Malware Analysis Report

2025-01-22 23:08

Sample ID 241129-pkdssazlgp
Target b13605766b48d2d4cadea70a5656189a_JaffaCakes118
SHA256 21020225a6264c72c8b75eb76f998a40dd37f722e7276d512fb1a57e92c9063f
Tags
discovery evasion trojan banload downloader dropper
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

21020225a6264c72c8b75eb76f998a40dd37f722e7276d512fb1a57e92c9063f

Threat Level: Known bad

The file b13605766b48d2d4cadea70a5656189a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery evasion trojan banload downloader dropper

Banload

Banload family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-29 12:22

Signatures

NSIS installer

installer

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-29 12:22
Reported 2024-11-29 12:25
Platform win10v2004-20241007-en
Max time kernel 93s
Max time network 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSN Games\MSNGames.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSN Games\AdminWorker.exe | N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSN Games\MSNGames.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\MSN Games\locales\am.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\alert32x32.gif | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\continuefreetrial-32.gif | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\buttons\yesiwantabackupcd-orange-197.gif | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\scripts\prototype-1.6.js | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\pages\blank2.html | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\libcef.dll | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\ous\hotel-iwin.gif | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\styles\disconnected-upsell.css | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\MSNGames.exe | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\nl.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\cef_200_percent.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\chrome_elf.dll | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\plans\plan3.gif | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\en-US.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\es-419.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\pt-PT.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\zh-TW.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\libEGL.dll | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\plans\plan2.gif | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\ftdownload.dat | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\snapshot_blob.bin | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\disconnected-upsell.html | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\buttons\close-blue-28.gif | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\ous\opal.gif | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\pages\blank.html | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\ous\opalbox.jpg | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\et.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\ro.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\pages\offline.jpg | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\sounds\start.wav | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\fa.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\pepflashplayer.dll | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\zh-CN.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\browser_cef_dll.dll | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\success.html | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\css\offline.css | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\ous\hotel-bg.gif | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\sounds\download_completed.wav | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\ko.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\bg_header.gif | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\global\page-header-small-bg.jpg | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\scripts\popups.js | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\pages\login.html | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\en-GB.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\nb.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\common\header-bg.gif | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\misc\information.gif | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\ca.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\cs.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\hr.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\it.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\ja.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\ta.pak | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\WebUpdater.bmp | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\scripts\disconnected-upsell.js | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\pages\arcadeCheck.js | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\pages\error.html | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\pages\error404.css | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\logo.jpg | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\global\page-bg.gif | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\pages\iwgm.loading.jpg | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\MSN Games\MSNGames.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\MSN Games\AdminWorker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\MSN Games\AdminWorker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\MSN Games\AdminWorker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsr9694.tmp\InstGameInfoHelperMSN.exe | N/A

NSIS installer

installer

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\MSN Games\MSNGames.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\MSN Games\MSNGames.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\MSN Games\MSNGames.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\MSN Games\MSNGames.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\MSNGames.exe = "8000" | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\Programmable | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32 | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A} | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\MSN Games" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14} | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14} | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID\ = "iWinTrusted.CoiWinTrusted.1" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ForseRemove | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS\ = "0" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32\ = "C:\\Program Files (x86)\\MSN Games\\iWinTrusted.exe" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer\ = "iWinTrusted.CoiWinTrusted.1" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalService = "iWinTrusted" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted Class" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Program Files (x86)\\MSN Games\\iWinTrusted.exe\" /server" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1 | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\ = "iWinTrusted Class" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\ = "iWinTrusted 1.1 Type Library" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID\ = "iWinTrusted.CoiWinTrusted" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0 | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0 | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32 | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4364 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe
PID 4364 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe
PID 4364 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe
PID 4892 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Users\Admin\AppData\Local\Temp\nsr9694.tmp\InstGameInfoHelperMSN.exe
PID 4892 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Users\Admin\AppData\Local\Temp\nsr9694.tmp\InstGameInfoHelperMSN.exe
PID 4892 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Users\Admin\AppData\Local\Temp\nsr9694.tmp\InstGameInfoHelperMSN.exe
PID 4892 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 4892 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 4892 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 4892 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 4892 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 4892 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 4892 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 4892 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 4892 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 4892 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\MSNGames.exe
PID 4892 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\MSNGames.exe
PID 4892 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\MSNGames.exe
PID 2280 wrote to memory of 3964 | N/A | C:\Program Files (x86)\MSN Games\MSNGames.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2280 wrote to memory of 3964 | N/A | C:\Program Files (x86)\MSN Games\MSNGames.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2280 wrote to memory of 3964 | N/A | C:\Program Files (x86)\MSN Games\MSNGames.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2280 wrote to memory of 3624 | N/A | C:\Program Files (x86)\MSN Games\MSNGames.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2280 wrote to memory of 3624 | N/A | C:\Program Files (x86)\MSN Games\MSNGames.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2280 wrote to memory of 3624 | N/A | C:\Program Files (x86)\MSN Games\MSNGames.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 3624 wrote to memory of 4340 | N/A | C:\Program Files (x86)\MSN Games\AdminWorker.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 3624 wrote to memory of 4340 | N/A | C:\Program Files (x86)\MSN Games\AdminWorker.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 3624 wrote to memory of 4340 | N/A | C:\Program Files (x86)\MSN Games\AdminWorker.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsr9694.tmp\InstGameInfoHelperMSN.exe

"C:\Users\Admin\AppData\Local\Temp\nsr9694.tmp\InstGameInfoHelperMSN.exe"

C:\Program Files (x86)\MSN Games\AdminWorker.exe

"C:\Program Files (x86)\MSN Games\AdminWorker.exe" AddArcadeToFireWallExceptions

C:\Program Files (x86)\MSN Games\AdminWorker.exe

"C:\Program Files (x86)\MSN Games\AdminWorker.exe" restoreShortcutsPathes

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

"C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install

C:\Program Files (x86)\MSN Games\MSNGames.exe

"C:\Program Files (x86)\MSN Games\MSNGames.exe"

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

"C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install

C:\Program Files (x86)\MSN Games\AdminWorker.exe

"C:\Program Files (x86)\MSN Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\MSN Games\\iWinTrusted.exe" "-install"

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

"C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x42c 0x3d4

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.iwin.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 18.239.69.43:80 dl.iwin.com tcp
US 8.8.8.8:53 43.69.239.18.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gm-msn.iwin.com udp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 8.8.8.8:53 img.iwin.com udp
IE 3.162.140.40:80 img.iwin.com tcp
US 8.8.8.8:53 172.60.22.52.in-addr.arpa udp
US 8.8.8.8:53 40.140.162.3.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 8.8.8.8:53 gm-msn.iwin.com udp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\System.dll

MD5 960a5c48e25cf2bca332e74e11d825c9
SHA1 da35c6816ace5daf4c6c1d57b93b09a82ecdc876
SHA256 484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
SHA512 cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\nsisdl.dll

MD5 a5a4cee2eb89d2687c05ef74299f0dba
SHA1 b9bff5987be422887f2f402357b47db2288a1a42
SHA256 cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963
SHA512 f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0

C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe

MD5 7b3ec6d1800cddc1b195d98244e98e5a
SHA1 4f1f7318c220cfca2d8631dc3398c3242bf34115
SHA256 3cb4ae53e2756e00d016427ff3e27a488376e1ce81b5a2ce4e24520e7ca8000a
SHA512 d8ff6fee981cd039499ea2b78d2565a5418a867a40eea43310051ff90a5f2a7462cd3c63c87f9e539135d91bcea0bf2dd5ceb25256201f781c8f49c344d0fb93

C:\Users\Admin\AppData\Local\Temp\nsr9694.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\ftdownload.dat

MD5 433030c5cbb375e16cc885014191f07b
SHA1 485546229799b852d97fee65a5d899aaad757ed7
SHA256 1095affbecd87e6bc9a6a2d3ba7937a2d847480b24b2cc66458b3614beb6bed4
SHA512 c4506614047c741a2c8b039a878c7eeb387c9f136dd9be2847d1edee0848368517e18606110a5b1f225a2e937e7536420e9a68fd5bf7283e29efc41f40859091

C:\Users\Admin\AppData\Local\Temp\nsr9694.tmp\nsExec.dll

MD5 acc2b699edfea5bf5aae45aba3a41e96
SHA1 d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512 e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

C:\Users\Admin\AppData\Local\Temp\nsr9694.tmp\InstGameInfoHelperMSN.exe

MD5 0025cd88501fa44e826bc9ed4bdef2fb
SHA1 c1a5d54809ba50bea7c4cac90563eb50b1d973ab
SHA256 f26ccc52aee7f6949d33a8c5eae4829bf94ad338765b04b68214cb5f375d5d59
SHA512 96a78d4d84fa9aa74f7791d01534e9c18cabf31a73b2e6711d4152527e16265163f415b43f418112652f3642192a8409383098899f84cb762c4cf6ff2c8140fd

C:\Users\Admin\AppData\Local\Temp\nsr9694.tmp\gametitle.txt

MD5 b95effb5cac0ebc1ea0c2e8e846e5045
SHA1 43eeed2f329347102b81baafc0cd9e62b5eae175
SHA256 3d99b189ef5a1f1fd58289b094ea89759b812efadf4cc86598cc5c207ad51859
SHA512 43c80d1713253a54b4d31a742c4afa5d0070a0f290498a71488d9d80156295438dd294496d21cb590f9ef95a1b99cf39073b026014b375d6b8d97e9b03674f2e

C:\Users\Admin\AppData\Local\Temp\nsr9694.tmp\tn_feat.bmp

MD5 49cd2c57170a77dfa6639da258bdcce1
SHA1 fa49d2bbcccaa5219c96ecec6ef9833ebda3af2a
SHA256 6dd1f4b52d063661e6da75d17880d8e0c0d5d5febff44824f646ac92faa7dc63
SHA512 d5b2302f83f2cf7c7f45c38508ccf2ca7762f6ce2feb50b48a5337bdb1592cff3ecd43bfd06da4c9e29d420bc319a7d5ab9555598365137d67ea4875868de4a0

C:\Program Files (x86)\MSN Games\MSNGames.exe

MD5 a723f73cafced792d6b908c70368aa5e
SHA1 76725a966bb2f0151f9cbbd7ef41b4aa59255ca3
SHA256 79b411d4ec2da73268cf304e5af339544cc516f1b9469a6722afcd72cc9aca1c
SHA512 92f49b895638473084cf2c86b94ec414fc8c6ba5a1d0dba2cee999366f4f5983dff4ae986de12ad71591242aa511b732c80e28d58ee9151477e54419b8c92759

C:\Users\Admin\AppData\Local\Temp\nsr9694.tmp\GameuxInstallHelper.dll

MD5 4d3ac88054df63fc810427bdaa96c458
SHA1 e4d554e03ba91f6b53a2a80253b339f56e303c94
SHA256 b07ffcd0af80f6b9fba09abe816ba2f0ff0d336639f1768fc317291bc635ece6
SHA512 d4732ad89bbb19b316dff1b9c534acf98bb985c89d1295f08e24b21531123426500b3712979dda2f0e941a5969c0cbca15bbd52f6c167653f96a494a6677ca54

C:\Program Files (x86)\MSN Games\AdminWorker.exe

MD5 6772fdec98b776314724f63be2f657b3
SHA1 6014eb84c278072a501790a9be7c061156c4b824
SHA256 8265375aa8916022cddaf5921f034b787416af5be65526f0a15e5791ebd257ed
SHA512 0bad9e075ff4df3606ae7efc3ad8e2038e0b7f69379b72bfbe2686ba6d92a7b3251b0cf021af9b9231b60b92d42a0af2f0e8a150e44b5410dab7e4b8b9a2273a

C:\Program Files (x86)\MSN Games\WebUpdater.exe

MD5 52eaaf6ea657484ccb5cc429c13d7035
SHA1 888fd64b7a242abd336556c0c2c302f6a3dc7cca
SHA256 af3b16498f5afdb202b0a23ff878fe7a8f63161f7eaa715ea3b45a71fbfa63fe
SHA512 43f0774b5e1efed45615743e5fc2396a4e19f74a4869cad7fb5afb80a4133499fe3b3a5610680538f0f3a569831219a2a8fbfbe2166919d0d98ad94ff0e87f3a

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

MD5 f117e941af67e0c73327b261d03d8293
SHA1 c00aa7b9217793451b3cb5658a4f54a313ec2e36
SHA256 cf76079b5d416815c3607b309336f5d6801a9953ad3d9d87eaebdffb531b08ea
SHA512 1e5383d26544f082a0f7b20f828597c0a7004b7f71af285b40ec241fea739a96459b6899bd36ba5b216012ce87bc7b403797dc5c481aa947a63f26aeea571b1c

C:\Users\Admin\AppData\Local\Temp\nsr9694.tmp\tn_feat.jpg

MD5 c2965cb96a332484fd16f6f43d367cce
SHA1 ea86229b04037c6c333150235fc9f40d7675a3c6
SHA256 ac368fbb7f15ee40eb4731284dc848a454f3a01cab11c9bfbcff8ae7c0782d72
SHA512 4a499be02e4c45e00c75b8ab5b84f37c2311db6a78fcbbbc0ace6391a067aad731e23592cd4d014757e227f344575d9857c66a60a8c3dd4b6e8b11195255a147

C:\Program Files (x86)\MSN Games\pages\blank.html

MD5 9482e5ee38471e5b6a688ad0d02fe6b4
SHA1 12dfac1206e34a47b2d3f639106056c9f7ca3e7a
SHA256 a655fa3c755d22a5a95b01a91030fe889e8c37e900226a05fc32aebd04fc4e2d
SHA512 c8b1ec8ef2d48d3c8d57c2728bb1ae6d150f43bc3ccba063b819ae1e7809331b170fc764d655db5ee11c838cbb74b91abc3abd837d98830589ee5b3aa3e905a4

C:\Program Files (x86)\MSN Games\pages\iwgm.loading.jpg

MD5 bf7e93622206bd7206494a7b805c0954
SHA1 5dec728c393cafd17d55a18501770ce22f16ffae
SHA256 cabc0465f851bce0342470e5f4d81a5f4045028d4093d059225b4f76eb6297d7
SHA512 f60adc9f8086793070c9fe7b7f1aab75251a4c71622c364ff6fc0e63b5f14da3e56cbca412ce2d80322713d4e4ca6944ede640878f1d115a48b08a891305d9ce

C:\Program Files (x86)\MSN Games\pages\blank2.html

MD5 90b42fd8e93203218847a3c0a646d377
SHA1 0d485e2de867448e4853031d5714942128d92983
SHA256 aec450600b1ea9c5cd12a92ff9764092434c2cca7e56c10c7b11a63a13209c5f
SHA512 de8ab5192fbb9e1df4f1baa7436f2d21cbb94f921931d502aed87049b46affe2dba1929ef48b528f114722cff7c797d381070b35884f7bea18813df355b0ffab

C:\Program Files (x86)\MSN Games\sounds\animation.wav

MD5 3ef7618619348fbbeca7b0f772be7e5c
SHA1 d86829f29c8f22c2d3562269b3d2f0c3b822ad0c
SHA256 d361e7b9d8d6e1e3c2b4977f53a06a363183b74796b27cbba2d0277a7e19a872
SHA512 b7c339678b214ff57594f02f2953ec762584f8b31644b1f63ac55586423fd34a7afae9c3d208db7caaab6e30bcb806cc9720cdb34c58f466aabad547d3263376

C:\Program Files (x86)\MSN Games\WebUpdater.bmp

MD5 3bef430235c592989ef45d64b8995fda
SHA1 0d99277cdeec4845540bcf456531b57e0e939cdd
SHA256 624426067e03d13efcfc88d570cc593649b67bafd9bf673ab46046dab00d8d5d
SHA512 7dd5904c5ff5680be017238bb3ed96f6652d575d2eb6d85d2a3ac8045c58d836ddca12d73ebab831f22a9b57a0e410c2a56359b5abf567be5ec565a9c781af96

C:\Program Files (x86)\MSN Games\sounds\start.wav

MD5 94ab5e493c7fd8358c9a893d0a108d5f
SHA1 5dd41e775bb246ee33cbbb6bbf1a4a6b65da1173
SHA256 54e995d1600802e1dccb785ba3ea20d14c85b54e70c397d48074135f2c731b4a
SHA512 f95197a3f28d57c77ad4f40346d941ce075e83bec79531eb7000b981f9587f0ccbe962edb11390c4a122386666e0665f1572091489338760a2dcd2bba0113164

C:\Program Files (x86)\MSN Games\sounds\button_click.wav

MD5 d5c43fe0fd3f6b5c1d2d96ef21834f9d
SHA1 f8e36c4fe187396cec014bb2e733d953b3a76fdd
SHA256 ed0c4264b99666a9e59299097c2acc7549dcf7e896c2a7584d65a616aaa415e1
SHA512 e629e4cab48e75c35dbbb33b427c31babe814ecadf4357695e7bb3370ca838005c9c156a3dcb79f574cfd4b05b4fa6b55c991f249d9f3b6b072c3d87468c04cc
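
The hash table above is, in practice, an IOC list for a host sweep. The following is an added example (not the sandbox's own tooling) that parses "Files" entries in exactly the layout used here, a path line, a blank line, then the MD5/SHA1/SHA256/SHA512 lines, and checks byte strings against them. Two entries are copied from the report; the abc.bin entry is constructed for the example and carries the standard test-vector digests of the ASCII string "abc" so the match path can be exercised offline. Matching on any single algorithm flags a hit, and the set of agreeing algorithms is returned so a mistyped digest in a transcribed IOC list shows up as a partial match instead of a silent miss.

```python
"""Sweep data against the file hashes listed in the report.

Added example, not the sandbox's own tooling. It parses "Files" entries in the
layout used above (path line, blank line, then MD5/SHA1/SHA256/SHA512 lines)
and checks byte strings against them. Two entries are copied from the report;
the abc.bin entry is constructed for this example and carries the standard
test-vector digests of the ASCII string "abc", so the match path runs offline.
"""
import hashlib
import os
import re

SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\nsf79E4.tmp\MSNGamesSetup.exe

MD5 7b3ec6d1800cddc1b195d98244e98e5a
SHA1 4f1f7318c220cfca2d8631dc3398c3242bf34115
SHA256 3cb4ae53e2756e00d016427ff3e27a488376e1ce81b5a2ce4e24520e7ca8000a
SHA512 d8ff6fee981cd039499ea2b78d2565a5418a867a40eea43310051ff90a5f2a7462cd3c63c87f9e539135d91bcea0bf2dd5ceb25256201f781c8f49c344d0fb93

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

MD5 f117e941af67e0c73327b261d03d8293
SHA1 c00aa7b9217793451b3cb5658a4f54a313ec2e36
SHA256 cf76079b5d416815c3607b309336f5d6801a9953ad3d9d87eaebdffb531b08ea
SHA512 1e5383d26544f082a0f7b20f828597c0a7004b7f71af285b40ec241fea739a96459b6899bd36ba5b216012ce87bc7b403797dc5c481aa947a63f26aeea571b1c

C:\constructed\abc.bin

MD5 900150983cd24fb0d6963f7d28e17f72
SHA1 a9993e364706816aba3e25717850c26c9cd0d89d
SHA256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SHA512 ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
"""

ALGOS = ("md5", "sha1", "sha256", "sha512")

# One entry: an absolute Windows path on its own line, a blank line, then the
# four digest lines in the order the report prints them.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^\n]+)\n\s*\n"
    r"MD5 (?P<md5>[0-9a-fA-F]{32})\n"
    r"SHA1 (?P<sha1>[0-9a-fA-F]{40})\n"
    r"SHA256 (?P<sha256>[0-9a-fA-F]{64})\n"
    r"SHA512 (?P<sha512>[0-9a-fA-F]{128})",
    re.MULTILINE,
)


def parse_files_section(text):
    """Return {dropped path: {algo: lowercase hexdigest}} for every complete entry."""
    return {
        m.group("path"): {a: m.group(a).lower() for a in ALGOS}
        for m in ENTRY_RE.finditer(text)
    }


def digests(data):
    """All four digests of a byte string, keyed like the report."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def match_bytes(data, iocs):
    """Return [(report path, set of algorithms that matched)].

    Any single algorithm is enough to flag. A set smaller than all four means
    the IOC entry is internally inconsistent (mistyped digest, or a collision
    on the weaker algorithm) and should be rechecked before acting on it.
    """
    got = digests(data)
    hits = []
    for path, want in iocs.items():
        agree = {a for a in ALGOS if want[a] == got[a]}
        if agree:
            hits.append((path, agree))
    return hits


def sweep_tree(root, iocs):
    """Hash every readable regular file under root; return {local path: hits}."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            local = os.path.join(dirpath, name)
            try:
                with open(local, "rb") as fh:
                    hits = match_bytes(fh.read(), iocs)
            except OSError:
                continue
            if hits:
                found[local] = hits
    return found


if __name__ == "__main__":
    table = parse_files_section(SAMPLE_FILES)
    for path, algos in match_bytes(b"abc", table):
        print(f"match: {path} via {sorted(algos)}")
```

Two caveats before running this against a fleet. First, the report itself shows why file hashes from an installer are brittle: the two NSIS plugin directories above (nsf79E4.tmp and nsr9694.tmp) each carry a System.dll with a different hash, so a sweep keyed only on digests will miss the next build; pair the hashes with the dropped paths and the registry indicators. Second, `sweep_tree` reads each file whole for brevity; on a live host hash in chunks and feed all four algorithms from one read.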

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-29 12:22

Reported

2024-11-29 12:25

Platform

win7-20240708-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst77B0.tmp\iWinInstallOptions.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\MSN Games\MSNGames.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MSN Games\locales\am.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\kn.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\mr.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\sl.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pepflashplayer.dll C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\misc\information.gif C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\MSNGames-MCE.lnk C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\da.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\el.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\fil.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\it.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\d3dcompiler_47.dll C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\buynow.html C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pages\maintenance.html C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\ca.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\fa.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\end.html C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\success.html C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\global\page-bg.gif C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\es.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\sv.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\zh-TW.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\scripts\disconnected-upsell.js C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\sounds\start.wav C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\expired.html C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\buttons\yesiwantabackupcd-orange-197.gif C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\global\page-bg-swirly.gif C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pages\offline_tag.gif C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\id.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\natives_blob.bin C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\css\offline.css C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\bg_header.gif C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\buttons\continue-orange-132.gif C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\ous\ous-promo-banner.jpg C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\styles\shoppingcart.css C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\sounds\animation.wav C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\WebUpdater.bmp C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\ous\hotel-bg.gif C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\uk.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\ous\opal.gif C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pages\blank2.html C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\fr.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\he.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\hr.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\zh-CN.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\global\logo-invis.gif C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\sounds\coins.wav C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\te.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\common\loading.gif C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\scripts\popups.js C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pages\test.html C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\MSNGames-MCE.xml C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\en-GB.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\lt.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\lv.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\browser_cef_exe.exe C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\operationfailed.html C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pages\alert32x32.gif C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\sr.pak C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\disconnected-upsell.html C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pages\arcadeCheck.js C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pages\offline.jpg C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pages\offlineBg.gif C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsy1517.tmp\InstGameInfoHelperMSN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nst77B0.tmp\iWinInstallOptions.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com\NumberOfSubdomains = "1" C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\MSNGames.exe = "8000" C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\MSN Games\MSNGames.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalService = "iWinTrusted" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Program Files (x86)\\MSN Games\\iWinTrusted.exe\" /server" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32\ = "C:\\Program Files (x86)\\MSN Games\\iWinTrusted.exe" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\ = "%CommonProgramFiles%\\System\\ado\\msadox.dll" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\ProgID C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\Programmable C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\MSN Games" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A} C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0 C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ForseRemove C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32 C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer\ = "iWinTrusted.CoiWinTrusted.1" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS\ = "0" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\ = "ADOX.Catalog.6.0" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32 C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1 C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\ = "iWinTrusted Class" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted Class" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14} C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14} C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\ProgID\ = "ADOX.Catalog.6.0" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID\ = "iWinTrusted.CoiWinTrusted" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\ = "iWinTrusted 1.1 Type Library" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\VersionIndependentProgID\ = "ADOX.Catalog.6.0" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\VersionIndependentProgID C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID\ = "iWinTrusted.CoiWinTrusted.1" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32 C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0 C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB} C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\ThreadingModel = "Apartment" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = … C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = … C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe
PID 1904 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe
PID 1904 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe
PID 1904 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe
PID 1904 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe
PID 1904 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe
PID 1904 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe
PID 2768 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\nsy1517.tmp\InstGameInfoHelperMSN.exe
PID 2768 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\nsy1517.tmp\InstGameInfoHelperMSN.exe
PID 2768 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\nsy1517.tmp\InstGameInfoHelperMSN.exe
PID 2768 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\nsy1517.tmp\InstGameInfoHelperMSN.exe
PID 2768 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\nsy1517.tmp\InstGameInfoHelperMSN.exe
PID 2768 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\nsy1517.tmp\InstGameInfoHelperMSN.exe
PID 2768 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\nsy1517.tmp\InstGameInfoHelperMSN.exe
PID 2768 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Windows\ehome\RegisterMCEApp.exe
PID 2768 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Windows\ehome\RegisterMCEApp.exe
PID 2768 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Windows\ehome\RegisterMCEApp.exe
PID 2768 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Windows\ehome\RegisterMCEApp.exe
PID 2768 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2768 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2768 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2768 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2768 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2768 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2768 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2768 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2768 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2768 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2768 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2768 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2768 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\MSNGames.exe
PID 2768 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\MSNGames.exe
PID 2768 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\MSNGames.exe
PID 2768 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\MSNGames.exe
PID 2088 wrote to memory of 2820 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2088 wrote to memory of 2820 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2088 wrote to memory of 2820 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2088 wrote to memory of 2820 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2088 wrote to memory of 2592 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2088 wrote to memory of 2592 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2088 wrote to memory of 2592 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2088 wrote to memory of 2592 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2592 wrote to memory of 2612 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2592 wrote to memory of 2612 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2592 wrote to memory of 2612 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2592 wrote to memory of 2612 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2088 wrote to memory of 1860 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2088 wrote to memory of 1860 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2088 wrote to memory of 1860 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2088 wrote to memory of 1860 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 1860 wrote to memory of 1916 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe
PID 1860 wrote to memory of 1916 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe
PID 1860 wrote to memory of 1916 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe
PID 1860 wrote to memory of 1916 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe
PID 1916 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe C:\Users\Admin\AppData\Local\Temp\nst77B0.tmp\iWinInstallOptions.exe
PID 1916 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe C:\Users\Admin\AppData\Local\Temp\nst77B0.tmp\iWinInstallOptions.exe
PID 1916 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe C:\Users\Admin\AppData\Local\Temp\nst77B0.tmp\iWinInstallOptions.exe
PID 1916 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe C:\Users\Admin\AppData\Local\Temp\nst77B0.tmp\iWinInstallOptions.exe
PID 1916 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe C:\Users\Admin\AppData\Local\Temp\nst77B0.tmp\iWinInstallOptions.exe
PID 1916 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe C:\Users\Admin\AppData\Local\Temp\nst77B0.tmp\iWinInstallOptions.exe
PID 1916 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe C:\Users\Admin\AppData\Local\Temp\nst77B0.tmp\iWinInstallOptions.exe
PID 2088 wrote to memory of 2724 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Games\MSN\Infinite Crosswords\GLWorker.exe
PID 2088 wrote to memory of 2724 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Games\MSN\Infinite Crosswords\GLWorker.exe
PID 2088 wrote to memory of 2724 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Games\MSN\Infinite Crosswords\GLWorker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b13605766b48d2d4cadea70a5656189a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsy1517.tmp\InstGameInfoHelperMSN.exe

"C:\Users\Admin\AppData\Local\Temp\nsy1517.tmp\InstGameInfoHelperMSN.exe"

C:\Windows\ehome\RegisterMCEApp.exe

"C:\Windows\ehome\RegisterMCEApp.exe" /allusers "C:\Program Files (x86)\MSN Games\MSNGames-MCE.xml"

C:\Program Files (x86)\MSN Games\AdminWorker.exe

"C:\Program Files (x86)\MSN Games\AdminWorker.exe" AddArcadeToFireWallExceptions

C:\Program Files (x86)\MSN Games\AdminWorker.exe

"C:\Program Files (x86)\MSN Games\AdminWorker.exe" restoreShortcutsPathes

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

"C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install

C:\Program Files (x86)\MSN Games\MSNGames.exe

"C:\Program Files (x86)\MSN Games\MSNGames.exe"

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

"C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install

C:\Program Files (x86)\MSN Games\AdminWorker.exe

"C:\Program Files (x86)\MSN Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\MSN Games\\iWinTrusted.exe" "-install"

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

"C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install

C:\Program Files (x86)\MSN Games\AdminWorker.exe

"C:\Program Files (x86)\MSN Games\AdminWorker.exe" StartProcessAndWait "C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe" "/S" "6577137636012359169" "6577137643961526784" "" "" "price|999|gameSKU|6577137643961526784";PogoInstall;Infinite Crosswords

C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe

"C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe" /S

C:\Users\Admin\AppData\Local\Temp\nst77B0.tmp\iWinInstallOptions.exe

"C:\Users\Admin\AppData\Local\Temp\nst77B0.tmp\iWinInstallOptions.exe" /S

C:\Games\MSN\Infinite Crosswords\GLWorker.exe

"C:\Games\MSN\Infinite Crosswords\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid6577137636012359169

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.iwin.com udp
NL 18.239.69.73:80 dl.iwin.com tcp
US 8.8.8.8:53 gm-msn.iwin.com udp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 8.8.8.8:53 img.iwin.com udp
IE 3.162.140.81:80 img.iwin.com tcp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 8.8.8.8:53 gm-msn.iwin.com udp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 52.22.60.172:80 gm-msn.iwin.com tcp
US 8.8.8.8:53 static.iwincdn.com udp
US 8.8.8.8:53 connect.facebook.net udp
DE 157.240.253.1:80 connect.facebook.net tcp
FR 68.232.35.54:80 static.iwincdn.com tcp
FR 68.232.35.54:80 static.iwincdn.com tcp
GB 172.217.169.40:80 www.googletagmanager.com tcp
US 52.22.60.172:80 gm-msn.iwin.com tcp
DE 157.240.253.1:443 connect.facebook.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 download.iwincdn.com udp
US 8.8.8.8:53 o.pki.goog udp
PL 93.184.221.131:80 download.iwincdn.com tcp
GB 142.250.200.3:80 o.pki.goog tcp
US 8.8.8.8:53 ws-msn.iwin.com udp
US 52.22.60.172:80 ws-msn.iwin.com tcp
US 52.22.60.172:80 ws-msn.iwin.com tcp
PL 93.184.221.131:80 download.iwincdn.com tcp
US 52.22.60.172:80 ws-msn.iwin.com tcp
US 52.22.60.172:80 ws-msn.iwin.com tcp
NL 18.239.69.73:80 dl.iwin.com tcp
US 52.22.60.172:80 ws-msn.iwin.com tcp
US 52.22.60.172:80 ws-msn.iwin.com tcp
US 8.8.8.8:53 cimg.iwin.com udp
IE 3.162.140.40:80 cimg.iwin.com tcp
IE 3.162.140.40:80 cimg.iwin.com tcp
IE 3.162.140.40:80 cimg.iwin.com tcp
IE 3.162.140.40:80 cimg.iwin.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.146:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\System.dll

MD5 960a5c48e25cf2bca332e74e11d825c9
SHA1 da35c6816ace5daf4c6c1d57b93b09a82ecdc876
SHA256 484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
SHA512 cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\nsisdl.dll

MD5 a5a4cee2eb89d2687c05ef74299f0dba
SHA1 b9bff5987be422887f2f402357b47db2288a1a42
SHA256 cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963
SHA512 f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0

\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\MSNGamesSetup.exe

MD5 7b3ec6d1800cddc1b195d98244e98e5a
SHA1 4f1f7318c220cfca2d8631dc3398c3242bf34115
SHA256 3cb4ae53e2756e00d016427ff3e27a488376e1ce81b5a2ce4e24520e7ca8000a
SHA512 d8ff6fee981cd039499ea2b78d2565a5418a867a40eea43310051ff90a5f2a7462cd3c63c87f9e539135d91bcea0bf2dd5ceb25256201f781c8f49c344d0fb93

\Users\Admin\AppData\Local\Temp\nsy1517.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsjEB4A.tmp\ftdownload.dat

MD5 433030c5cbb375e16cc885014191f07b
SHA1 485546229799b852d97fee65a5d899aaad757ed7
SHA256 1095affbecd87e6bc9a6a2d3ba7937a2d847480b24b2cc66458b3614beb6bed4
SHA512 c4506614047c741a2c8b039a878c7eeb387c9f136dd9be2847d1edee0848368517e18606110a5b1f225a2e937e7536420e9a68fd5bf7283e29efc41f40859091

\Users\Admin\AppData\Local\Temp\nsy1517.tmp\nsExec.dll

MD5 acc2b699edfea5bf5aae45aba3a41e96
SHA1 d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512 e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

\Users\Admin\AppData\Local\Temp\nsy1517.tmp\InstGameInfoHelperMSN.exe

MD5 0025cd88501fa44e826bc9ed4bdef2fb
SHA1 c1a5d54809ba50bea7c4cac90563eb50b1d973ab
SHA256 f26ccc52aee7f6949d33a8c5eae4829bf94ad338765b04b68214cb5f375d5d59
SHA512 96a78d4d84fa9aa74f7791d01534e9c18cabf31a73b2e6711d4152527e16265163f415b43f418112652f3642192a8409383098899f84cb762c4cf6ff2c8140fd

C:\Users\Admin\AppData\Local\Temp\nsy1517.tmp\gametitle.txt

MD5 b95effb5cac0ebc1ea0c2e8e846e5045
SHA1 43eeed2f329347102b81baafc0cd9e62b5eae175
SHA256 3d99b189ef5a1f1fd58289b094ea89759b812efadf4cc86598cc5c207ad51859
SHA512 43c80d1713253a54b4d31a742c4afa5d0070a0f290498a71488d9d80156295438dd294496d21cb590f9ef95a1b99cf39073b026014b375d6b8d97e9b03674f2e

C:\Users\Admin\AppData\Local\Temp\nsy1517.tmp\tn_feat.bmp

MD5 49cd2c57170a77dfa6639da258bdcce1
SHA1 fa49d2bbcccaa5219c96ecec6ef9833ebda3af2a
SHA256 6dd1f4b52d063661e6da75d17880d8e0c0d5d5febff44824f646ac92faa7dc63
SHA512 d5b2302f83f2cf7c7f45c38508ccf2ca7762f6ce2feb50b48a5337bdb1592cff3ecd43bfd06da4c9e29d420bc319a7d5ab9555598365137d67ea4875868de4a0

\Program Files (x86)\MSN Games\MSNGames.exe

MD5 a723f73cafced792d6b908c70368aa5e
SHA1 76725a966bb2f0151f9cbbd7ef41b4aa59255ca3
SHA256 79b411d4ec2da73268cf304e5af339544cc516f1b9469a6722afcd72cc9aca1c
SHA512 92f49b895638473084cf2c86b94ec414fc8c6ba5a1d0dba2cee999366f4f5983dff4ae986de12ad71591242aa511b732c80e28d58ee9151477e54419b8c92759

\Users\Admin\AppData\Local\Temp\nsy1517.tmp\GameuxInstallHelper.dll

MD5 4d3ac88054df63fc810427bdaa96c458
SHA1 e4d554e03ba91f6b53a2a80253b339f56e303c94
SHA256 b07ffcd0af80f6b9fba09abe816ba2f0ff0d336639f1768fc317291bc635ece6
SHA512 d4732ad89bbb19b316dff1b9c534acf98bb985c89d1295f08e24b21531123426500b3712979dda2f0e941a5969c0cbca15bbd52f6c167653f96a494a6677ca54

C:\Users\Admin\AppData\Local\Temp\Cab4E34.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

\Program Files (x86)\MSN Games\AdminWorker.exe

MD5 6772fdec98b776314724f63be2f657b3
SHA1 6014eb84c278072a501790a9be7c061156c4b824
SHA256 8265375aa8916022cddaf5921f034b787416af5be65526f0a15e5791ebd257ed
SHA512 0bad9e075ff4df3606ae7efc3ad8e2038e0b7f69379b72bfbe2686ba6d92a7b3251b0cf021af9b9231b60b92d42a0af2f0e8a150e44b5410dab7e4b8b9a2273a

C:\Program Files (x86)\MSN Games\MSNGames-MCE.xml

MD5 e654d0f26590a59d0d6125dc34fdb1ab
SHA1 d1988bac2c8b16494e1fa7a233ebf9e9d330aad3
SHA256 c238b3efb9d5cb59ee4953b4ac261100848534ccf57678ce8a92620f1a07c139
SHA512 49ebe2328438d6b8d72378cf2492e89c7a37514bb43cd6fc6af2a0af37c9fc79c6242d6e193d65e43fd725de4357f56a0119e4c38332b40eba34bab9858b4243

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

MD5 f117e941af67e0c73327b261d03d8293
SHA1 c00aa7b9217793451b3cb5658a4f54a313ec2e36
SHA256 cf76079b5d416815c3607b309336f5d6801a9953ad3d9d87eaebdffb531b08ea
SHA512 1e5383d26544f082a0f7b20f828597c0a7004b7f71af285b40ec241fea739a96459b6899bd36ba5b216012ce87bc7b403797dc5c481aa947a63f26aeea571b1c

C:\Users\Admin\AppData\Local\Temp\nsy1517.tmp\tn_feat.jpg

MD5 c2965cb96a332484fd16f6f43d367cce
SHA1 ea86229b04037c6c333150235fc9f40d7675a3c6
SHA256 ac368fbb7f15ee40eb4731284dc848a454f3a01cab11c9bfbcff8ae7c0782d72
SHA512 4a499be02e4c45e00c75b8ab5b84f37c2311db6a78fcbbbc0ace6391a067aad731e23592cd4d014757e227f344575d9857c66a60a8c3dd4b6e8b11195255a147

C:\Program Files (x86)\MSN Games\pages\blank.html

MD5 9482e5ee38471e5b6a688ad0d02fe6b4
SHA1 12dfac1206e34a47b2d3f639106056c9f7ca3e7a
SHA256 a655fa3c755d22a5a95b01a91030fe889e8c37e900226a05fc32aebd04fc4e2d
SHA512 c8b1ec8ef2d48d3c8d57c2728bb1ae6d150f43bc3ccba063b819ae1e7809331b170fc764d655db5ee11c838cbb74b91abc3abd837d98830589ee5b3aa3e905a4

C:\Program Files (x86)\MSN Games\pages\blank2.html

MD5 90b42fd8e93203218847a3c0a646d377
SHA1 0d485e2de867448e4853031d5714942128d92983
SHA256 aec450600b1ea9c5cd12a92ff9764092434c2cca7e56c10c7b11a63a13209c5f
SHA512 de8ab5192fbb9e1df4f1baa7436f2d21cbb94f921931d502aed87049b46affe2dba1929ef48b528f114722cff7c797d381070b35884f7bea18813df355b0ffab

C:\Program Files (x86)\MSN Games\pages\iwgm.loading.jpg

MD5 bf7e93622206bd7206494a7b805c0954
SHA1 5dec728c393cafd17d55a18501770ce22f16ffae
SHA256 cabc0465f851bce0342470e5f4d81a5f4045028d4093d059225b4f76eb6297d7
SHA512 f60adc9f8086793070c9fe7b7f1aab75251a4c71622c364ff6fc0e63b5f14da3e56cbca412ce2d80322713d4e4ca6944ede640878f1d115a48b08a891305d9ce

C:\Program Files (x86)\MSN Games\sounds\animation.wav

MD5 3ef7618619348fbbeca7b0f772be7e5c
SHA1 d86829f29c8f22c2d3562269b3d2f0c3b822ad0c
SHA256 d361e7b9d8d6e1e3c2b4977f53a06a363183b74796b27cbba2d0277a7e19a872
SHA512 b7c339678b214ff57594f02f2953ec762584f8b31644b1f63ac55586423fd34a7afae9c3d208db7caaab6e30bcb806cc9720cdb34c58f466aabad547d3263376

C:\Program Files (x86)\MSN Games\WebUpdater.bmp

MD5 3bef430235c592989ef45d64b8995fda
SHA1 0d99277cdeec4845540bcf456531b57e0e939cdd
SHA256 624426067e03d13efcfc88d570cc593649b67bafd9bf673ab46046dab00d8d5d
SHA512 7dd5904c5ff5680be017238bb3ed96f6652d575d2eb6d85d2a3ac8045c58d836ddca12d73ebab831f22a9b57a0e410c2a56359b5abf567be5ec565a9c781af96

C:\Program Files (x86)\MSN Games\sounds\start.wav

MD5 94ab5e493c7fd8358c9a893d0a108d5f
SHA1 5dd41e775bb246ee33cbbb6bbf1a4a6b65da1173
SHA256 54e995d1600802e1dccb785ba3ea20d14c85b54e70c397d48074135f2c731b4a
SHA512 f95197a3f28d57c77ad4f40346d941ce075e83bec79531eb7000b981f9587f0ccbe962edb11390c4a122386666e0665f1572091489338760a2dcd2bba0113164

C:\Program Files (x86)\MSN Games\sounds\button_click.wav

MD5 d5c43fe0fd3f6b5c1d2d96ef21834f9d
SHA1 f8e36c4fe187396cec014bb2e733d953b3a76fdd
SHA256 ed0c4264b99666a9e59299097c2acc7549dcf7e896c2a7584d65a616aaa415e1
SHA512 e629e4cab48e75c35dbbb33b427c31babe814ecadf4357695e7bb3370ca838005c9c156a3dcb79f574cfd4b05b4fa6b55c991f249d9f3b6b072c3d87468c04cc

C:\Users\Admin\AppData\Local\Temp\Tar64CC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe

MD5 814bfe8f14c329e1442c3e3a8d8293b5
SHA1 d453cdd5ca2819bda9c0a31bffaa9978503b6094
SHA256 86ae8e00b375b9d576c8b2c859c3971cae7ff17c6133c79b1821fb76586041a4
SHA512 a1516e11eac7f57cebbbf7fcca9f9a932f4d92841f655a7c63b56aca73903c3faa48ebb4cb357afde963abac84959277c080ae288da0833a303152e9246c47bf

\Games\MSN\Infinite Crosswords\InfiniteCrosswords.ifn

MD5 d9491b48ad8ba2e01bb4c2227319c55c
SHA1 f3fb231ee2c9c941a20911bb5c97db15938be785
SHA256 32956cf2acbd4fea7663af2177c5323d0397b285e4096e150e8ae1ffb8f1d1d1
SHA512 7ac18e7aefede8d0697273fba47d28089739bd3cdf1f1d27f2560a0dd2739e9cf12db8c787186ee33e23022a24ca4cbea5952bb361839287ac27f11a1e36ba47

memory/1916-445-0x0000000020000000-0x00000000204B6000-memory.dmp

memory/1916-446-0x0000000020000000-0x00000000204B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\nst77B0.tmp\iWinInstallOptions.exe

MD5 8003a3286495deed791c357cb8fc4e82
SHA1 c3c602b0c69f1dc66c4f1e498c67e003f6f2d1e6
SHA256 556f052e6bc898af76c81ce5d00493fd0c1364fdaf2c1567409154d10ffc2cc3
SHA512 79fc49ed2fdbb4babe79937cb3c4a1db92a0ce0e948b083708d643b935cec57ea4feba3998e7530ea22aedc2eb71cfc061d259ba1d90234de968f0dfe66eecbd

C:\Users\Admin\AppData\Local\Temp\nst7C42.tmp\System.dll

MD5 56a321bd011112ec5d8a32b2f6fd3231
SHA1 df20e3a35a1636de64df5290ae5e4e7572447f78
SHA256 bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
SHA512 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

memory/2088-472-0x000000000A7C0000-0x000000000A9CC000-memory.dmp

memory/2088-473-0x000000000A7C0000-0x000000000A9CC000-memory.dmp

memory/2724-480-0x0000000002530000-0x0000000002730000-memory.dmp

memory/2724-476-0x0000000002530000-0x0000000002730000-memory.dmp

memory/2724-475-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2088-474-0x000000000A7C0000-0x000000000A9CC000-memory.dmp

memory/2724-490-0x0000000002530000-0x0000000002730000-memory.dmp

memory/2724-492-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2724-487-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2724-486-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2724-485-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2724-488-0x0000000002530000-0x0000000002730000-memory.dmp

memory/2088-503-0x000000000A7C0000-0x000000000A9CC000-memory.dmp

memory/2088-504-0x000000000A7C0000-0x000000000A9CC000-memory.dmp