banload | b4e5c71440c20850e73fbb8e70bb2a8b1c69ba06433f5010ef036361edace8b3

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exe
Size

73KB
MD5

8e4dc96dc37e0c882500ecd0983f05fe
SHA1

c467a8399c92e0d8ff73f7bad9ea1194cae903d0
SHA256

b4e5c71440c20850e73fbb8e70bb2a8b1c69ba06433f5010ef036361edace8b3
SHA512

4f930ad43d9bcfb6a0a01d7d1d31b059e0eb5d23be2934636abd65a673020200a9afc0a43c46e9af6d1406403543b7c445dbbefb310f149fdbc755f8e3debfeb
SSDEEP

1536:yCaIoX1oYOcbTMV88TXJLEu42EsCGu3SzRO:yCaZ2Yrb0VTXJYWEsCGuiU

Score

10^/10

banload discovery downloader dropper evasion trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

GLWorker.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ GLWorker.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GLWorker.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GLWorker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	GLWorker.exe

Executes dropped EXE 13 IoCs

Processes:

MSNGamesSetup.exeInstGameInfoHelperMSN.exeAdminWorker.exeAdminWorker.exeiWinTrusted.exeMSNGames.exeiWinTrusted.exeAdminWorker.exeiWinTrusted.exeAdminWorker.exeiWinGames - Gunner 2.exeiWinInstallOptions.exeGLWorker.exe

pid	process
2724	MSNGamesSetup.exe
2936	InstGameInfoHelperMSN.exe
1688	AdminWorker.exe
2120	AdminWorker.exe
1504	iWinTrusted.exe
2308	MSNGames.exe
2380	iWinTrusted.exe
2520	AdminWorker.exe
1456	iWinTrusted.exe
1284	AdminWorker.exe
2204	iWinGames - Gunner 2.exe
1592	iWinInstallOptions.exe
2520	GLWorker.exe

Loads dropped DLL 38 IoCs

Processes:

8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exeMSNGamesSetup.exeMSNGames.exeAdminWorker.exeiWinGames - Gunner 2.exeiWinInstallOptions.exe

pid	process
2600	8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exe
2600	8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exe
2600	8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exe
2724	MSNGamesSetup.exe
2724	MSNGamesSetup.exe
2724	MSNGamesSetup.exe
2724	MSNGamesSetup.exe
2724	MSNGamesSetup.exe
2724	MSNGamesSetup.exe
2724	MSNGamesSetup.exe
2724	MSNGamesSetup.exe
2724	MSNGamesSetup.exe
2724	MSNGamesSetup.exe
2724	MSNGamesSetup.exe
2724	MSNGamesSetup.exe
2308	MSNGames.exe
2308	MSNGames.exe
2308	MSNGames.exe
2308	MSNGames.exe
2308	MSNGames.exe
2308	MSNGames.exe
2308	MSNGames.exe
2308	MSNGames.exe
2308	MSNGames.exe
2308	MSNGames.exe
1284	AdminWorker.exe
2204	iWinGames - Gunner 2.exe
2204	iWinGames - Gunner 2.exe
2204	iWinGames - Gunner 2.exe
2204	iWinGames - Gunner 2.exe
1592	iWinInstallOptions.exe
1284	AdminWorker.exe
1284	AdminWorker.exe
1284	AdminWorker.exe
2308	MSNGames.exe
2308	MSNGames.exe
2308	MSNGames.exe
2308	MSNGames.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MSNGames.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MSNGames.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSNGames.exe

Drops file in Program Files directory 64 IoCs

Processes:

MSNGamesSetup.exe

description	ioc	process
File created	C:\Program Files (x86)\MSN Games\gamepage\images\global\logo-invis.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\ftdownload.dat	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pepflashplayer.dll	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\scripts\disconnected-upsell.js	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\scripts\prototype-1.6.js	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\tr.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ta.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\uk.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\ous\divider.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\arcadeCheck.js	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\sounds\coins.wav	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\gu.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\he.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\AdminWorker.exe	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\logo.jpg	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\buttons\yesiwantabackupcd-orange-197.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\plans\plan2.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\fil.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\buynow.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\blank2.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ar.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ro.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\fr.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\open.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\product\feature.jpg	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\browser_cef_exe.exe	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ko.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\sk.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\d3dcompiler_47.dll	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\natives_blob.bin	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\disconnected-upsell.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\continuefreetrial-32.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\misc\information.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\fi.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\success.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\WebUpdater.exe	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\common\header-small-bg.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\sounds\start.wav	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\cef_200_percent.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\ous\hotel-iwin.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\ous\ous-promo-banner.jpg	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ru.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\login.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\global\page-bg-swirly.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\sl.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\orange-im-connected-60.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ml.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\et.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\sr.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\cef_extensions.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\buttons\close-blue-28.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\test.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\en-GB.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\cef.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\icudtl.dat	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\pl.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\lt.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\offlineBg.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\sounds\animationBack.wav	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\sounds\download_completed.wav	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\sounds\slidebackin.wav	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\en-US.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\te.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\WebUpdater.bmp	MSNGamesSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AdminWorker.exeAdminWorker.exeAdminWorker.exeGLWorker.exeMSNGamesSetup.exeInstGameInfoHelperMSN.exeiWinTrusted.exeiWinInstallOptions.exe8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exeAdminWorker.exeiWinTrusted.exeMSNGames.exeiWinTrusted.exeiWinGames - Gunner 2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSNGamesSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstGameInfoHelperMSN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinTrusted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinInstallOptions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinTrusted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSNGames.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinTrusted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinGames - Gunner 2.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsjB118.tmp\MSNGamesSetup.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\nsjB118.tmp\MSNGamesSetup.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Gunner 2.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Gunner 2.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\nsjA6AC.tmp\iWinInstallOptions.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\nsjA6AC.tmp\iWinInstallOptions.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

MSNGamesSetup.exeMSNGames.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MSNGamesSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\MSNGames.exe = "8000"	MSNGamesSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	MSNGames.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	MSNGames.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	MSNGames.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com	MSNGames.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DOMStorage	MSNGames.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com\NumberOfSubdomains = "1"	MSNGames.exe

Modifies registry class 58 IoCs

Processes:

iWinTrusted.exeGLWorker.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted Class"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D423A00B-BD22-5711-B50A-21069199236D}\InProcServer32	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID\ = "iWinTrusted.CoiWinTrusted"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS\ = "0"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Program Files (x86)\\MSN Games\\iWinTrusted.exe\" /server"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalService = "iWinTrusted"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\ = "iWinTrusted 1.1 Type Library"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D423A00B-BD22-5711-B50A-21069199236D}	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D423A00B-BD22-5711-B50A-21069199236D}\ = "COpenControlPanel"	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ForseRemove	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32\ = "C:\\Program Files (x86)\\MSN Games\\iWinTrusted.exe"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D423A00B-BD22-5711-B50A-21069199236D}\InProcServer32\ThreadingModel = "Apartment"	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer\ = "iWinTrusted.CoiWinTrusted.1"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\Programmable	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\ = "iWinTrusted Class"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID\ = "iWinTrusted.CoiWinTrusted.1"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\MSN Games"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D423A00B-BD22-5711-B50A-21069199236D}\AppID = "{06622D85-6856-4460-8DE1-A81921B41C4B}"	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D423A00B-BD22-5711-B50A-21069199236D}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE	iWinTrusted.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

MSNGames.exeMSNGamesSetup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	MSNGames.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	MSNGamesSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	MSNGamesSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	MSNGamesSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	MSNGames.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	MSNGames.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSNGames.exe

pid process

2308 MSNGames.exe
2308 MSNGames.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

GLWorker.exe

description pid process

Token: 33 2520 GLWorker.exe
Token: SeIncBasePriorityPrivilege 2520 GLWorker.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

MSNGames.exe

pid process

2308 MSNGames.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

MSNGames.exe

pid process

2308 MSNGames.exe
2308 MSNGames.exe
2308 MSNGames.exe
2308 MSNGames.exe
2308 MSNGames.exe

pid	process
2308	MSNGames.exe
2308	MSNGames.exe

description	pid	process
Token: 33	2520	GLWorker.exe
Token: SeIncBasePriorityPrivilege	2520	GLWorker.exe

pid	process
2308	MSNGames.exe

pid	process
2308	MSNGames.exe
2308	MSNGames.exe
2308	MSNGames.exe
2308	MSNGames.exe
2308	MSNGames.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exeMSNGamesSetup.exeMSNGames.exeAdminWorker.exeAdminWorker.exeiWinGames - Gunner 2.exe

description	pid	process	target process
PID 2600 wrote to memory of 2724	2600	8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2600 wrote to memory of 2724	2600	8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2600 wrote to memory of 2724	2600	8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2600 wrote to memory of 2724	2600	8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2600 wrote to memory of 2724	2600	8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2600 wrote to memory of 2724	2600	8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2600 wrote to memory of 2724	2600	8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2724 wrote to memory of 2936	2724	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2724 wrote to memory of 2936	2724	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2724 wrote to memory of 2936	2724	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2724 wrote to memory of 2936	2724	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2724 wrote to memory of 2936	2724	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2724 wrote to memory of 2936	2724	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2724 wrote to memory of 2936	2724	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2724 wrote to memory of 2616	2724	MSNGamesSetup.exe	RegisterMCEApp.exe
PID 2724 wrote to memory of 2616	2724	MSNGamesSetup.exe	RegisterMCEApp.exe
PID 2724 wrote to memory of 2616	2724	MSNGamesSetup.exe	RegisterMCEApp.exe
PID 2724 wrote to memory of 2616	2724	MSNGamesSetup.exe	RegisterMCEApp.exe
PID 2724 wrote to memory of 1688	2724	MSNGamesSetup.exe	AdminWorker.exe
PID 2724 wrote to memory of 1688	2724	MSNGamesSetup.exe	AdminWorker.exe
PID 2724 wrote to memory of 1688	2724	MSNGamesSetup.exe	AdminWorker.exe
PID 2724 wrote to memory of 1688	2724	MSNGamesSetup.exe	AdminWorker.exe
PID 2724 wrote to memory of 2120	2724	MSNGamesSetup.exe	AdminWorker.exe
PID 2724 wrote to memory of 2120	2724	MSNGamesSetup.exe	AdminWorker.exe
PID 2724 wrote to memory of 2120	2724	MSNGamesSetup.exe	AdminWorker.exe
PID 2724 wrote to memory of 2120	2724	MSNGamesSetup.exe	AdminWorker.exe
PID 2724 wrote to memory of 1504	2724	MSNGamesSetup.exe	iWinTrusted.exe
PID 2724 wrote to memory of 1504	2724	MSNGamesSetup.exe	iWinTrusted.exe
PID 2724 wrote to memory of 1504	2724	MSNGamesSetup.exe	iWinTrusted.exe
PID 2724 wrote to memory of 1504	2724	MSNGamesSetup.exe	iWinTrusted.exe
PID 2724 wrote to memory of 2308	2724	MSNGamesSetup.exe	MSNGames.exe
PID 2724 wrote to memory of 2308	2724	MSNGamesSetup.exe	MSNGames.exe
PID 2724 wrote to memory of 2308	2724	MSNGamesSetup.exe	MSNGames.exe
PID 2724 wrote to memory of 2308	2724	MSNGamesSetup.exe	MSNGames.exe
PID 2308 wrote to memory of 2380	2308	MSNGames.exe	iWinTrusted.exe
PID 2308 wrote to memory of 2380	2308	MSNGames.exe	iWinTrusted.exe
PID 2308 wrote to memory of 2380	2308	MSNGames.exe	iWinTrusted.exe
PID 2308 wrote to memory of 2380	2308	MSNGames.exe	iWinTrusted.exe
PID 2308 wrote to memory of 2520	2308	MSNGames.exe	AdminWorker.exe
PID 2308 wrote to memory of 2520	2308	MSNGames.exe	AdminWorker.exe
PID 2308 wrote to memory of 2520	2308	MSNGames.exe	AdminWorker.exe
PID 2308 wrote to memory of 2520	2308	MSNGames.exe	AdminWorker.exe
PID 2520 wrote to memory of 1456	2520	AdminWorker.exe	iWinTrusted.exe
PID 2520 wrote to memory of 1456	2520	AdminWorker.exe	iWinTrusted.exe
PID 2520 wrote to memory of 1456	2520	AdminWorker.exe	iWinTrusted.exe
PID 2520 wrote to memory of 1456	2520	AdminWorker.exe	iWinTrusted.exe
PID 2308 wrote to memory of 1284	2308	MSNGames.exe	AdminWorker.exe
PID 2308 wrote to memory of 1284	2308	MSNGames.exe	AdminWorker.exe
PID 2308 wrote to memory of 1284	2308	MSNGames.exe	AdminWorker.exe
PID 2308 wrote to memory of 1284	2308	MSNGames.exe	AdminWorker.exe
PID 1284 wrote to memory of 2204	1284	AdminWorker.exe	iWinGames - Gunner 2.exe
PID 1284 wrote to memory of 2204	1284	AdminWorker.exe	iWinGames - Gunner 2.exe
PID 1284 wrote to memory of 2204	1284	AdminWorker.exe	iWinGames - Gunner 2.exe
PID 1284 wrote to memory of 2204	1284	AdminWorker.exe	iWinGames - Gunner 2.exe
PID 2204 wrote to memory of 1592	2204	iWinGames - Gunner 2.exe	iWinInstallOptions.exe
PID 2204 wrote to memory of 1592	2204	iWinGames - Gunner 2.exe	iWinInstallOptions.exe
PID 2204 wrote to memory of 1592	2204	iWinGames - Gunner 2.exe	iWinInstallOptions.exe
PID 2204 wrote to memory of 1592	2204	iWinGames - Gunner 2.exe	iWinInstallOptions.exe
PID 2204 wrote to memory of 1592	2204	iWinGames - Gunner 2.exe	iWinInstallOptions.exe
PID 2204 wrote to memory of 1592	2204	iWinGames - Gunner 2.exe	iWinInstallOptions.exe
PID 2204 wrote to memory of 1592	2204	iWinGames - Gunner 2.exe	iWinInstallOptions.exe
PID 2308 wrote to memory of 2520	2308	MSNGames.exe	GLWorker.exe
PID 2308 wrote to memory of 2520	2308	MSNGames.exe	GLWorker.exe
PID 2308 wrote to memory of 2520	2308	MSNGames.exe	GLWorker.exe

C:\Users\Admin\AppData\Local\Temp\8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8e4dc96dc37e0c882500ecd0983f05fe_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\nsjB118.tmp\MSNGamesSetup.exe
  C:\Users\Admin\AppData\Local\Temp\nsjB118.tmp\MSNGamesSetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\nsj15F2.tmp\InstGameInfoHelperMSN.exe
    "C:\Users\Admin\AppData\Local\Temp\nsj15F2.tmp\InstGameInfoHelperMSN.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2936
- - C:\Windows\ehome\RegisterMCEApp.exe
    "C:\Windows\ehome\RegisterMCEApp.exe" /allusers "C:\Program Files (x86)\MSN Games\MSNGames-MCE.xml"
    3⤵
    PID:2616
- - C:\Program Files (x86)\MSN Games\AdminWorker.exe
    "C:\Program Files (x86)\MSN Games\AdminWorker.exe" AddArcadeToFireWallExceptions
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1688
- - C:\Program Files (x86)\MSN Games\AdminWorker.exe
    "C:\Program Files (x86)\MSN Games\AdminWorker.exe" restoreShortcutsPathes
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2120
- - C:\Program Files (x86)\MSN Games\iWinTrusted.exe
    "C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1504
- - C:\Program Files (x86)\MSN Games\MSNGames.exe
    "C:\Program Files (x86)\MSN Games\MSNGames.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Program Files (x86)\MSN Games\iWinTrusted.exe
      "C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2380
  - - C:\Program Files (x86)\MSN Games\AdminWorker.exe
      "C:\Program Files (x86)\MSN Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\MSN Games\\iWinTrusted.exe" "-install"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Program Files (x86)\MSN Games\iWinTrusted.exe
        
        "C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1456
  - - C:\Program Files (x86)\MSN Games\AdminWorker.exe
      "C:\Program Files (x86)\MSN Games\AdminWorker.exe" StartProcessAndWait "C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Gunner 2.exe" "/S" "5499088350144781303" "5499088356767708447" "" "" "price|999|gameSKU|5499088356767708447";PogoInstall;Gunner 2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Gunner 2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Gunner 2.exe" /S
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Users\Admin\AppData\Local\Temp\nsjA6AC.tmp\iWinInstallOptions.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsjA6AC.tmp\iWinInstallOptions.exe" /S
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1592
  - - C:\Games\MSN\Gunner 2\GLWorker.exe
      "C:\Games\MSN\Gunner 2\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5499088350144781303
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Games\MSN\Gunner 2\glcfg.date

Filesize
670B

MD5
e5a4a6bd77be8b7751ad103024c654a1

SHA1
bc13c2af1ea8fdbe355090df5726a4a7270a5fb7

SHA256
d997cbbdb3f7615cfffde3ced49c4be288be182750f0a1e0fe4ce76351fb7d9a

SHA512
6ee4f750e71b6f8599a082a0fc2fdd0d88e96aab6debbd31df03754185b1c716ed1e5eecabe69f5ee0dedd572042501cec9743a41c52fc332882556f089d5a85

Download Submit
C:\Program Files (x86)\MSN Games\AdminWorker.exe

Filesize
617KB

MD5
6772fdec98b776314724f63be2f657b3

SHA1
6014eb84c278072a501790a9be7c061156c4b824

SHA256
8265375aa8916022cddaf5921f034b787416af5be65526f0a15e5791ebd257ed

SHA512
0bad9e075ff4df3606ae7efc3ad8e2038e0b7f69379b72bfbe2686ba6d92a7b3251b0cf021af9b9231b60b92d42a0af2f0e8a150e44b5410dab7e4b8b9a2273a

Download Submit
C:\Program Files (x86)\MSN Games\MSNGames-MCE.xml

Filesize
1KB

MD5
5c6172ee1ded14f2cf86c93884cdebb0

SHA1
144dda81e5aafa5ce99d5368c4968f8b2d1953b2

SHA256
356a66bc5a36702825c13022be5ffc0916c9b311d59c1afd5c8de8e8a6ddbf0a

SHA512
ad64b51017877b34a1eda102057847a940c04cdbacb238cc9a06f5fbcdccd64d167e0babd782240273dd280109d80a1b4469b59a4a8c30deb74c718aaf8160bb

Download Submit
C:\Program Files (x86)\MSN Games\WebUpdater.bmp

Filesize
47KB

MD5
3bef430235c592989ef45d64b8995fda

SHA1
0d99277cdeec4845540bcf456531b57e0e939cdd

SHA256
624426067e03d13efcfc88d570cc593649b67bafd9bf673ab46046dab00d8d5d

SHA512
7dd5904c5ff5680be017238bb3ed96f6652d575d2eb6d85d2a3ac8045c58d836ddca12d73ebab831f22a9b57a0e410c2a56359b5abf567be5ec565a9c781af96

Download Submit
C:\Program Files (x86)\MSN Games\pages\blank.html

Filesize
104B

MD5
9482e5ee38471e5b6a688ad0d02fe6b4

SHA1
12dfac1206e34a47b2d3f639106056c9f7ca3e7a

SHA256
a655fa3c755d22a5a95b01a91030fe889e8c37e900226a05fc32aebd04fc4e2d

SHA512
c8b1ec8ef2d48d3c8d57c2728bb1ae6d150f43bc3ccba063b819ae1e7809331b170fc764d655db5ee11c838cbb74b91abc3abd837d98830589ee5b3aa3e905a4

Download Submit
C:\Program Files (x86)\MSN Games\pages\blank2.html

Filesize
74B

MD5
90b42fd8e93203218847a3c0a646d377

SHA1
0d485e2de867448e4853031d5714942128d92983

SHA256
aec450600b1ea9c5cd12a92ff9764092434c2cca7e56c10c7b11a63a13209c5f

SHA512
de8ab5192fbb9e1df4f1baa7436f2d21cbb94f921931d502aed87049b46affe2dba1929ef48b528f114722cff7c797d381070b35884f7bea18813df355b0ffab

Download Submit
C:\Program Files (x86)\MSN Games\pages\iwgm.loading.jpg

Filesize
40KB

MD5
bf7e93622206bd7206494a7b805c0954

SHA1
5dec728c393cafd17d55a18501770ce22f16ffae

SHA256
cabc0465f851bce0342470e5f4d81a5f4045028d4093d059225b4f76eb6297d7

SHA512
f60adc9f8086793070c9fe7b7f1aab75251a4c71622c364ff6fc0e63b5f14da3e56cbca412ce2d80322713d4e4ca6944ede640878f1d115a48b08a891305d9ce

Download Submit
C:\Program Files (x86)\MSN Games\sounds\animation.wav

Filesize
77KB

MD5
3ef7618619348fbbeca7b0f772be7e5c

SHA1
d86829f29c8f22c2d3562269b3d2f0c3b822ad0c

SHA256
d361e7b9d8d6e1e3c2b4977f53a06a363183b74796b27cbba2d0277a7e19a872

SHA512
b7c339678b214ff57594f02f2953ec762584f8b31644b1f63ac55586423fd34a7afae9c3d208db7caaab6e30bcb806cc9720cdb34c58f466aabad547d3263376

Download Submit
C:\Program Files (x86)\MSN Games\sounds\button_click.wav

Filesize
8KB

MD5
d5c43fe0fd3f6b5c1d2d96ef21834f9d

SHA1
f8e36c4fe187396cec014bb2e733d953b3a76fdd

SHA256
ed0c4264b99666a9e59299097c2acc7549dcf7e896c2a7584d65a616aaa415e1

SHA512
e629e4cab48e75c35dbbb33b427c31babe814ecadf4357695e7bb3370ca838005c9c156a3dcb79f574cfd4b05b4fa6b55c991f249d9f3b6b072c3d87468c04cc

Download Submit
C:\Program Files (x86)\MSN Games\sounds\start.wav

Filesize
57KB

MD5
94ab5e493c7fd8358c9a893d0a108d5f

SHA1
5dd41e775bb246ee33cbbb6bbf1a4a6b65da1173

SHA256
54e995d1600802e1dccb785ba3ea20d14c85b54e70c397d48074135f2c731b4a

SHA512
f95197a3f28d57c77ad4f40346d941ce075e83bec79531eb7000b981f9587f0ccbe962edb11390c4a122386666e0665f1572091489338760a2dcd2bba0113164

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab744A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8D14.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj15F2.tmp\gametitle.txt

Filesize
8B

MD5
a0b36eb2cee818082dab474220c57a27

SHA1
3294510092c0cf3015de004fdb33d13525bc9985

SHA256
1475259782959980271dfc12bcd2cfda5a2c4ec551708106aee52b0ee73cd1fb

SHA512
8312f360a907734091c5af9260cc10f849206ceccd875f281b2c1533fd485f8620eec80a96588133e79fcc2305c5af1554040cd4be01261d7005bdb6b5e35dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj15F2.tmp\tn_feat.bmp

Filesize
4KB

MD5
de49b3944a8d41f82560af9867921bce

SHA1
7618d7e8bc507c0d2d39365df2bf327997bebb4b

SHA256
ad51ae32c1a24b8afbc294604022cfedbfbddc7050bdd77e1a22b8c4b15398c0

SHA512
394df247bf1c84187220263b33a506f099c61cc4e2a8507bbcbe984d1215360445cb3c60112fa0c2bb97e6eb7a26bfcbdb26cc3eab05ba42e8c6e61276688a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj15F2.tmp\tn_feat.jpg

Filesize
1KB

MD5
0e3369e022dfa435f6a30cec24f3ba8d

SHA1
a951162baf41cba7a627389e949c60f1a022f826

SHA256
d26608e6c8d3f5adacce8011cd32b81be6fd6d1d13c77a81f31431ad9d54fb6f

SHA512
a566384a3a91eff2879137e5e588a9696a47dc30b31f2a0bb03cdce3a360b114a97bb78f1f9baadd2b77cdad51b152efebb88f4fdc66ffb9c29d3f02dc177358

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB118.tmp\ftdownload.dat

Filesize
512B

MD5
e3b30215f964837c4b9ee6935dc42d73

SHA1
ab85287c1044602581e30f24c014e58bdefd4a9f

SHA256
3f3c4dbb9714bfc3dd348de64d682f7c0842acc1dfd4528f1a5b4381175f8bd5

SHA512
a53c8589f28a331b438ff5315128661b4c31d69f1fdeeb0479874c1fcfca816d2714869bfeabfb3b3b93f9335635b83eccb6e7380ce5b8c8a7103f57e257b19e

Download Submit
\Games\MSN\Gunner 2\G2Game.ifn

Filesize
3.7MB

MD5
7e73c3dc972a910b43ddc769816384f7

SHA1
a2399a3ad1dd612d8ec3bf310c54edcf28d9ba1d

SHA256
954711f53eb0a8787b9569bf29c61b9fe8d555b947f9744fc715c15a85d9d784

SHA512
7b400f12731d8985cc0d59fbd020848008baaf5faf93bff5d11f6c8a4a22e1546f7a8b2822fb666dca9d6649d5e709ab0a1ce2525d717a1748ee537c5a809fed

Download Submit
\Program Files (x86)\MSN Games\MSNGames.exe

Filesize
10.7MB

MD5
a723f73cafced792d6b908c70368aa5e

SHA1
76725a966bb2f0151f9cbbd7ef41b4aa59255ca3

SHA256
79b411d4ec2da73268cf304e5af339544cc516f1b9469a6722afcd72cc9aca1c

SHA512
92f49b895638473084cf2c86b94ec414fc8c6ba5a1d0dba2cee999366f4f5983dff4ae986de12ad71591242aa511b732c80e28d58ee9151477e54419b8c92759

Download Submit
\Program Files (x86)\MSN Games\iWinTrusted.exe

Filesize
218KB

MD5
f117e941af67e0c73327b261d03d8293

SHA1
c00aa7b9217793451b3cb5658a4f54a313ec2e36

SHA256
cf76079b5d416815c3607b309336f5d6801a9953ad3d9d87eaebdffb531b08ea

SHA512
1e5383d26544f082a0f7b20f828597c0a7004b7f71af285b40ec241fea739a96459b6899bd36ba5b216012ce87bc7b403797dc5c481aa947a63f26aeea571b1c

Download Submit
\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Gunner 2.exe

Filesize
11.6MB

MD5
b2094a2e7226154ed218bb39a8aec715

SHA1
47cb710cbbc80c0fbfbdf085cb7911ba548970c7

SHA256
0cb84d577ccdada71de9e834e54b3115059fc98c2514e6d1b3e080c74491b73b

SHA512
4a1646b1fb28991ac0f715166f729dd7515d1cfa562ee159d372fb2a2a043e6da1ecdd497b370039c332308f306c8f481bffa650ed66c973170cba6f931c4f0d

Download Submit
\Users\Admin\AppData\Local\Temp\nsj15F2.tmp\GameuxInstallHelper.dll

Filesize
94KB

MD5
4d3ac88054df63fc810427bdaa96c458

SHA1
e4d554e03ba91f6b53a2a80253b339f56e303c94

SHA256
b07ffcd0af80f6b9fba09abe816ba2f0ff0d336639f1768fc317291bc635ece6

SHA512
d4732ad89bbb19b316dff1b9c534acf98bb985c89d1295f08e24b21531123426500b3712979dda2f0e941a5969c0cbca15bbd52f6c167653f96a494a6677ca54

Download Submit
\Users\Admin\AppData\Local\Temp\nsj15F2.tmp\InstGameInfoHelperMSN.exe

Filesize
455KB

MD5
0025cd88501fa44e826bc9ed4bdef2fb

SHA1
c1a5d54809ba50bea7c4cac90563eb50b1d973ab

SHA256
f26ccc52aee7f6949d33a8c5eae4829bf94ad338765b04b68214cb5f375d5d59

SHA512
96a78d4d84fa9aa74f7791d01534e9c18cabf31a73b2e6711d4152527e16265163f415b43f418112652f3642192a8409383098899f84cb762c4cf6ff2c8140fd

Download Submit
\Users\Admin\AppData\Local\Temp\nsj15F2.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj15F2.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA6AC.tmp\iWinInstallOptions.exe

Filesize
84KB

MD5
8003a3286495deed791c357cb8fc4e82

SHA1
c3c602b0c69f1dc66c4f1e498c67e003f6f2d1e6

SHA256
556f052e6bc898af76c81ce5d00493fd0c1364fdaf2c1567409154d10ffc2cc3

SHA512
79fc49ed2fdbb4babe79937cb3c4a1db92a0ce0e948b083708d643b935cec57ea4feba3998e7530ea22aedc2eb71cfc061d259ba1d90234de968f0dfe66eecbd

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB118.tmp\MSNGamesSetup.exe

Filesize
45.6MB

MD5
7b3ec6d1800cddc1b195d98244e98e5a

SHA1
4f1f7318c220cfca2d8631dc3398c3242bf34115

SHA256
3cb4ae53e2756e00d016427ff3e27a488376e1ce81b5a2ce4e24520e7ca8000a

SHA512
d8ff6fee981cd039499ea2b78d2565a5418a867a40eea43310051ff90a5f2a7462cd3c63c87f9e539135d91bcea0bf2dd5ceb25256201f781c8f49c344d0fb93

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB118.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB118.tmp\nsisdl.dll

Filesize
14KB

MD5
a5a4cee2eb89d2687c05ef74299f0dba

SHA1
b9bff5987be422887f2f402357b47db2288a1a42

SHA256
cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963

SHA512
f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAD7F.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
memory/2120-249-0x0000000076BD0000-0x0000000076CEF000-memory.dmp

Filesize
1.1MB

Download
memory/2120-250-0x0000000076AD0000-0x0000000076BCA000-memory.dmp

Filesize
1000KB

Download
memory/2204-450-0x0000000002970000-0x0000000002E05000-memory.dmp

Filesize
4.6MB

Download
memory/2308-496-0x000000000A970000-0x000000000AB7C000-memory.dmp

Filesize
2.0MB

Download
memory/2308-477-0x000000000A970000-0x000000000AB7C000-memory.dmp

Filesize
2.0MB

Download
memory/2308-478-0x000000000A970000-0x000000000AB7C000-memory.dmp

Filesize
2.0MB

Download
memory/2308-481-0x000000000A970000-0x000000000AB7C000-memory.dmp

Filesize
2.0MB

Download
memory/2308-497-0x000000000A970000-0x000000000AB7C000-memory.dmp

Filesize
2.0MB

Download
memory/2520-484-0x0000000002600000-0x0000000002800000-memory.dmp

Filesize
2.0MB

Download
memory/2520-489-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2520-490-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2520-495-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2520-491-0x0000000002600000-0x0000000002800000-memory.dmp

Filesize
2.0MB

Download
memory/2520-493-0x0000000002600000-0x0000000002800000-memory.dmp

Filesize
2.0MB

Download
memory/2520-488-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2520-485-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2520-479-0x0000000002600000-0x0000000002800000-memory.dmp

Filesize
2.0MB

Download