Analysis
- max time kernel: 149s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2025, 11:40
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe, win7-20240903-en
- behavioral2: JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe, win10v2004-20241007-en
- behavioral3: $PLUGINSDIR/InstGameInfoHelper.exe, win7-20240903-en
- behavioral4: $PLUGINSDIR/InstGameInfoHelper.exe, win10v2004-20241007-en
- behavioral5: $PLUGINSDIR/IwinToolbar.exe, win7-20241010-en
- behavioral6: $PLUGINSDIR/IwinToolbar.exe, win10v2004-20241007-en
- behavioral7: $PLUGINSDIR/System.dll, win7-20240708-en
- behavioral8: $PLUGINSDIR/System.dll, win10v2004-20241007-en
- behavioral9: $PLUGINSDIR/iwintoolbarinst.exe, win7-20240903-en
- behavioral10: $PLUGINSDIR/iwintoolbarinst.exe, win10v2004-20241007-en
- behavioral11: $PLUGINSDIR/nsExec.dll, win7-20240903-en
- behavioral12: $PLUGINSDIR/nsExec.dll, win10v2004-20241007-en
- behavioral13: AdminWorker.exe, win7-20240729-en
- behavioral14: AdminWorker.exe, win10v2004-20241007-en
- behavioral15: Uninstall.exe, win7-20240903-en
- behavioral16: Uninstall.exe, win10v2004-20241007-en
- behavioral17: WebInstaller.exe, win7-20240903-en
- behavioral18: WebInstaller.exe, win10v2004-20241007-en
- behavioral19: WebUpdater.exe, win7-20240903-en
- behavioral20: WebUpdater.exe, win10v2004-20241007-en
- behavioral21: content/iwa-ovr.js, win7-20240903-en
- behavioral22: content/iwa-ovr.js, win10v2004-20241007-en
- behavioral23: content/iwinarcade.js, win7-20241023-en
- behavioral24: content/iwinarcade.js, win10v2004-20241007-en
- behavioral25: firefox/iWinArcadeLauncher.exe, win7-20240903-en
- behavioral26: firefox/iWinArcadeLauncher.exe, win10v2004-20241007-en
- behavioral27: iWinGames.exe, win7-20241010-en
- behavioral28: iWinGames.exe, win10v2004-20241007-en
- behavioral29: iWinGamesHookIE.dll, win7-20240903-en
- behavioral30: iWinGamesHookIE.dll, win10v2004-20241007-en
- behavioral31: iWinInfo.dll, win7-20240903-en
- behavioral32: iWinInfo.dll, win10v2004-20241007-en
General
- Target: JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
- Size: 3.6MB
- MD5: e60156f6d9a9642465da11d0915b43ad
- SHA1: c332bc20c25fb9bbc94185992811e977243c5664
- SHA256: 672d70ad03e526910432bcc74c21e184b33b1bedd80c6a29223f4e52175b78f1
- SHA512: 806d626f2181c3968e90e0fe254a2956807d8beaed45ea20348c121a6db425cea3008a3518c2c0e77681e08a7c7bbca686b2189aba813628f2ebbcf2185e2997
- SSDEEP: 98304:6jiX418wVrgGlg9iHjOzZYr8d/GXGtQ9TANT:6jiIBy6O9d/GXAx
Malware Config
Signatures

Executes dropped EXE (11 IoCs)
pid / Process
- 2324 InstGameInfoHelper.exe
- 2668 AdminWorker.exe
- 2348 AdminWorker.exe
- 1140 iWinTrusted.exe
- 696 WebInstaller.exe
- 1328 iwintoolbar.exe
- 2096 iWinGames.exe
- 2904 iWinTrusted.exe
- 1596 WebInstaller.exe
- 2992 AdminWorker.exe
- 2616 iWinTrusted.exe
Loads dropped DLL (22 IoCs)
pid / Process (repeated events collapsed, in the order reported)
- 2428 JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe (x9)
- 972 regsvr32.exe
- 1856 regsvr32.exe
- 2428 JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe (x2)
- 2096 iWinGames.exe (x5)
- 1644 regsvr32.exe
- 2096 iWinGames.exe (x3)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules which act as plugins for Internet Explorer.
description / ioc / Process
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} regsvr32.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc
- 57 api.ipify.org
- 58 api.ipify.org
Drops file in Program Files directory (40 IoCs)
description / ioc / Process (every entry is "File created" by JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe)
- C:\Program Files (x86)\iWin Games\firefox\chrome.manifest
- C:\Program Files (x86)\iWin Games\pages\maintenance.html
- C:\Program Files (x86)\iWin Games\pages\offline.html
- C:\Program Files (x86)\iWin Games\WebUpdater.bmp
- C:\Program Files (x86)\iWin Games\WebUpdater.exe
- C:\Program Files (x86)\iWin Games\host.cfg
- C:\Program Files (x86)\iWin Games\pages\offlineBg.gif
- C:\Program Files (x86)\iWin Games\iWinGames.exe
- C:\Program Files (x86)\iWin Games\AdminWorker.exe
- C:\Program Files (x86)\iWin Games\pages\login.html
- C:\Program Files (x86)\iWin Games\pages\offline.css
- C:\Program Files (x86)\iWin Games\sounds\animationBack.wav
- C:\Program Files (x86)\iWin Games\sounds\slidebackin.wav
- C:\Program Files (x86)\iWin Games\sounds\slideout.wav
- C:\Program Files (x86)\iWin Games\firefox\version
- C:\Program Files (x86)\iWin Games\pages\blank2.html
- C:\Program Files (x86)\iWin Games\pages\iwin_logo.gif
- C:\Program Files (x86)\iWin Games\sounds\start.wav
- C:\Program Files (x86)\iWin Games\firefox\chrome\iwinarcade.jar
- C:\Program Files (x86)\iWin Games\pages\orange-im-connected-60.gif
- C:\Program Files (x86)\iWin Games\sounds\animation.wav
- C:\Program Files (x86)\iWin Games\iWinTrusted.exe
- C:\Program Files (x86)\iWin Games\WebInstaller.exe
- C:\Program Files (x86)\iWin Games\pages\arcadeCheck.js
- C:\Program Files (x86)\iWin Games\pages\offline_tag.gif
- C:\Program Files (x86)\iWin Games\pages\test.html
- C:\Program Files (x86)\iWin Games\iWinInfo.dll
- C:\Program Files (x86)\iWin Games\pages\error.html
- C:\Program Files (x86)\iWin Games\pages\offline.jpg
- C:\Program Files (x86)\iWin Games\pages\error404.css
- C:\Program Files (x86)\iWin Games\ftdownload.dat
- C:\Program Files (x86)\iWin Games\firefox\iWinArcadeLauncher.exe
- C:\Program Files (x86)\iWin Games\firefox\install.rdf
- C:\Program Files (x86)\iWin Games\pages\blank.html
- C:\Program Files (x86)\iWin Games\pages\terrie404.gif
- C:\Program Files (x86)\iWin Games\sounds\button_click.wav
- C:\Program Files (x86)\iWin Games\sounds\download_completed.wav
- C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll
- C:\Program Files (x86)\iWin Games\Uninstall.exe
- C:\Program Files (x86)\iWin Games\pages\alert32x32.gif
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 15 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process (every entry is "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language")
- regsvr32.exe
- AdminWorker.exe
- JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
- InstGameInfoHelper.exe
- WebInstaller.exe
- regsvr32.exe
- AdminWorker.exe
- iWinTrusted.exe
- AdminWorker.exe
- regsvr32.exe
- iWinGames.exe
- iWinTrusted.exe
- iwintoolbar.exe
- iWinTrusted.exe
- WebInstaller.exe
description / ioc / Process (signature name not preserved on the page)
- Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iWinGames.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iWinGames.exe
- Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com iWinGames.exe
- Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage iWinGames.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com\NumberOfSubdomains = "1" iWinGames.exe
- Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main iWinGames.exe
Modifies registry class (64 IoCs)
description / ioc / Process
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer\ = "iWinTrusted.CoiWinTrusted.1" iWinTrusted.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID\ = "iWinTrusted.CoiWinTrusted.1" iWinTrusted.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} iWinTrusted.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib iWinTrusted.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0 iWinTrusted.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ = "C:\\Program Files (x86)\\iWin Games\\iWinGamesHookIE.dll" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0 regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\VersionIndependentProgID\ = "iWinSuppot.iWinSuppot" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iwin\shell\open\command JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID iWinTrusted.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID iWinTrusted.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer iWinTrusted.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE iWinTrusted.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 iWinTrusted.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted iWinTrusted.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iwin\shell\open\command\ = "\"C:\\Program Files (x86)\\iWin Games\\iWinGames.exe\" \"%1\"" JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID\ = "iWinSuppot.iWinSuppot.1" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iwin\URL Protocol JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ = "iWinSuppot Class" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0\win32 regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0 iWinTrusted.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\iWin Games\\" regsvr32.exe
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1 iWinTrusted.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" iWinTrusted.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" regsvr32.exe
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Program Files (x86)\\iWin Games\\iWinTrusted.exe\" /server" iWinTrusted.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID\ = "{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ = "C:\\Program Files (x86)\\iWin Games\\iWinInfo.dll" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ = "IiWinInformer" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B} regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class" iWinTrusted.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted" iWinTrusted.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID\ = "iWinTrusted.CoiWinTrusted" iWinTrusted.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 iWinTrusted.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\ = "iWinSuppot Class" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB} regsvr32.exe
Modifies system certificate store
description / ioc / Process (blob values that the page no longer carries are marked "(blob data removed)")
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 InstGameInfoHelper.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (blob data removed) InstGameInfoHelper.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = (blob data removed) InstGameInfoHelper.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A InstGameInfoHelper.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (blob data removed) InstGameInfoHelper.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (blob data removed) InstGameInfoHelper.exe
- Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280 InstGameInfoHelper.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (blob data removed) InstGameInfoHelper.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (blob data removed) InstGameInfoHelper.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 iWinGames.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data removed) iWinGames.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data removed) iWinGames.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a iWinGames.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid / Process
- 2096 iWinGames.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid / Process (repeated events collapsed)
- 1328 iwintoolbar.exe (x2)
- 2096 iWinGames.exe (x5)
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (repeated events collapsed, in the order reported; 64 events in total)
- PID 2428 wrote to memory of 2324, 2428 JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe, target 28 (x7)
- PID 2428 wrote to memory of 2668, 2428 JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe, target 31 (x4)
- PID 2428 wrote to memory of 2348, 2428 JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe, target 32 (x4)
- PID 2428 wrote to memory of 1140, 2428 JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe, target 33 (x4)
- PID 2428 wrote to memory of 696, 2428 JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe, target 34 (x7)
- PID 696 wrote to memory of 972, 696 WebInstaller.exe, target 35 (x7)
- PID 2428 wrote to memory of 1856, 2428 JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe, target 36 (x7)
- PID 2428 wrote to memory of 1328, 2428 JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe, target 37 (x4)
- PID 2428 wrote to memory of 2096, 2428 JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe, target 39 (x4)
- PID 2096 wrote to memory of 2904, 2096 iWinGames.exe, target 40 (x4)
- PID 2096 wrote to memory of 1596, 2096 iWinGames.exe, target 41 (x7)
- PID 1596 wrote to memory of 1644, 1596 WebInstaller.exe, target 42 (x5)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe (PID 2428)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe"
  Signatures: Loads dropped DLL; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe (PID 2324)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies system certificate store
  - C:\Program Files (x86)\iWin Games\AdminWorker.exe (PID 2668)
    Command line: "C:\Program Files (x86)\iWin Games\AdminWorker.exe" AddArcadeToFireWallExceptions
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Program Files (x86)\iWin Games\AdminWorker.exe (PID 2348)
    Command line: "C:\Program Files (x86)\iWin Games\AdminWorker.exe" restoreShortcutsPathes
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Program Files (x86)\iWin Games\iWinTrusted.exe (PID 1140)
    Command line: "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
  - C:\Program Files (x86)\iWin Games\WebInstaller.exe (PID 696)
    Command line: "C:\Program Files (x86)\iWin Games\WebInstaller.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (PID 972)
      Command line: regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"
      Signatures: Loads dropped DLL; Installs/modifies Browser Helper Object; System Location Discovery: System Language Discovery; Modifies registry class
  - C:\Windows\SysWOW64\regsvr32.exe (PID 1856)
    Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\iWin Games\iWinInfo.dll"
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
  - C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\iwintoolbar.exe (PID 1328)
    Command line: iwintoolbar.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\iWin Games\iWinGames.exe (PID 2096)
    Command line: "C:\Program Files (x86)\iWin Games\iWinGames.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\iWin Games\iWinTrusted.exe (PID 2904)
      Command line: "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Program Files (x86)\iWin Games\WebInstaller.exe (PID 1596)
      Command line: "C:\Program Files (x86)\iWin Games\WebInstaller.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe (PID 1644)
        Command line: regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"
        Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
    - C:\Program Files (x86)\iWin Games\AdminWorker.exe (PID 2992)
      Command line: "C:\Program Files (x86)\iWin Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" "-install"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Program Files (x86)\iWin Games\iWinTrusted.exe (PID 2616)
        Command line: "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
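The process tree and the WriteProcessMemory rows above, turned into data a detection engineer can query. This is an added example and not output from the sandbox or code from the iWin installer: it hard-codes a subset of the process rows and a few WriteProcessMemory lines copied from this report (constructed sample, not re-collected), then applies three checks an analyst would typically want on an installer that behaves like this one: regsvr32 registering a DLL that does not live under C:\Windows (the `/i` switch additionally calls DllInstall, which is how a Browser Helper Object writes its own registration), a dropped helper requesting a firewall exception, and a process that writes into the memory of a child it spawned. The row layout, the rule names and the `Proc` class are this example's own conventions, not the sandbox's.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Process rows constructed from the sandbox tree on this page (a subset of it):
# (pid, parent pid or None, image path, command line, signature names).
PROCESS_ROWS = [
    (2428, None,
     r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe"',
     ["Loads dropped DLL", "Drops file in Program Files directory",
      "Modifies registry class", "Suspicious use of WriteProcessMemory"]),
    (2668, 2428, r"C:\Program Files (x86)\iWin Games\AdminWorker.exe",
     r'"C:\Program Files (x86)\iWin Games\AdminWorker.exe" AddArcadeToFireWallExceptions',
     ["Executes dropped EXE"]),
    (696, 2428, r"C:\Program Files (x86)\iWin Games\WebInstaller.exe",
     r'"C:\Program Files (x86)\iWin Games\WebInstaller.exe"',
     ["Executes dropped EXE", "Suspicious use of WriteProcessMemory"]),
    (972, 696, r"C:\Windows\SysWOW64\regsvr32.exe",
     r'regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"',
     ["Loads dropped DLL", "Installs/modifies Browser Helper Object", "Modifies registry class"]),
    (1856, 2428, r"C:\Windows\SysWOW64\regsvr32.exe",
     r'"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\iWin Games\iWinInfo.dll"',
     ["Loads dropped DLL", "Modifies registry class"]),
]

# WriteProcessMemory rows in the form the sandbox prints them (constructed subset,
# with one deliberately garbled line to show that it is skipped rather than fatal).
WPM_LOG = """
PID 2428 wrote to memory of 696 2428 JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe 34
PID 696 wrote to memory of 972 696 WebInstaller.exe 35
PID 696 wrote to memory of 972 696 WebInstaller.exe 35
PID 2428 wrote to memory of 1856 2428 JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe 36
wrapped fragment that does not match the row format
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")
DLL_RE = re.compile(r'([a-z]:\\[^"]+?\.dll)')


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    sigs: List[str]
    wpm_targets: List[int] = field(default_factory=list)

    @property
    def exe(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def build_tree(rows, wpm_log: str) -> Dict[int, Proc]:
    """Index rows by PID and attach the WriteProcessMemory targets parsed from the log."""
    procs = {row[0]: Proc(*row) for row in rows}
    for line in wpm_log.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # garbled or wrapped rows are skipped, not fatal
        src, dst = int(m.group(1)), int(m.group(2))
        if src in procs and dst not in procs[src].wpm_targets:
            procs[src].wpm_targets.append(dst)
    return procs


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Executable names from pid up to the root; useful context next to any hit."""
    chain = []
    while pid in procs:
        chain.append(procs[pid].exe)
        pid = procs[pid].ppid
    return chain


def detect(procs: Dict[int, Proc]) -> List[str]:
    """Return sorted 'rule:pid' strings for every process matching one of three checks."""
    hits = []
    children: Dict[Optional[int], set] = {}
    for p in procs.values():
        children.setdefault(p.ppid, set()).add(p.pid)
    for p in procs.values():
        cmd = p.cmdline.lower()
        # 1. regsvr32 registering a DLL outside C:\Windows; /i also runs DllInstall,
        #    which is where a BHO's Internet Explorer registration gets written.
        m = DLL_RE.search(cmd)
        if p.exe == "regsvr32.exe" and m and not m.group(1).startswith("c:\\windows\\"):
            bho = "/i" in cmd.split() or "Installs/modifies Browser Helper Object" in p.sigs
            hits.append(f"regsvr32_{'bho' if bho else 'dll'}:{p.pid}")
        # 2. A dropped helper asking for a firewall exception on the installer's behalf.
        if "firewall" in cmd and "Executes dropped EXE" in p.sigs:
            hits.append(f"firewall_exception:{p.pid}")
        # 3. A process writing into the memory of a child it spawned itself.
        if set(p.wpm_targets) & children.get(p.pid, set()):
            hits.append(f"wpm_into_child:{p.pid}")
    return sorted(hits)


if __name__ == "__main__":
    tree = build_tree(PROCESS_ROWS, WPM_LOG)
    for hit in detect(tree):
        rule, pid = hit.split(":")
        print(f"{rule:22} pid={pid:<5} chain={' <- '.join(ancestry(tree, int(pid)))}")
```

Rule 3 is deliberately loose: a parent writing into a child it just created is what CreateProcess-then-inject looks like, but it is also what many legitimate launchers do, so in production it is a scoring signal to combine with the other two rather than an alert on its own.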
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5B
  MD5: c314a4674d7e2d0d0df34fb27a0983d8
  SHA1: 56b9cdb1f345be8212ffa03722d792edf09b55fa
  SHA256: 2e8516fe8eade72d519ce204c2c296bf838589585c14d28170e1621bd10e4dc4
  SHA512: 1d25fa966a36fe0d12a0f58b1a94bb0b9787738b321d79aa8db9934a494a412117273cad836a37ef3ff44540441e3e343c8260a28e8883581a9def37ad0e5b60
- Filesize: 18B
  MD5: 48219b846f8111f0064fd38788b9ab98
  SHA1: 542cb5f93dbf610f28d6c66fca0a49da0076d31d
  SHA256: 38d321b4d09d2d0192d11d7356ebd2f94d413661b126b7494b223a57b04084de
  SHA512: 50ac1b46f6eb79bcad7c20927a95b734fb9b7a7e5d5a0927264fbeba82c9374cfd6437149f9cc43cfe50bfac52cc2948fae20074385ea0e4530841436b5120ad
- Filesize: 120KB
  MD5: 067b2c0a3d6b801fc8c9bcce8411dfd1
  SHA1: ff26f2c84a6c256b2959c9482f45524a9ab06781
  SHA256: 1e692ee7bbd08d0862055a4bf69647c8022385706bf3b07462f28de9d1a6cf7d
  SHA512: 8b7e372c3a15d27cbf449b51ced7485b40f687cb7429a0765f4cc6ff2a8f67ace2b0594662183b5a0292f1b46873694d9b8e2208f56d542cac5cddabfdb8e3b3
- Filesize: 76KB
  MD5: dc2c60e7d42d67a560918f8e497a0980
  SHA1: 55efe25e33e660d0284c73517a37d019777488c0
  SHA256: b79f06804168a096ee499fed0dcdf0b73a4ce742b455d5de0059d2ec7e1bb89f
  SHA512: e7c4e53ee45f5d1030c2c361194457e3e3a4009f2e356c687aaf299872a9c1388f2a86c8f5b69e68c64353ae5286c9dd411da218dd0fd20ff2f5d16219a83474
- Filesize: 251B
  MD5: f8ab4f67022399715ff3e862f59bd27e
  SHA1: 2606eca361d217990708bb1714e6de2d0bb21584
  SHA256: 3db213886c1a831f8c1867c367cf46ffc84065ce5831b04eb398837abcfd6965
  SHA512: 9bd33cd117228af88aef403472edf669a12aa4ec68fdc4cd168e1c6ad8aaa63e12278475583268aeff37609eef5b3118747f8be9792ca6cc59ded647dac86ad5
- Filesize: 74B
  MD5: 90b42fd8e93203218847a3c0a646d377
  SHA1: 0d485e2de867448e4853031d5714942128d92983
  SHA256: aec450600b1ea9c5cd12a92ff9764092434c2cca7e56c10c7b11a63a13209c5f
  SHA512: de8ab5192fbb9e1df4f1baa7436f2d21cbb94f921931d502aed87049b46affe2dba1929ef48b528f114722cff7c797d381070b35884f7bea18813df355b0ffab
- Filesize: 5KB
  MD5: 0dc284616d7449d447d4d5a9ac2a230b
  SHA1: 377a3077c320f639c8e58b50aab55725f2bb6e34
  SHA256: 1a75196360b1ce49017e0dac6fb29797e1a947085e6f5dcf03a37747b51e83a1
  SHA512: 044a70e9a448ea2f4ef0a8971420a230aaebf3cd1c4e896d1dcc1c52a20f94e48d0a59484077c2ff1bd2e4cb23b6fad041b87e1ea06a43e768b96b372d2955c9
- Filesize: 77KB
  MD5: 3ef7618619348fbbeca7b0f772be7e5c
  SHA1: d86829f29c8f22c2d3562269b3d2f0c3b822ad0c
  SHA256: d361e7b9d8d6e1e3c2b4977f53a06a363183b74796b27cbba2d0277a7e19a872
  SHA512: b7c339678b214ff57594f02f2953ec762584f8b31644b1f63ac55586423fd34a7afae9c3d208db7caaab6e30bcb806cc9720cdb34c58f466aabad547d3263376
- Filesize: 54KB
  MD5: cfc4459f1adafbe92f5c0f02c1ce07e0
  SHA1: f7b308ac9c4c5e367d7d76608793115cd91e3dd7
  SHA256: 580121199e3e9bd286d8837c5405acbe9f041e13e956afc4f9eb60eab69fab12
  SHA512: 724198bf7766a8812a35a59171bf107da90ffcc0cf975af945fc8f99b674709584bdc5de96fc0892675a9bd3204d689e39f82beda0f401eaa604cca89b3e050c
- Filesize: 8KB
  MD5: d5c43fe0fd3f6b5c1d2d96ef21834f9d
  SHA1: f8e36c4fe187396cec014bb2e733d953b3a76fdd
  SHA256: ed0c4264b99666a9e59299097c2acc7549dcf7e896c2a7584d65a616aaa415e1
  SHA512: e629e4cab48e75c35dbbb33b427c31babe814ecadf4357695e7bb3370ca838005c9c156a3dcb79f574cfd4b05b4fa6b55c991f249d9f3b6b072c3d87468c04cc
- Filesize: 57KB
  MD5: 94ab5e493c7fd8358c9a893d0a108d5f
  SHA1: 5dd41e775bb246ee33cbbb6bbf1a4a6b65da1173
  SHA256: 54e995d1600802e1dccb785ba3ea20d14c85b54e70c397d48074135f2c731b4a
  SHA512: f95197a3f28d57c77ad4f40346d941ce075e83bec79531eb7000b981f9587f0ccbe962edb11390c4a122386666e0665f1572091489338760a2dcd2bba0113164
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 48581bafccddc044ba3f8646db127c11
  SHA1: 389d9d438cdd48222e4c50a6c58bfdd77546b903
  SHA256: 24a2345038472ee0d5ee381389052bdd4c9151451fb61588ed5c85c10f39dca2
  SHA512: 22683fe8eb30af96cbb691ae78c532f3a833669dee1e10e48dec9821954a967bf2c67aaf26ac84dfb331973ea53d4370d60688f1b03dfd20c39842bcf47be136
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ebcbc9461cfbf341085628de7661a102
  SHA1: aa98698c2fb19f8b7fecaf2e6ac5be2660244cbf
  SHA256: 9aa9436847d6bdaed235f69ad32b2060b8463b764907797fde7086cebd5f28fd
  SHA512: 81f903a8dff4ebff19512392d3db8d52ba1389f5fa3a61a23e85a2e3b8cb1bbc02f5b224391336fc9ef7372dcc01dde1eef30734d13298b1bffe2fc3cb55fef1
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\core-standard[1].js
  Filesize: 578KB
  MD5: 2b50ac1e90a98cdb82d4ae5becb0221c
  SHA1: 665df17df710296f9576bdc90b18640c28c94680
  SHA256: 3aa33e1c6608b54c59d8ada00e8a1b7d5c122d699ec0fc37fdd97a02d42134f5
  SHA512: 5370c60717ade00568ed271c3f77c02bd946686c943d9a64587bfeef0767f0c9d43babff3cd5a72976123e7e477fae91283a1799fba58481bd43f4d8d0e8f6a4
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\polyfills[1].js
  Filesize: 4KB
  MD5: 04b96b5f357a07c6675daaeffcf55074
  SHA1: 8ed411a804b9cdccdc12caaea070911ca324f13f
  SHA256: a0757d0ce2b9c57b119aa3fc447ab0d2049d6a963c42db7c625189e5c90fed9a
  SHA512: 647925a5f1d7c0c0151a4ebcde56efa80e89d5632d8c371ee0b1ec807ca8d26839a8f154a716e599fe0f2ddaae7c45452e437c2fdcaa1c723078675a279453e2
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\header[1].js
  Filesize: 20KB
  MD5: 04c832663ef2c497c27975760b988a6e
  SHA1: 21475d2e59bfc306d5f9eb319e9c1405bb4f571d
  SHA256: f24f6fe2a459a9f1766028e1cef53182a3304240c2c2b7b475ac9d2e11813b18
  SHA512: a0bed83e3d4880b0ff2321321d745c11f0e11f08a21090b6a3e0781f41ead7a2e5b4267e8e99ebed1783e294c1a7ac0b466d23841df7a673e6e97813fa1275b1
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 5KB
  MD5: dd387b050a4bf3eae73f9741dcc91412
  SHA1: 8b8afc9628bdd823ae137c7ac08165ab1331a446
  SHA256: 0af4b1ed4f5181903476d2d3ddcdd8426f540b8ef7cf690e44c857ec5cd7bdda
  SHA512: 624d72050074fdee4a3c56ed5af230e3f668b83def795518813aab2df674014b35fdd2bae62239ae0ec7dade0ceedc37d4c502f18a90dcabcea473ef3ca12972
- Filesize: 98KB
  MD5: ec08c1c867ded8f5221aefb969b161c1
  SHA1: 839866cc28b401d1d3f0f07aa8f13803f56b496a
  SHA256: f3bd166834e626631abe30c2353dd1c015d8b9cf6b63cf94164478e6cbf3c0be
  SHA512: 34c35aab50e9207bdb50cb619c0882b585577b46cdd23710663dcfeceaca8b7c4248e082ad28c2718201225c42d0ad559ebd0ebe904a588d324d50d44774a7a7
- Filesize: 512B
  MD5: e45db6ebc4de21e77ddd6ac9a7735dc7
  SHA1: 2230443ffa9c45016b17aaaf05492e155032d8b5
  SHA256: 9af15500af37d4bba70bf38ed1100eb81553f6a6171d8dba84c1eb8cfc6fc2f9
  SHA512: 95078c3ee3abd00e97d99cb93f554c51ba935d21e5884e35c045e06c77474e45610ff43740bc5d6eadfd1a7ca2cec9967bb04bbc344158660ad3e8ddb2d70945
- Filesize: 10B
  MD5: 09413be548245a232bf1857a0c94524b
  SHA1: 367cae47d819a19202c30a801d05b3114f02bcb9
  SHA256: cb60483845cf9bced83019d3825d76fc6d1c2cea8430c2d3d33a0a926d5a5073
  SHA512: 953c3fb3ebebfec1856454b423154c425986af4eecf3ffd741639ea4c4be9d47dc9663b73683171b68db753abb1219241a8082cdf40e915a2411c38e755bccf7
- Filesize: 275B
  MD5: 2296dcd0b755b4583b5b527bfca0bd0e
  SHA1: b96ef22a4b6d629b7f50e630b51cd9dc631750cc
  SHA256: 02b679743bdd60c5b3001cf1b4e515ff278cf3ad643c0076a086b7f508238800
  SHA512: 9b8df772d9252f876a87e4d554087019217071789d383e297a2b5eba926cda3431aa80ef757d6711b7624cb20ca52799aca1259074a24cd9958d3d38a17c865a
- Filesize: 76B
  MD5: e41ae075dad2bf2abf87a30464c7b6f9
  SHA1: fecc0d941e3002e0c8c23fd1d2f30205a3bc8588
  SHA256: 2e053808cb86ed8bbdf19f0163c0d6e89710ab236b13ea9a6710a2cb2320c357
  SHA512: 70d77d051a73ba7aff31ae8d4633e2d90c4fca8c9583e732fc072fca53cfc347e5c8e9a898b3613e603aa43bbc50da99e6658675108a821b583308b291f94c96
- Filesize: 90KB
  MD5: 4c0f8f3cf26f0396ead85a2356807c3c
  SHA1: ce72ae607bf5bc4b3eeb7494e2e1bd4ebcbb69ff
  SHA256: b024f78e61fbb1e26c844a35cbe1c49c34a36af3ec1fff6528e5539c30b7132e
  SHA512: 574d76ef6cc7f705ee084faa8900bad77fb93732b37732e4d9e9bc66585690d623dff51921b0918904600da27fa607938fdca6fdc42733c73e6a94fd6adc3240
- Filesize: 119KB
  MD5: 68f57e85a24b56f8ef8147594d36cdce
  SHA1: 5a0a2df45c1d3a9ebed83eae74bbd1c13ad5d053
  SHA256: 5c8c6afa74f03fb0d2ac31cb9cf19077211dd5c08c0166881893efb7d2a3977f
  SHA512: 7ecfb670e4d3672413d9274cf7ebd888d007ba09d6c2dd24f88175817663d0b67064603f1e011fa2cdaf7a160dce62c2502516dd29c4a28b8686315bea0cb042
- Filesize: 1.5MB
  MD5: 4851958fad503e3467be9b047517e4d3
  SHA1: 95d09a8bae10756fe41739336f5768dc14d27dd9
  SHA256: 2c8e819d3cfec79cce6fa9ecc2402a7bdc1839c6af98505e38215318f511ed28
  SHA512: 7bb53990f50512fc1550b91789fc7b3190fb0cdba9bca068f49579d162d46782895d1d518de00e7f95e82823d1f855670492d5dde057b44720bae71d85f063d1
- Filesize: 138KB
  MD5: f841c2d5f930cf4ae834b67a9eba5809
  SHA1: 50d550e3d9ea5585148f644f12e33d113dd303e8
  SHA256: 9b22d81b76219c30914dbf93f431cf72a6dc071a34fda46c4534a24eb6ca43c7
  SHA512: ee5f53e67826dd6542b39e5808c6bcfc4b5ddb09ef566de7167c57e7ebfe1a4dd915bb3ab6c7c6693b0b3b499dd35ca6c16f782fc11ea4262f4955a08e206702
- Filesize: 103KB
  MD5: 2977804931e9cf61cf86d1d0d0d7eb3e
  SHA1: 3e96c8baa8d6ebeb8deb021a453adc02b4f7a288
  SHA256: c79f67e60d4d9d8e3446bcf804b9f78fc7a52a994a47383c1aff9a7b58790979
  SHA512: 4004e12a59d175d7d88c7e6cd8ddddc78ee787ca0f82b63ee63d1e271d828655aa10c2d8463928a9db1fcf13308572c55d407194baa941f9162d6d08a5a47b14
- Filesize: 10KB
  MD5: 4c0c6163b636f627e0d505deda672c90
  SHA1: 2eae4e6f00673a03ae2434f1b22dc9218e4761a8
  SHA256: bea71368433f91e32c597db990089ecb7599879f76a64f7f3446489578b2d5fb
  SHA512: e817ad35f0e89ecce9d73add641d9eab95de6c6c30153e594673c8e0243e738a31dfb872cc76a8d51bc513775fc1dabc9adb65019298048539d6c3aa7d33e2ef
- Filesize: 6KB
  MD5: 0eaa468e975017262a246e03e23b3172
  SHA1: 17064408bd1c2fe2a6aa8588fba7d34018f94241
  SHA256: 2a0b28de70575228c2bf63f0d3c4073904e2c854427c006f187532f1d0349bd6
  SHA512: e5946258c126fb0a6657d862931b6c965bfd899a499f023ee3626f62039acdbf844f495c714eaaae47c08de4d8b668377e23f7b5632c0b9d83391aaf08378de7
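The Downloads list above as input to a small parser. This is an added example and not part of the sandbox report or of any tool used to produce it: it takes three entries copied from the list (a constructed sample, kept in the fused label-plus-value form the report extraction produced) and turns them into records with validated digests and sizes in bytes, ready for a blocklist or a hash lookup. The label of each line is resolved by digest length rather than by prefix alone, because a SHA1 digest that happens to begin with "256" would otherwise be read as a SHA256 line. The function and field names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: three entries copied from the Downloads list on this page,
# exactly as extracted (label and hex value fused, "Filesize" sometimes split
# from its value, an optional path line first, "-" separating entries).
SAMPLE = r"""
-
Filesize
5B
MD5c314a4674d7e2d0d0df34fb27a0983d8
SHA156b9cdb1f345be8212ffa03722d792edf09b55fa
SHA2562e8516fe8eade72d519ce204c2c296bf838589585c14d28170e1621bd10e4dc4
SHA5121d25fa966a36fe0d12a0f58b1a94bb0b9787738b321d79aa8db9934a494a412117273cad836a37ef3ff44540441e3e343c8260a28e8883581a9def37ad0e5b60
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD548581bafccddc044ba3f8646db127c11
SHA1389d9d438cdd48222e4c50a6c58bfdd77546b903
SHA25624a2345038472ee0d5ee381389052bdd4c9151451fb61588ed5c85c10f39dca2
SHA51222683fe8eb30af96cbb691ae78c532f3a833669dee1e10e48dec9821954a967bf2c67aaf26ac84dfb331973ea53d4370d60688f1b03dfd20c39842bcf47be136
-
Filesize
1.5MB
MD54851958fad503e3467be9b047517e4d3
SHA195d09a8bae10756fe41739336f5768dc14d27dd9
SHA2562c8e819d3cfec79cce6fa9ecc2402a7bdc1839c6af98505e38215318f511ed28
SHA5127bb53990f50512fc1550b91789fc7b3190fb0cdba9bca068f49579d162d46782895d1d518de00e7f95e82823d1f855670492d5dde057b44720bae71d85f063d1
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def split_hash_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (algorithm, lowercase digest) for a fused line such as 'SHA156b9...'.

    The label is accepted only if the remainder has that algorithm's digest length
    and is pure hex; this is what disambiguates 'SHA1' + '256...' from 'SHA256' + '...'.
    """
    for algo, n in HASH_LEN.items():
        if line.startswith(algo):
            rest = line[len(algo):].lower()
            if len(rest) == n and re.fullmatch(r"[0-9a-f]+", rest):
                return algo, rest
    return None


def parse_size(text: str) -> int:
    """'342B' -> 342, '1.5MB' -> 1572864 (the report's own rounded units, in bytes)."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip(), re.I)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(float(m.group(1)) * UNIT[m.group(2).upper()])


def parse_downloads(text: str) -> List[Dict]:
    """Parse the extracted Downloads list into {'path', 'size', 'hashes'} records."""
    entries: List[Dict] = []
    cur: Optional[Dict] = None
    size_pending = False  # set when a bare 'Filesize' line precedes its value
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur:
                entries.append(cur)
            cur, size_pending = {"path": None, "size": None, "hashes": {}}, False
            continue
        if cur is None:
            raise ValueError("entry data before the first '-' separator")
        if line == "Filesize":
            size_pending = True
        elif size_pending:
            cur["size"], size_pending = parse_size(line), False
        elif line.startswith("Filesize"):
            cur["size"] = parse_size(line[len("Filesize"):])
        else:
            parsed = split_hash_line(line)
            if parsed:
                cur["hashes"][parsed[0]] = parsed[1]
            elif cur["path"] is None and not cur["hashes"]:
                cur["path"] = line  # the optional path is the first line of an entry
            else:
                raise ValueError(f"unrecognised line: {line!r}")
    if cur:
        entries.append(cur)
    return entries


def incomplete(entries: List[Dict]) -> List[int]:
    """Indexes of entries that lack one of the four digests; re-check these before use."""
    return [i for i, e in enumerate(entries) if set(e["hashes"]) != set(HASH_LEN)]


def sha256_blocklist(entries: List[Dict]) -> List[str]:
    """Sorted, de-duplicated SHA256 values, the form most blocklists and lookups want."""
    return sorted({e["hashes"]["SHA256"] for e in entries if "SHA256" in e["hashes"]})


if __name__ == "__main__":
    for e in parse_downloads(SAMPLE):
        print(e["path"] or "(no path)", e["size"], e["hashes"]["SHA256"])
```

The parser is strict on purpose: an unrecognised line or a digest of the wrong length raises rather than being silently dropped, since a mangled hash that slips into a blocklist is worse than a parse failure you notice. Note that the same CryptnetUrlCache path appears twice on this page with different digests; the parser keeps both records, and the blocklist helper de-duplicates only identical SHA256 values.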