Malware Analysis Report

2025-08-05 23:22

Sample ID 250120-nsybqaxlas
Target JaffaCakes118_e60156f6d9a9642465da11d0915b43ad
SHA256 672d70ad03e526910432bcc74c21e184b33b1bedd80c6a29223f4e52175b78f1
Tags adware discovery stealer execution persistence
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral17, behavioral28, behavioral30, behavioral2, behavioral3, behavioral5, behavioral7, behavioral11, behavioral13, behavioral21, behavioral22, behavioral18, behavioral29, behavioral14, behavioral24, behavioral27, behavioral1, behavioral6, behavioral8, behavioral9, behavioral10, behavioral20, behavioral23, behavioral12, behavioral16, behavioral19, behavioral26, behavioral31, behavioral32, behavioral25, behavioral4, behavioral15 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 7/10

SHA256 672d70ad03e526910432bcc74c21e184b33b1bedd80c6a29223f4e52175b78f1

Threat Level: Shows suspicious behavior

The file JaffaCakes118_e60156f6d9a9642465da11d0915b43ad was found to show suspicious behavior.

Malicious Activity Summary

adware discovery stealer execution persistence

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Looks up external IP address via web service

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Unsigned PE

Browser Information Discovery

NSIS installer

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies registry class

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Modifies Internet Explorer start page

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-20 11:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral17

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe"

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\ = "iFunWebHookIE Type Library for IE Integration" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s /i "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:48

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\iWinGames.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14} C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID\ = "iWinTrusted.CoiWinTrusted.1" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A} C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0 C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalService = "iWinTrusted" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\ = "iWinTrusted 1.1 Type Library" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\ = "iFunWebHookIE Type Library for IE Integration" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1 C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14} C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ForseRemove C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID\ = "iWinTrusted.CoiWinTrusted" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0 C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted Class" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\ = "iWinTrusted Class" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer\ = "iWinTrusted.CoiWinTrusted.1" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinTrusted.exe\" /server" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinTrusted.exe" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3172 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 3172 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 3172 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 3172 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 3172 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 3172 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2228 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2228 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2228 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3172 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 3172 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 3172 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 4968 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 4968 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 4968 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe

Processes

C:\Users\Admin\AppData\Local\Temp\iWinGames.exe

"C:\Users\Admin\AppData\Local\Temp\iWinGames.exe"

C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe

"C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -install

C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s /i "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"

C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe

"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" StartProcessNoWait "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" "-install"

C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe

"C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -install

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f4 0x494

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 update.iwin.com udp
US 52.22.60.172:80 update.iwin.com tcp
US 8.8.8.8:53 gm.iwin.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.60.22.52.in-addr.arpa udp
US 52.22.60.172:80 gm.iwin.com tcp
US 8.8.8.8:53 gm.iwin.com udp
US 3.212.86.116:80 gm.iwin.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 116.86.212.3.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 45.89.16.2.in-addr.arpa udp

Files

memory/3172-0-0x0000000000400000-0x0000000000FCD000-memory.dmp

memory/3172-1-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

memory/4584-2-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4584-3-0x0000000000590000-0x0000000000592000-memory.dmp

memory/4584-5-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4968-6-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4968-10-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3960-12-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3172-16-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

memory/3172-17-0x0000000000400000-0x0000000000FCD000-memory.dmp

memory/3172-23-0x0000000000400000-0x0000000000FCD000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:48

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\ = "iFunWebHookIE Type Library for IE Integration" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3640 wrote to memory of 856 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3640 wrote to memory of 856 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3640 wrote to memory of 856 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 218.158.40.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 120.218.122.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:45

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\firefox\iWinArcadeLauncher.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\alert32x32.gif | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\iwin_logo.gif | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File opened for modification | C:\Program Files (x86)\iWin Games\ftdownload.dat | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\iWinGames.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\offline.html | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\sounds\animation.wav | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\arcadeCheck.js | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\maintenance.html | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\terrie404.gif | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\AdminWorker.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\iWinInfo.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\firefox\chrome.manifest | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\offline.css | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\sounds\slideout.wav | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\WebInstaller.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\WebUpdater.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\firefox\install.rdf | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\firefox\version | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\blank2.html | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\offline_tag.gif | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\host.cfg | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\firefox\chrome\iwinarcade.jar | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\error.html | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\login.html | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\offline.jpg | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\orange-im-connected-60.gif | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\sounds\start.wav | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\blank.html | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\offlineBg.gif | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\test.html | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\sounds\animationBack.wav | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\sounds\button_click.wav | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\sounds\download_completed.wav | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\sounds\slidebackin.wav | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\ftdownload.dat | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\WebUpdater.bmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
File created | C:\Program Files (x86)\iWin Games\pages\error404.css | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\WebInstaller.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\WebInstaller.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\iwintoolbar.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\Programmable | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32\ = "C:\\Program Files (x86)\\iWin Games\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\ = "{511FEB59-57D5-4B0C-AE92-ABBA854413AF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID\ = "iWinSuppot.iWinSuppot.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ = "C:\\Program Files (x86)\\iWin Games\\iWinInfo.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\ = "iWinTrusted Class" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted Class" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0 | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ = "IiWinInformer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iwin | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\VersionIndependentProgID\ = "iWinSuppot.iWinSuppot" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32\ = "C:\\Program Files (x86)\\iWin Games\\iWinTrusted.exe" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalService = "iWinTrusted" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\iWin Games\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\ = "iWinSuppot Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\ = "iFunWebHookIE Type Library for IE Integration" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Program Files (x86)\\iWin Games\\iWinTrusted.exe\" /server" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\ = "{511FEB59-57D5-4B0C-AE92-ABBA854413AF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A
N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2940 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe
PID 2940 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe
PID 2940 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe
PID 2940 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 2940 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 2940 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 2940 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 2940 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 2940 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 2940 wrote to memory of 3228 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 2940 wrote to memory of 3228 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 2940 wrote to memory of 3228 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 2940 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 2940 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 2940 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 3488 wrote to memory of 3416 | N/A | C:\Program Files (x86)\iWin Games\WebInstaller.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3488 wrote to memory of 3416 | N/A | C:\Program Files (x86)\iWin Games\WebInstaller.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3488 wrote to memory of 3416 | N/A | C:\Program Files (x86)\iWin Games\WebInstaller.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2940 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2940 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2940 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2940 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\iwintoolbar.exe
PID 2940 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\iwintoolbar.exe
PID 2940 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\iwintoolbar.exe
PID 2940 wrote to memory of 4352 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\iWinGames.exe
PID 2940 wrote to memory of 4352 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\iWinGames.exe
PID 2940 wrote to memory of 4352 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | C:\Program Files (x86)\iWin Games\iWinGames.exe
PID 4352 wrote to memory of 3484 | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 4352 wrote to memory of 3484 | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 4352 wrote to memory of 3484 | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 4352 wrote to memory of 3632 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 4352 wrote to memory of 3632 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 4352 wrote to memory of 3632 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 3632 wrote to memory of 2716 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3632 wrote to memory of 2716 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3632 wrote to memory of 2716 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4352 wrote to memory of 4484 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 4352 wrote to memory of 4484 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 4352 wrote to memory of 4484 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 4484 wrote to memory of 4200 N/A C:\Program Files (x86)\iWin Games\AdminWorker.exe C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 4484 wrote to memory of 4200 N/A C:\Program Files (x86)\iWin Games\AdminWorker.exe C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 4484 wrote to memory of 4200 N/A C:\Program Files (x86)\iWin Games\AdminWorker.exe C:\Program Files (x86)\iWin Games\iWinTrusted.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe"

C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe

"C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe"

C:\Program Files (x86)\iWin Games\AdminWorker.exe

"C:\Program Files (x86)\iWin Games\AdminWorker.exe" AddArcadeToFireWallExceptions

C:\Program Files (x86)\iWin Games\AdminWorker.exe

"C:\Program Files (x86)\iWin Games\AdminWorker.exe" restoreShortcutsPathes

C:\Program Files (x86)\iWin Games\iWinTrusted.exe

"C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install

C:\Program Files (x86)\iWin Games\WebInstaller.exe

"C:\Program Files (x86)\iWin Games\WebInstaller.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\iWin Games\iWinInfo.dll"

C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\iwintoolbar.exe

iwintoolbar.exe

C:\Program Files (x86)\iWin Games\iWinGames.exe

"C:\Program Files (x86)\iWin Games\iWinGames.exe"

C:\Program Files (x86)\iWin Games\iWinTrusted.exe

"C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install

C:\Program Files (x86)\iWin Games\WebInstaller.exe

"C:\Program Files (x86)\iWin Games\WebInstaller.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"

C:\Program Files (x86)\iWin Games\AdminWorker.exe

"C:\Program Files (x86)\iWin Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" "-install"

C:\Program Files (x86)\iWin Games\iWinTrusted.exe

"C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2f8 0x518

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.iwin.com udp
US 34.206.121.130:80 www.iwin.com tcp
US 34.206.121.130:443 www.iwin.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 ocsp.r2m03.amazontrust.com udp
FR 3.162.33.170:80 ocsp.r2m03.amazontrust.com tcp
US 8.8.8.8:53 img.iwin.com udp
US 8.8.8.8:53 130.121.206.34.in-addr.arpa udp
US 8.8.8.8:53 109.193.84.52.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 218.158.40.23.in-addr.arpa udp
US 8.8.8.8:53 170.33.162.3.in-addr.arpa udp
FR 13.32.145.54:80 img.iwin.com tcp
US 8.8.8.8:53 54.145.32.13.in-addr.arpa udp
US 8.8.8.8:53 update.iwin.com udp
US 54.145.41.76:80 update.iwin.com tcp
US 8.8.8.8:53 gm.iwin.com udp
US 54.145.41.76:80 gm.iwin.com tcp
US 8.8.8.8:53 76.41.145.54.in-addr.arpa udp
US 54.145.41.76:80 gm.iwin.com tcp
US 8.8.8.8:53 gm.iwin.com udp
US 54.145.41.76:80 gm.iwin.com tcp
US 52.22.60.172:80 gm.iwin.com tcp
US 8.8.8.8:53 172.60.22.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\System.dll

MD5 4c0c6163b636f627e0d505deda672c90
SHA1 2eae4e6f00673a03ae2434f1b22dc9218e4761a8
SHA256 bea71368433f91e32c597db990089ecb7599879f76a64f7f3446489578b2d5fb
SHA512 e817ad35f0e89ecce9d73add641d9eab95de6c6c30153e594673c8e0243e738a31dfb872cc76a8d51bc513775fc1dabc9adb65019298048539d6c3aa7d33e2ef

C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\nsExec.dll

MD5 0eaa468e975017262a246e03e23b3172
SHA1 17064408bd1c2fe2a6aa8588fba7d34018f94241
SHA256 2a0b28de70575228c2bf63f0d3c4073904e2c854427c006f187532f1d0349bd6
SHA512 e5946258c126fb0a6657d862931b6c965bfd899a499f023ee3626f62039acdbf844f495c714eaaae47c08de4d8b668377e23f7b5632c0b9d83391aaf08378de7

C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe

MD5 ec08c1c867ded8f5221aefb969b161c1
SHA1 839866cc28b401d1d3f0f07aa8f13803f56b496a
SHA256 f3bd166834e626631abe30c2353dd1c015d8b9cf6b63cf94164478e6cbf3c0be
SHA512 34c35aab50e9207bdb50cb619c0882b585577b46cdd23710663dcfeceaca8b7c4248e082ad28c2718201225c42d0ad559ebd0ebe904a588d324d50d44774a7a7

C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\ftdownload.dat

MD5 e45db6ebc4de21e77ddd6ac9a7735dc7
SHA1 2230443ffa9c45016b17aaaf05492e155032d8b5
SHA256 9af15500af37d4bba70bf38ed1100eb81553f6a6171d8dba84c1eb8cfc6fc2f9
SHA512 95078c3ee3abd00e97d99cb93f554c51ba935d21e5884e35c045e06c77474e45610ff43740bc5d6eadfd1a7ca2cec9967bb04bbc344158660ad3e8ddb2d70945

C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\gametitle.txt

MD5 09413be548245a232bf1857a0c94524b
SHA1 367cae47d819a19202c30a801d05b3114f02bcb9
SHA256 cb60483845cf9bced83019d3825d76fc6d1c2cea8430c2d3d33a0a926d5a5073
SHA512 953c3fb3ebebfec1856454b423154c425986af4eecf3ffd741639ea4c4be9d47dc9663b73683171b68db753abb1219241a8082cdf40e915a2411c38e755bccf7

C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\tn_feat.bmp

MD5 1da2c13d7f658d4dbda4cd08933cba0d
SHA1 55447016919661e7f86dee62f620a3640dcf31c0
SHA256 61ba87f145a9edd68a2d6a7f1f8b840f992f00827bb7a8f86aad728d7d8969c4
SHA512 9c770ac6757904d6c81e7f6cc18f97acb3ed4379975b6981744b339b959ab906699a4f53c4d5300047abfda333b6cbda48c884da76dae8cd4d3b93415686f05d

C:\Program Files (x86)\iWin Games\iWinGames.exe

MD5 4851958fad503e3467be9b047517e4d3
SHA1 95d09a8bae10756fe41739336f5768dc14d27dd9
SHA256 2c8e819d3cfec79cce6fa9ecc2402a7bdc1839c6af98505e38215318f511ed28
SHA512 7bb53990f50512fc1550b91789fc7b3190fb0cdba9bca068f49579d162d46782895d1d518de00e7f95e82823d1f855670492d5dde057b44720bae71d85f063d1

C:\Program Files (x86)\iWin Games\AdminWorker.exe

MD5 4c0f8f3cf26f0396ead85a2356807c3c
SHA1 ce72ae607bf5bc4b3eeb7494e2e1bd4ebcbb69ff
SHA256 b024f78e61fbb1e26c844a35cbe1c49c34a36af3ec1fff6528e5539c30b7132e
SHA512 574d76ef6cc7f705ee084faa8900bad77fb93732b37732e4d9e9bc66585690d623dff51921b0918904600da27fa607938fdca6fdc42733c73e6a94fd6adc3240

memory/3672-84-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3672-86-0x0000000000490000-0x0000000000492000-memory.dmp

C:\Program Files (x86)\iWin Games\WebUpdater.exe

MD5 3287302f72a0011d9460da21c7b37ae1
SHA1 e7430de4d6a8bbd2b79a80ec75b09240aef74cae
SHA256 dca222382828a4e2a3c9dbe03dc637b704ea3b9e078595e3e18980a1fe3daa23
SHA512 835b401a6952ba9d176fa531bd250925488b0464e64627003dbd0f791fe77b3951909296ebfb702e8d3ca045f801c98db043446d49642d77fb21d11fa5b0811d

memory/3672-89-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2244-91-0x00000000005B0000-0x00000000005B2000-memory.dmp

memory/2244-93-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Program Files (x86)\iWin Games\iWinTrusted.exe

MD5 dc2c60e7d42d67a560918f8e497a0980
SHA1 55efe25e33e660d0284c73517a37d019777488c0
SHA256 b79f06804168a096ee499fed0dcdf0b73a4ce742b455d5de0059d2ec7e1bb89f
SHA512 e7c4e53ee45f5d1030c2c361194457e3e3a4009f2e356c687aaf299872a9c1388f2a86c8f5b69e68c64353ae5286c9dd411da218dd0fd20ff2f5d16219a83474

memory/3228-96-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3228-98-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Program Files (x86)\iWin Games\WebInstaller.exe

MD5 68f57e85a24b56f8ef8147594d36cdce
SHA1 5a0a2df45c1d3a9ebed83eae74bbd1c13ad5d053
SHA256 5c8c6afa74f03fb0d2ac31cb9cf19077211dd5c08c0166881893efb7d2a3977f
SHA512 7ecfb670e4d3672413d9274cf7ebd888d007ba09d6c2dd24f88175817663d0b67064603f1e011fa2cdaf7a160dce62c2502516dd29c4a28b8686315bea0cb042

C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll

MD5 f841c2d5f930cf4ae834b67a9eba5809
SHA1 50d550e3d9ea5585148f644f12e33d113dd303e8
SHA256 9b22d81b76219c30914dbf93f431cf72a6dc071a34fda46c4534a24eb6ca43c7
SHA512 ee5f53e67826dd6542b39e5808c6bcfc4b5ddb09ef566de7167c57e7ebfe1a4dd915bb3ab6c7c6693b0b3b499dd35ca6c16f782fc11ea4262f4955a08e206702

C:\Program Files (x86)\iWin Games\iWinInfo.dll

MD5 067b2c0a3d6b801fc8c9bcce8411dfd1
SHA1 ff26f2c84a6c256b2959c9482f45524a9ab06781
SHA256 1e692ee7bbd08d0862055a4bf69647c8022385706bf3b07462f28de9d1a6cf7d
SHA512 8b7e372c3a15d27cbf449b51ced7485b40f687cb7429a0765f4cc6ff2a8f67ace2b0594662183b5a0292f1b46873694d9b8e2208f56d542cac5cddabfdb8e3b3

C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\IwinToolbar.exe

MD5 2977804931e9cf61cf86d1d0d0d7eb3e
SHA1 3e96c8baa8d6ebeb8deb021a453adc02b4f7a288
SHA256 c79f67e60d4d9d8e3446bcf804b9f78fc7a52a994a47383c1aff9a7b58790979
SHA512 4004e12a59d175d7d88c7e6cd8ddddc78ee787ca0f82b63ee63d1e271d828655aa10c2d8463928a9db1fcf13308572c55d407194baa941f9162d6d08a5a47b14

memory/1772-111-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1772-112-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4352-120-0x0000000000400000-0x0000000000FCD000-memory.dmp

C:\Program Files (x86)\iWin Games\host.cfg

MD5 48219b846f8111f0064fd38788b9ab98
SHA1 542cb5f93dbf610f28d6c66fca0a49da0076d31d
SHA256 38d321b4d09d2d0192d11d7356ebd2f94d413661b126b7494b223a57b04084de
SHA512 50ac1b46f6eb79bcad7c20927a95b734fb9b7a7e5d5a0927264fbeba82c9374cfd6437149f9cc43cfe50bfac52cc2948fae20074385ea0e4530841436b5120ad

C:\Program Files (x86)\iWin Games\firefox\version

MD5 c314a4674d7e2d0d0df34fb27a0983d8
SHA1 56b9cdb1f345be8212ffa03722d792edf09b55fa
SHA256 2e8516fe8eade72d519ce204c2c296bf838589585c14d28170e1621bd10e4dc4
SHA512 1d25fa966a36fe0d12a0f58b1a94bb0b9787738b321d79aa8db9934a494a412117273cad836a37ef3ff44540441e3e343c8260a28e8883581a9def37ad0e5b60

memory/3484-127-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3484-130-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4484-135-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4200-136-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4200-138-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Program Files (x86)\iWin Games\pages\blank.html

MD5 f8ab4f67022399715ff3e862f59bd27e
SHA1 2606eca361d217990708bb1714e6de2d0bb21584
SHA256 3db213886c1a831f8c1867c367cf46ffc84065ce5831b04eb398837abcfd6965
SHA512 9bd33cd117228af88aef403472edf669a12aa4ec68fdc4cd168e1c6ad8aaa63e12278475583268aeff37609eef5b3118747f8be9792ca6cc59ded647dac86ad5

C:\Program Files (x86)\iWin Games\pages\iwin_logo.gif

MD5 0dc284616d7449d447d4d5a9ac2a230b
SHA1 377a3077c320f639c8e58b50aab55725f2bb6e34
SHA256 1a75196360b1ce49017e0dac6fb29797e1a947085e6f5dcf03a37747b51e83a1
SHA512 044a70e9a448ea2f4ef0a8971420a230aaebf3cd1c4e896d1dcc1c52a20f94e48d0a59484077c2ff1bd2e4cb23b6fad041b87e1ea06a43e768b96b372d2955c9

C:\Program Files (x86)\iWin Games\pages\blank2.html

MD5 90b42fd8e93203218847a3c0a646d377
SHA1 0d485e2de867448e4853031d5714942128d92983
SHA256 aec450600b1ea9c5cd12a92ff9764092434c2cca7e56c10c7b11a63a13209c5f
SHA512 de8ab5192fbb9e1df4f1baa7436f2d21cbb94f921931d502aed87049b46affe2dba1929ef48b528f114722cff7c797d381070b35884f7bea18813df355b0ffab

C:\Program Files (x86)\iWin Games\sounds\animation.wav

MD5 3ef7618619348fbbeca7b0f772be7e5c
SHA1 d86829f29c8f22c2d3562269b3d2f0c3b822ad0c
SHA256 d361e7b9d8d6e1e3c2b4977f53a06a363183b74796b27cbba2d0277a7e19a872
SHA512 b7c339678b214ff57594f02f2953ec762584f8b31644b1f63ac55586423fd34a7afae9c3d208db7caaab6e30bcb806cc9720cdb34c58f466aabad547d3263376

C:\Program Files (x86)\iWin Games\sounds\start.wav

MD5 94ab5e493c7fd8358c9a893d0a108d5f
SHA1 5dd41e775bb246ee33cbbb6bbf1a4a6b65da1173
SHA256 54e995d1600802e1dccb785ba3ea20d14c85b54e70c397d48074135f2c731b4a
SHA512 f95197a3f28d57c77ad4f40346d941ce075e83bec79531eb7000b981f9587f0ccbe962edb11390c4a122386666e0665f1572091489338760a2dcd2bba0113164

memory/4352-153-0x0000000000400000-0x0000000000FCD000-memory.dmp

memory/4352-159-0x0000000000400000-0x0000000000FCD000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20240903-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = … C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = … C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = … C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = … C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = … C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.iwin.com udp
US 18.210.70.237:80 www.iwin.com tcp
US 18.210.70.237:443 www.iwin.com tcp
US 8.8.8.8:53 crt.rootg2.amazontrust.com udp
FR 3.164.163.127:80 crt.rootg2.amazontrust.com tcp
US 8.8.8.8:53 ocsp.r2m03.amazontrust.com udp
FR 18.245.196.26:80 ocsp.r2m03.amazontrust.com tcp
US 8.8.8.8:53 img.iwin.com udp
FR 13.32.145.87:80 img.iwin.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
FR 92.122.218.16:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
FR 23.57.4.240:80 www.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabAFA2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarAFC4.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 602251d3109a9d5051c3eca81b64c50d
SHA1 cfeffa97d51d8094e7a2cf6c73b2a013c5694723
SHA256 6ceec25c5ab42306037835493b492cabcfe28f4af45e5b8fce09410ddbb0dc7a
SHA512 fd669209685fd6b3e6b2bc11cc91a7688cf8912374027930ecb07b2d3e118169a36fc529e53b6b5527d803112d676ee21a135b5aa92b36528de6a139ce026b46

Analysis: behavioral5

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20241010-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe"

Network

N/A

Files

memory/1156-1-0x0000000000020000-0x0000000000022000-memory.dmp

memory/1156-0-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1156-2-0x0000000000400000-0x0000000000462000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20240708-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 224

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20240903-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 224

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20240729-en

Max time kernel

63s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe

"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe"

Network

N/A

Files

memory/1172-0-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1172-1-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/1172-2-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\iwa-ovr.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\iwa-ovr.js

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\iwa-ovr.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\iwa-ovr.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 218.158.40.23.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:45

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe"

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\ = "iFunWebHookIE Type Library for IE Integration" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2716 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2716 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s /i "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20240903-en

Max time kernel

119s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\ = "iFunWebHookIE Type Library for IE Integration" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:45

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe

"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 218.158.40.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 114.218.122.92.in-addr.arpa udp
US 8.8.8.8:53 45.89.16.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4768-0-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4768-1-0x00000000006F0000-0x00000000006F2000-memory.dmp

memory/4768-3-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\iwinarcade.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\iwinarcade.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 45.89.16.2.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.17.178.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20241010-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\iWinGames.exe"

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} C:\Windows\SysWOW64\regsvr32.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com\NumberOfSubdomains = "1" C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalService = "iWinTrusted" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14} C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\ = "iWinTrusted Class" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID\ = "iWinTrusted.CoiWinTrusted.1" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0 C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14} C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer\ = "iWinTrusted.CoiWinTrusted.1" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID\ = "iWinTrusted.CoiWinTrusted" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\Programmable C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A} C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\ = "iFunWebHookIE Type Library for IE Integration" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\ = "iWinTrusted 1.1 Type Library" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ForseRemove C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted Class" C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 2700 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 2700 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 2700 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 2700 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2700 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2700 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2700 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2700 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2700 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2700 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2952 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2952 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2952 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2952 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2952 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2952 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2952 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2700 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2700 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2700 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2700 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2868 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 2868 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 2868 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 2868 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe

Processes

C:\Users\Admin\AppData\Local\Temp\iWinGames.exe

"C:\Users\Admin\AppData\Local\Temp\iWinGames.exe"

C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe

"C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -install

C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s /i "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"

C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe

"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" StartProcessNoWait "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" "-install"

C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe

"C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -install

Network

Country Destination Domain Proto
US 8.8.8.8:53 update.iwin.com udp
US 8.8.8.8:53 gm.iwin.com udp
US 54.145.41.76:80 gm.iwin.com tcp
US 54.145.41.76:80 gm.iwin.com tcp
US 8.8.8.8:53 gm.iwin.com udp
US 3.212.86.116:80 gm.iwin.com tcp
US 8.8.8.8:53 static.iwincdn.com udp
US 8.8.8.8:53 connect.facebook.net udp
FR 13.32.145.79:80 static.iwincdn.com tcp
FR 13.32.145.79:80 static.iwincdn.com tcp
GB 216.58.204.72:80 www.googletagmanager.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
GB 142.250.178.3:80 o.pki.goog tcp
DE 157.240.253.1:80 connect.facebook.net tcp
DE 157.240.253.1:443 connect.facebook.net tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
FR 23.57.4.240:80 www.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.146:80 crl.microsoft.com tcp

Files

memory/2700-0-0x0000000000400000-0x0000000000FCD000-memory.dmp

memory/2700-1-0x0000000000230000-0x0000000000232000-memory.dmp

memory/2700-2-0x0000000002B40000-0x0000000002B50000-memory.dmp

memory/2700-3-0x00000000030F0000-0x0000000003123000-memory.dmp

memory/2700-4-0x00000000030F0000-0x0000000003123000-memory.dmp

memory/2700-5-0x00000000030F0000-0x0000000003123000-memory.dmp

memory/2792-6-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2792-7-0x0000000000230000-0x0000000000232000-memory.dmp

memory/2792-9-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2700-10-0x00000000040D0000-0x0000000004109000-memory.dmp

memory/2700-11-0x00000000040D0000-0x0000000004109000-memory.dmp

memory/2868-12-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2868-14-0x0000000000400000-0x0000000000439000-memory.dmp

memory/468-15-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\1356VOHZ.htm

MD5 dd387b050a4bf3eae73f9741dcc91412
SHA1 8b8afc9628bdd823ae137c7ac08165ab1331a446
SHA256 0af4b1ed4f5181903476d2d3ddcdd8426f540b8ef7cf690e44c857ec5cd7bdda
SHA512 624d72050074fdee4a3c56ed5af230e3f668b83def795518813aab2df674014b35fdd2bae62239ae0ec7dade0ceedc37d4c502f18a90dcabcea473ef3ca12972

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K0PVW9XR\polyfills[1].js

MD5 04b96b5f357a07c6675daaeffcf55074
SHA1 8ed411a804b9cdccdc12caaea070911ca324f13f
SHA256 a0757d0ce2b9c57b119aa3fc447ab0d2049d6a963c42db7c625189e5c90fed9a
SHA512 647925a5f1d7c0c0151a4ebcde56efa80e89d5632d8c371ee0b1ec807ca8d26839a8f154a716e599fe0f2ddaae7c45452e437c2fdcaa1c723078675a279453e2

C:\Users\Admin\AppData\Local\Temp\Cab540B.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar54E9.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K0PVW9XR\core-standard[1].js

MD5 2b50ac1e90a98cdb82d4ae5becb0221c
SHA1 665df17df710296f9576bdc90b18640c28c94680
SHA256 3aa33e1c6608b54c59d8ada00e8a1b7d5c122d699ec0fc37fdd97a02d42134f5
SHA512 5370c60717ade00568ed271c3f77c02bd946686c943d9a64587bfeef0767f0c9d43babff3cd5a72976123e7e477fae91283a1799fba58481bd43f4d8d0e8f6a4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUUZQMCA\header[1].js

MD5 04c832663ef2c497c27975760b988a6e
SHA1 21475d2e59bfc306d5f9eb319e9c1405bb4f571d
SHA256 f24f6fe2a459a9f1766028e1cef53182a3304240c2c2b7b475ac9d2e11813b18
SHA512 a0bed83e3d4880b0ff2321321d745c11f0e11f08a21090b6a3e0781f41ead7a2e5b4267e8e99ebed1783e294c1a7ac0b466d23841df7a673e6e97813fa1275b1

memory/2700-122-0x0000000000400000-0x0000000000FCD000-memory.dmp

memory/2700-127-0x0000000000400000-0x0000000000FCD000-memory.dmp

memory/2700-129-0x0000000002B40000-0x0000000002B50000-memory.dmp

memory/2700-130-0x00000000030F0000-0x0000000003123000-memory.dmp

memory/2700-131-0x00000000030F0000-0x0000000003123000-memory.dmp

memory/2700-132-0x00000000040D0000-0x0000000004109000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20240903-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
N/A N/A C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
N/A N/A C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
N/A N/A C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
N/A N/A C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
N/A N/A C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
N/A N/A C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
N/A N/A C:\Program Files (x86)\iWin Games\iWinGames.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} C:\Windows\SysWOW64\regsvr32.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\iWin Games\firefox\chrome.manifest C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\maintenance.html C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\offline.html C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\WebUpdater.bmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\WebUpdater.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\host.cfg C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\offlineBg.gif C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\login.html C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\offline.css C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\sounds\animationBack.wav C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\sounds\slidebackin.wav C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\sounds\slideout.wav C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\firefox\version C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\blank2.html C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\iwin_logo.gif C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\sounds\start.wav C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\firefox\chrome\iwinarcade.jar C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\orange-im-connected-60.gif C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\sounds\animation.wav C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\iWinTrusted.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\arcadeCheck.js C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\offline_tag.gif C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\test.html C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\iWinInfo.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\error.html C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\offline.jpg C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\error404.css C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\ftdownload.dat C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\firefox\iWinArcadeLauncher.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\firefox\install.rdf C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\blank.html C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\terrie404.gif C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\sounds\button_click.wav C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\sounds\download_completed.wav C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
File created C:\Program Files (x86)\iWin Games\pages\alert32x32.gif C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\iWin Games\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\iWin Games\WebInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\iWin Games\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\iWin Games\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\iwintoolbar.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\iWin Games\WebInstaller.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com\NumberOfSubdomains = "1" C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\iWin Games\iWinGames.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer\ = "iWinTrusted.CoiWinTrusted.1" C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID\ = "iWinTrusted.CoiWinTrusted.1" C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0 C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ = "C:\\Program Files (x86)\\iWin Games\\iWinGamesHookIE.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\VersionIndependentProgID\ = "iWinSuppot.iWinSuppot" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iwin\shell\open\command C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iwin\shell\open\command\ = "\"C:\\Program Files (x86)\\iWin Games\\iWinGames.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID\ = "iWinSuppot.iWinSuppot.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iwin\URL Protocol C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ = "iWinSuppot Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0 C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\iWin Games\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1 C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Program Files (x86)\\iWin Games\\iWinTrusted.exe\" /server" C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID\ = "{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ = "C:\\Program Files (x86)\\iWin Games\\iWinInfo.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ = "IiWinInformer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class" C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted" C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID\ = "iWinTrusted.CoiWinTrusted" C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 C:\Program Files (x86)\iWin Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\ = "iWinSuppot Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob data not included in this report copy] C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = [blob data not included in this report copy] C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob data not included in this report copy] C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob data not included in this report copy] C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280 C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [blob data not included in this report copy] C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Program Files (x86)\iWin Games\iWinGames.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Program Files (x86)\iWin Games\iWinGames.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\iWin Games\iWinGames.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe
PID 2428 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe
PID 2428 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe
PID 2428 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe
PID 2428 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe
PID 2428 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe
PID 2428 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe
PID 2428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 2428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 2428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 2428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 2428 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 2428 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 2428 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 2428 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\AdminWorker.exe
PID 2428 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 2428 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 2428 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 2428 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 2428 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 2428 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 2428 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 2428 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 2428 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 2428 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 2428 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 696 wrote to memory of 972 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 696 wrote to memory of 972 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 696 wrote to memory of 972 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 696 wrote to memory of 972 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 696 wrote to memory of 972 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 696 wrote to memory of 972 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 696 wrote to memory of 972 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2428 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2428 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2428 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2428 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2428 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2428 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2428 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2428 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\iwintoolbar.exe
PID 2428 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\iwintoolbar.exe
PID 2428 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\iwintoolbar.exe
PID 2428 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\iwintoolbar.exe
PID 2428 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\iWinGames.exe
PID 2428 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\iWinGames.exe
PID 2428 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\iWinGames.exe
PID 2428 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe C:\Program Files (x86)\iWin Games\iWinGames.exe
PID 2096 wrote to memory of 2904 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 2096 wrote to memory of 2904 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 2096 wrote to memory of 2904 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 2096 wrote to memory of 2904 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\iWinTrusted.exe
PID 2096 wrote to memory of 1596 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 2096 wrote to memory of 1596 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 2096 wrote to memory of 1596 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 2096 wrote to memory of 1596 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 2096 wrote to memory of 1596 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 2096 wrote to memory of 1596 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 2096 wrote to memory of 1596 N/A C:\Program Files (x86)\iWin Games\iWinGames.exe C:\Program Files (x86)\iWin Games\WebInstaller.exe
PID 1596 wrote to memory of 1644 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1596 wrote to memory of 1644 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1596 wrote to memory of 1644 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1596 wrote to memory of 1644 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1596 wrote to memory of 1644 N/A C:\Program Files (x86)\iWin Games\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe"

C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe

"C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe"

C:\Program Files (x86)\iWin Games\AdminWorker.exe

"C:\Program Files (x86)\iWin Games\AdminWorker.exe" AddArcadeToFireWallExceptions

C:\Program Files (x86)\iWin Games\AdminWorker.exe

"C:\Program Files (x86)\iWin Games\AdminWorker.exe" restoreShortcutsPathes

C:\Program Files (x86)\iWin Games\iWinTrusted.exe

"C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install

C:\Program Files (x86)\iWin Games\WebInstaller.exe

"C:\Program Files (x86)\iWin Games\WebInstaller.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\iWin Games\iWinInfo.dll"

C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\iwintoolbar.exe

iwintoolbar.exe

C:\Program Files (x86)\iWin Games\iWinGames.exe

"C:\Program Files (x86)\iWin Games\iWinGames.exe"

C:\Program Files (x86)\iWin Games\iWinTrusted.exe

"C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install

C:\Program Files (x86)\iWin Games\WebInstaller.exe

"C:\Program Files (x86)\iWin Games\WebInstaller.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"

C:\Program Files (x86)\iWin Games\AdminWorker.exe

"C:\Program Files (x86)\iWin Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" "-install"

C:\Program Files (x86)\iWin Games\iWinTrusted.exe

"C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.iwin.com udp
US 34.206.121.130:80 www.iwin.com tcp
US 34.206.121.130:443 www.iwin.com tcp
US 8.8.8.8:53 crt.rootg2.amazontrust.com udp
FR 3.164.163.90:80 crt.rootg2.amazontrust.com tcp
US 8.8.8.8:53 ocsp.r2m03.amazontrust.com udp
FR 18.245.196.26:80 ocsp.r2m03.amazontrust.com tcp
US 8.8.8.8:53 img.iwin.com udp
FR 13.32.145.87:80 img.iwin.com tcp
US 8.8.8.8:53 update.iwin.com udp
US 8.8.8.8:53 gm.iwin.com udp
US 3.212.86.116:80 gm.iwin.com tcp
US 3.212.86.116:80 gm.iwin.com tcp
US 8.8.8.8:53 gm.iwin.com udp
US 54.145.41.76:80 gm.iwin.com tcp
US 3.212.86.116:80 gm.iwin.com tcp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 static.iwincdn.com udp
FR 13.32.145.79:80 static.iwincdn.com tcp
FR 13.32.145.79:80 static.iwincdn.com tcp
DE 157.240.253.1:80 connect.facebook.net tcp
GB 216.58.204.72:80 www.googletagmanager.com tcp
DE 157.240.253.1:443 connect.facebook.net tcp
US 8.8.8.8:53 download.iwincdn.com udp
FR 52.84.174.125:80 download.iwincdn.com tcp
US 3.212.86.116:80 gm.iwin.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
DE 157.240.253.1:443 connect.facebook.net tcp
US 8.8.8.8:53 ws.iwin.com udp
US 8.8.8.8:53 o.pki.goog udp
US 35.175.34.235:80 ws.iwin.com tcp
GB 142.250.178.3:80 o.pki.goog tcp
GB 142.250.178.3:80 o.pki.goog tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 35.175.34.235:80 ws.iwin.com tcp
FR 52.84.174.125:80 download.iwincdn.com tcp
FR 52.84.174.125:80 download.iwincdn.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.83:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\nst563C.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe

\Users\Admin\AppData\Local\Temp\nst563C.tmp\nsExec.dll

C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\ftdownload.dat

C:\Users\Admin\AppData\Local\Temp\Cab678B.tmp

C:\Users\Admin\AppData\Local\Temp\Tar679E.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\gametitle.txt

C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\tn_feat.bmp

memory/2428-208-0x0000000002960000-0x0000000002970000-memory.dmp

\Program Files (x86)\iWin Games\iWinGames.exe

memory/2428-220-0x0000000004480000-0x00000000044B9000-memory.dmp

\Program Files (x86)\iWin Games\AdminWorker.exe

memory/2668-223-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1140-232-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Program Files (x86)\iWin Games\iWinTrusted.exe

memory/2428-229-0x0000000004480000-0x00000000044B3000-memory.dmp

memory/2348-226-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1140-234-0x0000000000400000-0x0000000000433000-memory.dmp

\Program Files (x86)\iWin Games\WebInstaller.exe

\Program Files (x86)\iWin Games\iWinGamesHookIE.dll

C:\Program Files (x86)\iWin Games\iWinInfo.dll

memory/2428-247-0x0000000004480000-0x00000000044E2000-memory.dmp

\Users\Admin\AppData\Local\Temp\nst563C.tmp\IwinToolbar.exe

memory/1328-253-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2096-268-0x0000000000400000-0x0000000000FCD000-memory.dmp

C:\Program Files (x86)\iWin Games\host.cfg

memory/2096-273-0x0000000002CF0000-0x0000000002D00000-memory.dmp

memory/2096-279-0x00000000042D0000-0x0000000004303000-memory.dmp

memory/2096-278-0x00000000042D0000-0x0000000004303000-memory.dmp

memory/2096-277-0x00000000042D0000-0x0000000004303000-memory.dmp

memory/2904-287-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2904-283-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Program Files (x86)\iWin Games\firefox\version

memory/2096-295-0x00000000048B0000-0x00000000048E9000-memory.dmp

memory/2096-294-0x00000000048B0000-0x00000000048E9000-memory.dmp

memory/2096-293-0x00000000048B0000-0x00000000048E9000-memory.dmp

memory/2992-297-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2992-299-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2616-301-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2616-303-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Program Files (x86)\iWin Games\pages\blank.html

C:\Program Files (x86)\iWin Games\pages\iwin_logo.gif

C:\Program Files (x86)\iWin Games\pages\blank2.html

C:\Program Files (x86)\iWin Games\sounds\animation.wav

C:\Program Files (x86)\iWin Games\sounds\start.wav

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H22PPSSS.txt

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Program Files (x86)\iWin Games\sounds\button_click.wav

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\polyfills[1].js

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\core-standard[1].js

C:\Users\Admin\AppData\Local\Temp\iWinGames\Downloads\file_334011000125259428757.unk

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\header[1].js

C:\Program Files (x86)\iWin Games\sounds\animationBack.wav

memory/2096-426-0x0000000000400000-0x0000000000FCD000-memory.dmp

memory/2096-428-0x0000000000400000-0x0000000000FCD000-memory.dmp

memory/2096-431-0x0000000000400000-0x0000000000FCD000-memory.dmp

memory/2096-433-0x0000000002CF0000-0x0000000002D00000-memory.dmp

memory/2096-434-0x00000000042D0000-0x0000000004303000-memory.dmp

memory/2096-435-0x00000000042D0000-0x0000000004303000-memory.dmp

memory/2096-436-0x00000000048B0000-0x00000000048E9000-memory.dmp

memory/2096-438-0x00000000048B0000-0x00000000048E9000-memory.dmp

memory/2096-437-0x00000000048B0000-0x00000000048E9000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:45

Platform

win10v2004-20241007-en

Max time kernel

101s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe"

Network

Files

memory/1868-0-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1868-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/1868-2-0x0000000000400000-0x0000000000462000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:45

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1852 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1852 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1852 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 612

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20240903-en

Max time kernel

147s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf} C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\ C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf} C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf}\ C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\GLBSINST.%$D C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\iWin\UNWISE.EXE C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
File created C:\Program Files (x86)\iWin\~GLH0001.TMP C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
File opened for modification C:\Program Files (x86)\iWin\toolbar.cfg C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
File opened for modification C:\Program Files (x86)\iWin\iWinToolbarHelper.exe C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
File created C:\Program Files (x86)\iWin\~GLH0003.TMP C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
File created C:\Program Files (x86)\Conduit\Community Alerts\~GLH0004.TMP C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
File opened for modification C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
File created C:\Program Files (x86)\iWin\INSTALL.LOG C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
File created C:\Program Files (x86)\iWin\~GLH0000.TMP C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
File created C:\Program Files (x86)\iWin\~GLH0002.TMP C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
File opened for modification C:\Program Files (x86)\iWin\tbiWin.dll C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
File opened for modification C:\Program Files (x86)\iWin\INSTALL.LOG C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = b0dad21a306bdb01 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\DisplayName = "iWin Customized Web Search" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 504d8f2d306bdb01 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{ce0c2586-da36-452b-acdb-320d9bcb19bf} C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\URL = "http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1678857" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042ae0f9229ffb745817ac616c09cbfe9000000000200000000001066000000010000200000003d5c7b6bc64c4a663395d65b770825afe9b5d5d04791e5b392eb9459fe7a67be000000000e8000000002000020000000a398cf8f9731a74fe784209a1cc73ce6d729e77bf42eefd9cba3d9745e87eea920000000f617f4aab5a6bd4c6cf17588ed0f49fd46d7de520014793151c6c5308b83905d4000000045e9e342e1de965d6e28f72d44692b26951a661875dcbe6782ef703364006bb33dfe79990ec5031ec8e80e1bed7b7e4712bbf0486ea7d07922c266bccc309810 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443535093" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\{ce0c2586-da36-452b-acdb-320d9bcb19bf} C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001001600000001000000000700005e01000006000000010100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000086250cce36da2b45acdb320d9bcb19bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\User Preferences C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{afdbddaa-5d3f-42ee-b79c-185a7020515b}" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Enable Browser Extensions = "yes" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF} = 86250cce36da2b45acdb320d9bcb19bf C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\DisplayName = "iWin Customized Web Search" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042ae0f9229ffb745817ac616c09cbfe90000000002000000000010660000000100002000000011df7275f6f03db7491f281376726e3d3c8ac4095c9bbc291fd8814d4740e45d000000000e8000000002000020000000366a41e0f07c07be5bf236416e9f222b8749f07802b3cfd130fdbbf10f4783ca90000000e7b7b4c3795484b9adc863925f62b175652f8aaf2f159e1066092ff4670e071084195f46d1690a0f22809c37b736c11d5e38c24ee5af04524d1e7ef2b4757e76b4c101a88078d866e64221b46167e3bb9c2d8702d53ffcf11cfb10cb18f0b487db793d203baebf0b80a3e8fdc44662dae0d5a79a27c8fa742a8572b6428b7d9f0f0a8e630510c70e19827a2ddf44941b4000000003c77cbeab82967c515d1af29677b5388dda42df29b9c53de4ab4a366bf49350543231b882461d3116ca8a2cad3ab77e44965ff1924eb26b931a238dd6a39ce3 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{afdbddaa-5d3f-42ee-b79c-185a7020515b}" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Use Search Asst = "no" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\URLSearchHooks C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\URL = "http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1678857" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.conduit.com?SearchSource=10&ctid=CT1678857" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\ = "Conduit Community Alerts" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32\ = "C:\\Program Files (x86)\\Conduit\\Community Alerts\\Alert.dll" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\ = "iWin Toolbar" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\InprocServer32\ = "C:\\Program Files (x86)\\iWin\\tbiWin.dll" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF} C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\PROGRA~1\INTERN~1\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp
PID 2120 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp
PID 2120 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp
PID 2120 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp
PID 2120 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp
PID 2120 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp
PID 2120 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp
PID 788 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp C:\PROGRA~1\INTERN~1\iexplore.exe
PID 788 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp C:\PROGRA~1\INTERN~1\iexplore.exe
PID 788 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp C:\PROGRA~1\INTERN~1\iexplore.exe
PID 788 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp C:\PROGRA~1\INTERN~1\iexplore.exe
PID 2468 wrote to memory of 2644 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2468 wrote to memory of 2644 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2468 wrote to memory of 2644 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2468 wrote to memory of 2644 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2468 wrote to memory of 2644 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2468 wrote to memory of 2644 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2468 wrote to memory of 2644 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe"

C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp

C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp 4736 C:\Users\Admin\AppData\Local\Temp\$PLUGI~1\IWINTO~2.EXE

C:\PROGRA~1\INTERN~1\iexplore.exe

"C:\PROGRA~1\INTERN~1\iexplore.exe" http://iWin.OurToolbar.com/SetupFinish

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2468 CREDAT:275457 /prefetch:2

Network

Files

C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp

MD5 129809893b55085066d87b46f26c995a
SHA1 929a1826a14df6b51afa30827e6e0be812750524
SHA256 bf24083f39506d92458d4d1c3d3edf0f6fd76bc2e88f17b99d64d5f9e3da8c37
SHA512 69175e301e84cd57d19dc14386e0064372e4f62e46afe0b62cf6dfb7706d9e93fcc161b043ea6e83fc288e48f3761ad2dc8a4db21d64ea0a4d227dae4a2384a1

\Users\Admin\AppData\Local\Temp\GLCC63C.tmp

MD5 8c97d8bb1470c6498e47b12c5a03ce39
SHA1 15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7
SHA256 a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a
SHA512 7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

\PROGRA~2\iWin\UNWISE.EXE

MD5 973567b98cdfc147df4e60471d9df072
SHA1 3c4735750c99c63e6861170a8c459a608594211e
SHA256 69b9dd6160524e0eb44905224f5b1747dfce43243c00c11c87f5c2ec55102876
SHA512 e891e3a413691eddd895a31293117aec8d151ecf18f84d3aa73bc1c4eb95582df1dfe04d51b7011eb55b5e754e2240de4c6269f9547f3cab3519985da1e07294

C:\PROGRA~2\iWin\toolbar.cfg

MD5 db5e44981103b391040809f6e80886f5
SHA1 599d026c862449e4be99efaf0d7184558ed52157
SHA256 469fa324e20c314515f4b036bce0e4ad7eb2a5efb69d0cd30b2434a8a742a5c9
SHA512 e758bd98a29f7800425a96ab64bc1959b92f4144937bfa49b47e5382ee2324adbd8e2ae7e91ac53e2827afe3dad6f6e06b33a3eb907b7f706cf95a877dd78a8b

\PROGRA~2\iWin\IWINTO~1.EXE

MD5 75568ac665c46fcbcb1516b0ee4c88f8
SHA1 347174b695105f1d64321dafc3497bf1ad4cd4e6
SHA256 693bd052006f539de10122c189642d9d2ee959d622f48c583852ce86b689f370
SHA512 ca77f8eeebc1feed53c93ad6502dd8934d0b15b570baa6df9a2eb0d7797d7416f5a3666b2be8eddae4e8c0af210ce5f57701d22dd93085bcce998831160ad1b6

\PROGRA~2\iWin\tbiWin.dll

MD5 23ae0fe0e1c5e8e9e4bfc64563db9027
SHA1 7b15b45aea509952495f03be35706d1169968fd8
SHA256 10a757922df3e3fc104538ae76fa388c3696a63f220e2c72458b85ac4a16e135
SHA512 2f32eb91285cdfda24844926d07e66c73c6fa07037bf9b27c2fdb0bf93c2b37403a89d59210e4b03f86c022de324f00d29c631afc08d7477203bedaf1db8264c

memory/788-41-0x0000000003370000-0x0000000003525000-memory.dmp

memory/788-48-0x00000000023E0000-0x0000000002457000-memory.dmp

\Program Files (x86)\Conduit\Community Alerts\Alert.dll

MD5 73f03e72aee5a85545befa0dc7a90f82
SHA1 60fac1a13b251193c01a1e17137d27edff6e7c15
SHA256 3cfcdbf44c3332c3b47b48de28c721da09f910977c771f30216551ce5982d5fd
SHA512 dd489d7b57fca25707b8577d86958414ad343e8937a92624c03c0f51a920d749fddae146274da5f698cd00ae74abe56b15f71be54d353dfbbb4151fd9130fc1f

memory/2468-56-0x00000000026D0000-0x00000000026E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9A3.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarA42.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29181c8921d62f45cbdc1bbdcc422fcc
SHA1 a4bf8db3e0cd139300d58fae0eee1ae5cc4accbe
SHA256 39265cafc430cc7ea9cb582ca1518b1949ae94789d4a3790eba469513d508b97
SHA512 60eb81268a0736155efdc2c6b094330a1956b3cee1f8abff1bbf962bc24a1a671d3877daf9c61a41a67f0a8485aba678eba288d6c5f2cecde244b94ae8d5881f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dede1501def90865fb068d752f843a45
SHA1 8fe1fa006de648b94e3a065e7fd4151b3285a2b8
SHA256 4479f542817f51d88cfef0a5473ccf6294f75b17288b97bbc8663413dae0e1ce
SHA512 c43b714235de68b10a4216281c4f218abc6c083576884184262d5cb82860903eee10d11f751c79f895169043ca5d1bcf9927d545b2c854a3a5eb5b10d191ef13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 469ac084ce7a38e1407244a7371bf163
SHA1 98535734395faf7ad1a81c9d38598af57cda9af8
SHA256 8c6aad0c39003736f09f2020f48e2f2724ef8a8d0823efe80168a3333af8baac
SHA512 e5a3448cf387b10b4f3ea3833ac82b4f562f1db55075b99f2a479562bc6501fcafa335d4e797922deb72ced4110bd7c594e7dfc772a3c68184fdeb0248735bbf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f6f430440e04625181835c635bdc282
SHA1 5eea419c590f731de23a2d685442c51481a24714
SHA256 7647dc1e53909cbb6d799dc44049365e8da836190e4e58a04e078f41c2abc0e8
SHA512 15f3597cacc45619ee6b377e815dceb0ae9280cbdbffe40f7c6d7c9f7a7780361431157838868ccb79b644eb9d3a2409d715fe25282eb19df721492cf919b175

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85b8a14d488d7d36ab2dc6f5240a1efe
SHA1 a56d626d3861def63d08bf87ce0fad0e3fdc9f4d
SHA256 68beffe5981f5bfc0b1a14937a86ba582969897bd7aef4c545ce232aceab9396
SHA512 be186360bef20e89c157a2860a39f6d61572b9476c2835b0c7b47fbaf125f1ee9c7bf7265998fa97196cac20f1c7752a1b90c6a30f27092463c669533af0fbc8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba6a5547e2cceaa93ba314e4eab2099f
SHA1 464b6520df151eaf44ce2322ab9ac162cd168c1d
SHA256 cb4acbe6d0513e31ec26991451a1d018258d0a2f5a5a7a14cf38452ce845a585
SHA512 9f3c886722fcfd6770aeab47fcf64f8863ed47c4ca6762eb81991dfb5b33a35837c45372b66ec1a93816c04cde51619413f8f407b1d11050be83827a4681e9f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10e0046f94397bf5deedd2919cdbd6bd
SHA1 9cea71600335fce77ae5ab8c91fbd02b08c7c308
SHA256 dec675fad20c19a80ee248f37116a593dd27614ae02079418b29099cc6457e26
SHA512 7c18c9a5bcec4864fe6c3b3ab5a2d6bbdf0d8161203faf527ae21ec0106918baf918a213f990f272e8c03eb9dd76105d2acfd631d3277776615eb0153c1b5ed0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b9f662a0539d663f94bba082d08a6da2
SHA1 bcfa4252b38e98ca45b58014facccf4a4eee7837
SHA256 255bf8d9724d5a7c94840ecb7b62ac29c53208c84bb5c374c91feefa876cd305
SHA512 13758fca3de6adee1e88ab362cf565f8e9a8c4bff1cb5a235d8bf0932d4c866bc03bc3221576ed4df580ad4fc66cc724cc8eb3af673c4cf2d8f5acb9494010da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ea6ad3f23bfff461a259ecca4a87428
SHA1 d6625a948e2c60bf75e8f86631705cc2215dd2f0
SHA256 f0b58f6000a831b6bb71ca491ab3362a2b154d8246208a85fa651bca80926f4f
SHA512 31240c1bf595892da71963709c863f85e7a88a5ca863b60e281c3c346bb1abc46cad0af8f9ad1f6ffe57e2a900f4fb638f94a26296c9bea445b06a94c4b27fbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07e668d206043b6801959eccf4535476
SHA1 07e46981272fb7d1121d900b208ee14611ac7129
SHA256 f83df3c81f5b5bce100ebac01cd4e880deb20befdc07c9c1ccb808183eb11b43
SHA512 5ea3792bbc1aae5575ae112dd21e12252de862e4d298f522edda899d0981054d6a50da1f8b4469a7a2206f4eb74af4bc519ce44a84215f61dc17940922e40b9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 1559ea1727a9ae28754260f1666b27f4
SHA1 f90f0534b5cc43884e4a0898484cb44afefbcea4
SHA256 d8b5d909b8d5e440b60be0e225e7cc942bdb4234b04a6d2d1b73997fef5ba618
SHA512 a73945dda1b0847c33becc1b3a89faf1f329be897a6ac3e47168e1513e9ef7f1f88ca76d78efd5edcc63a2ca469653cd32b0ae6fd7fabf4c59019bc2d51c5bfd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa53e171a085e02a7ee59e468d4ec665
SHA1 ef1157865570de13a3108f76ced6239682d41d53
SHA256 0668d1191fee722f1eda2476087409e67cc8e0d044bf0beca321a5274e3b024f
SHA512 7ecb86beb0d1ae524d8242a8f83718fa33895f6086efcd20d17e200f631000966feca55112ba350d4ad4cc83ccc9b03ee8de8870347bbd286a6fd3f8acba7860

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9fd8fd06d8cf9e06eb8829dd3a27536
SHA1 b500bd94136d25c51bf43344428693bfe11b257b
SHA256 53b1795a2d30bbf62af48c7e6ea37b93cfa3e88bd2d9cc9ea4d025c2c12a6259
SHA512 6ea8ca9c7f2648ad3ee0706cce3eb3a346228252f02ead46d948fe8d1023704fe90c8f15bfc160917e4615646a65d3c9fc8bf2be6a41dfd59c3d074b7048e42f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 de406c4308e8cc4e7a7cc14f4dc21bbb
SHA1 25d597ed9011e4974ce0dbf84cc35f0436408449
SHA256 c4a013c621626a775b93c2d656545358c26d5e9ad17e1bfc9a87667958479bf6
SHA512 210c2f2963080bc2960f22142768670f9265a4f04f030c315aa74669bf3acf249c7b71706ed5f873d1fc73cdfd7c251e1ec9bd780ee1537eb86e5fedd5751482

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 629486bda57bc70a6faa8c193f700c9a
SHA1 7e3ae41a587fbe70cab4317d26a91b25dc4e3f4a
SHA256 e899e6f4f53d53388c1daaeddbdcbc5ae46acee29c5bec894534433a3e88fe0c
SHA512 26b20ad9d96a0f29fdc3a74dc1dee272a0323d2c1b55624247fe58e7391a51e02519502fca14916a614ef28d792d8198e82ecf2dc3090a79b087c02b928161b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 396083943825a01a222b1ea36511c66e
SHA1 72443ea0e35ada7cbdaa003c78bfcd7ffbb47cc0
SHA256 d46d6ad9324d30b5a277ab8778073b9babb79890ccb616c2f3d9a6ed8aed0786
SHA512 aa810552c51342273ee51df50f14d83bdd1643df10c6001c1cc64d65446c0ed296c7d3e45120e2918a6d6b6d9af920b4dc2b0282fe8a98722971d676d8d70f6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8fee33ce04147dacdda6e6f19661a49e
SHA1 d3e0acb2276c507181e6308950189043d49ccea6
SHA256 209869765d775260cd0b4512f220158a7eefee37389c96e363bbbbd191b258c2
SHA512 e761eacfa8c2c85d95142e9a0282e0a120296ac61c25e4031f0bbdf7a0ecf7fa2ba2f0cb5e75b50b9fc058a6eac5b9db81bddad36a3091cb86e8e161b59359e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 5a9f40602f9eff75bab7270861c0957a
SHA1 0bca399851dd39da761554bb0a695ab709da8087
SHA256 5e61a399c9e457ec5405c5cbbc6d01f3047605a73edd8b3a3f2e0ebc12856030
SHA512 8f9a28e70161dc1a5e0f31571011af72c6ea6a4f5b616f38df1d33e098cf207377cf74bac9644d91b49d560dc46c17e649368ae79e149f95dc86d8bb6a5dc805

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70dd76187d9f489f5c01c195f39c7ced
SHA1 69debb98a5c5a866590a99bfd340d350c860eb8f
SHA256 d57c521dd418c2402260eec6e90e2c7f212162d8caf2879b161c3b8cf29ad3e1
SHA512 cd03cf5072c7768b3ccaa4e9cb5cf1c51d77d4808158baafc30724f942dfec38463c7e0b2396ac389885aa41ebc4754f724948ed407c2df0fb4b0a4070b77fd3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aff0b29c18d8328a688da2d1b17b0f5f
SHA1 0b73b306e58b1edccf8673edc310e9b0360b3c6c
SHA256 bf1cfd0e3511b4f617e4916f1d7dab367826eee9692fa180905664fd67c55c61
SHA512 aaa5c316cfadf912ccf44a22595c0fa5527a809edfd583877e32c40f396001dc1abf8243b5ea41d243d3029ced5a2d22650cfdc00524032a39cd696d06611c29

Analysis: behavioral10

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:45

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf}\ C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf} C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf} C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\GLBSINST.%$D C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\iWin\iWinToolbarHelper.exe C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
File created C:\Program Files (x86)\iWin\~GLH0003.TMP C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
File opened for modification C:\Program Files (x86)\iWin\tbiWin.dll C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
File created C:\Program Files (x86)\Conduit\Community Alerts\~GLH0004.TMP C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
File opened for modification C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
File created C:\Program Files (x86)\iWin\INSTALL.LOG C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
File opened for modification C:\Program Files (x86)\iWin\UNWISE.EXE C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
File created C:\Program Files (x86)\iWin\~GLH0001.TMP C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
File opened for modification C:\Program Files (x86)\iWin\toolbar.cfg C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
File created C:\Program Files (x86)\iWin\~GLH0002.TMP C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
File opened for modification C:\Program Files (x86)\iWin\INSTALL.LOG C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
File created C:\Program Files (x86)\iWin\~GLH0000.TMP C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4095c893306bdb01 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20edd693306bdb01 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{ce0c2586-da36-452b-acdb-320d9bcb19bf} C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000426fa9e63677ad42a837377ae3de38f5000000000200000000001066000000010000200000001e5fad5f513ca864ff00210985ff6319797eabf5d99cd96537fb99bba47a474b000000000e800000000200002000000095d4efdecbd11035b478cff8cc9bbbdc8ea284aabbde2d3ec8b225c1b265d7f42000000032d312c6063f905973fb6858fea1f7af0cec43bfec6b99d3db7c5e6a41fc45c74000000022d103dead7d4cd3195f2dcdfdce557af9ba7353235cef0f2218c2c27d21a65274813e51ae97509168c6d7bdab521dfb95efd4df0dc843a69237c9ff6939e54e C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\DisplayName = "iWin Customized Web Search" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{afdbddaa-5d3f-42ee-b79c-185a7020515b}" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001001600000001000000000700005e01000006000000010100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000086250cce36da2b45acdb320d9bcb19bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000426fa9e63677ad42a837377ae3de38f5000000000200000000001066000000010000200000000739b1f61390b55c2c52ce202b1ff97e67a9bc0bdf2fcea8116c3402e2713cfe000000000e8000000002000020000000399c68c3fc03b692113c54559726908b425296aee00354d3170a73a00e4d591750000000a0786967a7b88ad8f1da69a2ffee9b134e22832de4e598516a91d8bdb82cea012e0365b009b1d4cc5781cae3e860920d82863fe7d73aa2c44590ab2453b353da84ad05e44404fefcec8922951ad7fe6d400000008a22fc8be74323a7149df7f0eb56a467acf3d76badc07c592a4f6b1bff559de2b6c0e71bdcced2f723a82b5f738f7dabb8a9d3b8c2fe6fe1db1d9f55767b71e9 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\URLSearchHooks C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{ce0c2586-da36-452b-acdb-320d9bcb19bf} = "iWin Toolbar" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{afdbddaa-5d3f-42ee-b79c-185a7020515b}" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\MAO Settings C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = d8a2561ed318db01 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2451748728" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ShowSearchSuggestions = "1" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31157040" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF} = 86250cce36da2b45acdb320d9bcb19bf C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\User Preferences C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000426fa9e63677ad42a837377ae3de38f50000000002000000000010660000000100002000000047a4837cc97ee3a09472e26631e2aaaffa0ec25b70ed60953b4bdcde1aad18fe000000000e8000000002000020000000c96865d19e57cdd9b6b58b74213988fa67aaae686e6af05740095aef8a9c9fc510000000318ac68816288f479dd88ae18f4fb51a400000005521f8569420172b9f94ad7fd6f3e1e810a0c03ee7cd0deec1a751a2ffc294657483afbc271d48a762c6a5c639b3a9bc94d6061d87c0dcaf245b78fac0626286 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "no" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\URLSearchHooks\{ce0c2586-da36-452b-acdb-320d9bcb19bf} C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BCD1E567-D723-11EF-AF2A-D2BD7E71DA05} = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.conduit.com?SearchSource=10&ctid=CT1678857" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF} C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\ = "Conduit Community Alerts" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\ = "iWin Toolbar" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\InprocServer32\ = "C:\\Program Files (x86)\\iWin\\tbiWin.dll" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32\ = "C:\\Program Files (x86)\\Conduit\\Community Alerts\\Alert.dll䜀" C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\PROGRA~1\INTERN~1\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 560 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp
PID 1648 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp C:\PROGRA~1\INTERN~1\iexplore.exe
PID 384 wrote to memory of 472 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 472 wrote to memory of 2804 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
PID 2804 wrote to memory of 2740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2740 wrote to memory of 1756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2740 wrote to memory of 1792 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2740 wrote to memory of 1328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2740 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe"

C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp

C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp 4736 C:\Users\Admin\AppData\Local\Temp\$PLUGI~1\IWINTO~2.EXE

C:\PROGRA~1\INTERN~1\iexplore.exe

"C:\PROGRA~1\INTERN~1\iexplore.exe" http://iWin.OurToolbar.com/SetupFinish

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:384 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=80240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=80240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95a2a46f8,0x7ff95a2a4708,0x7ff95a2a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16295645270528732014,8450069065203313113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,16295645270528732014,8450069065203313113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,16295645270528732014,8450069065203313113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

Network

Files

C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp

C:\Users\Admin\AppData\Local\Temp\GLCBEDB.tmp

C:\PROGRA~2\iWin\UNWISE.EXE

C:\PROGRA~2\iWin\toolbar.cfg

C:\PROGRA~2\iWin\IWINTO~1.EXE

C:\Program Files (x86)\iWin\tbiWin.dll

C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_2740_IXNKKXLKGZCKEYYR

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EFY08QA2\v1[1].xml

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G94T3PNL\suggestions[1].en-US

Analysis: behavioral20

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe

"C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe"

Network

Files

Analysis: behavioral23

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20241023-en

Max time kernel

119s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\iwinarcade.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\iwinarcade.js

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:45

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3424 wrote to memory of 4396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 612

Network

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\iWinArcadeIECleanup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinArcadeAutocleanup.bat" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 2884 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 2884 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 4484 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 4484 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 4484 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 4484 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 4484 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 4484 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 4484 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 4484 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 4484 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 4484 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 4484 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 4484 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 1492 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1492 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1492 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4484 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
PID 4484 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
PID 4484 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
PID 4484 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 4484 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 4484 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 4484 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4484 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4484 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4484 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4484 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4484 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
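
The rows above record one entry per WriteProcessMemory call, and every source/target pair corresponds to a launcher and a launched executable in the Processes list for this run, so the table is effectively the process tree of the uninstaller: Uninstall.exe copies itself to ~nsu.tmp\Au_.exe and starts that copy with _?=<install dir>, the standard NSIS uninstaller pattern that lets the original file be deleted (this is what "Deletes itself" and "Executes dropped EXE" react to), and Au_.exe then runs the helper executables and the regsvr32 /u unregistrations. The script below is an added example rather than part of the report: it parses rows in this layout into a tree and counts the writes per pair. The sample rows are copied from the table above; only the first pair keeps its repeated rows.

```python
"""Rebuild the parent/child process chain from the "Suspicious use of
WriteProcessMemory" rows of a sandbox report. Added example, not part of the
report; the row layout it parses is the one printed above."""
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# Constructed sample taken from the behavioral16 table above. The first pair
# keeps the three repeated rows the sandbox logged (one row per
# WriteProcessMemory call); the other pairs are listed once for brevity.
WPM_ROWS = r"""
PID 2884 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 2884 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 2884 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 4484 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 4484 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 4484 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 4484 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 1492 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4484 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
PID 4484 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 4484 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4484 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


class WpmEvent(NamedTuple):
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


class ProcessTree(NamedTuple):
    children: dict        # parent pid -> [child pids] in first-seen order
    images: dict          # pid -> image path
    write_counts: Counter # (src pid, dst pid) -> number of rows, i.e. calls


def parse_wpm_rows(text: str) -> list:
    """Parse report rows; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(WpmEvent(int(m[1]), int(m[2]), m[3], m[4]))
    return events


def build_tree(events: list) -> ProcessTree:
    """Collapse repeated rows into one edge per pair while keeping the call count."""
    children = defaultdict(list)
    images = {}
    counts = Counter()
    for ev in events:
        images.setdefault(ev.src_pid, ev.src_image)
        images.setdefault(ev.dst_pid, ev.dst_image)
        counts[(ev.src_pid, ev.dst_pid)] += 1
        if ev.dst_pid not in children[ev.src_pid]:
            children[ev.src_pid].append(ev.dst_pid)
    return ProcessTree(dict(children), images, counts)


def roots(tree: ProcessTree) -> list:
    """PIDs nobody wrote to: the processes the chain starts from."""
    targets = {dst for (_, dst) in tree.write_counts}
    return sorted(pid for pid in tree.images if pid not in targets)


def render(tree: ProcessTree) -> str:
    """Indented tree; each child line notes how many writes its parent made."""
    lines = []

    def walk(pid: int, depth: int, note: str) -> None:
        lines.append(f"{'  ' * depth}{pid}  {tree.images[pid]}{note}")
        for child in tree.children.get(pid, []):
            n = tree.write_counts[(pid, child)]
            walk(child, depth + 1, f"  [{n} write(s) from {pid}]")

    for root in roots(tree):
        walk(root, 0, "")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_tree(parse_wpm_rows(WPM_ROWS))))
```

The per-pair count is worth keeping: a parent that writes to a child a handful of times right after creating it looks like ordinary process start-up, whereas many writes into an already running process that the parent did not create is the shape of injection, and the two are indistinguishable once the rows are collapsed.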

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe

"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" DelArcadeFromFireWallExceptions

C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe

"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" convertShortcutsToLinks

C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe

"C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -remove

C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe" -uninstall

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"

C:\Users\Admin\AppData\Local\Temp\iWinGames.exe

"C:\Users\Admin\AppData\Local\Temp\iWinGames.exe" /trackArcadeUninstall_reason_0

C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe

"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" uninstallDesktopAlerts

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 ws.iwin.com udp
US 35.175.34.235:80 ws.iwin.com tcp
US 35.175.34.235:80 ws.iwin.com tcp
US 8.8.8.8:53 235.34.175.35.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 f7eb4bc689e6cf7d36040dbe0d9331e5
SHA1 19bca2dd29fb9f54822bd2cacb68bf85063cf92a
SHA256 c8f0bd7f368607af6abaeaacc7b37a43ea0c807bf2bbc8e9d5a73cfe06c72fe7
SHA512 062c699df55ed81e1f0f77452bf7816fff9ebfb95885cb3ee132cf17d727c258b9a3c9d8983f8370227996e25f42d526f821950465df35bcda4ce0f8d6f6d023

memory/3956-7-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3956-8-0x0000000000570000-0x0000000000572000-memory.dmp

memory/3956-9-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4900-10-0x00000000005A0000-0x00000000005A2000-memory.dmp

memory/4900-11-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3932-12-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3932-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3980-15-0x0000000000400000-0x0000000000FCD000-memory.dmp

memory/3980-22-0x0000000000400000-0x0000000000FCD000-memory.dmp

memory/4876-24-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iWinGames\Downloads\cache.dat

MD5 05da8f0281ad5626c84a5549650d1bf3
SHA1 9e742af52e9e439f63dc7788b472c73000a1da4f
SHA256 0f8e730f1b5a750f5f42698e020b25a8291b9c7336310d0999ef0d1660434016
SHA512 7b2d26f5ff4ce2d5b880fa9027e71bfeb576086f43c85a2885515969e18ee2fe8b8602115fbd55827e2c328f5b8102f9e3f7779694bfdd09430793e67eee2ea3

C:\Users\Admin\AppData\Local\Temp\iWinGames\iWinGames.log

MD5 559051f7e1657074cfff4e63fb9087c5
SHA1 a66f00c2b1ed6ce7fe91c881815f2eb336098769
SHA256 193ef850bbe75ade2aca30633f0f353e5f3b309e48049b244deb71fb069d814b
SHA512 eee555aca6c5a48d605432b7a33b93008021df35320f8e68413964890d16259751cac1affd6721db7d09eed4613ddb5974222f80b69ec4247781b9ff1179c6dc

Analysis: behavioral19

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20240903-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe

"C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe"

Network

N/A

Files

memory/2788-0-0x0000000000400000-0x0000000000934000-memory.dmp

memory/2788-1-0x0000000000020000-0x0000000000022000-memory.dmp

memory/2788-2-0x0000000000400000-0x0000000000934000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:47

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\firefox\iWinArcadeLauncher.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\firefox\iWinArcadeLauncher.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\firefox\iWinArcadeLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\firefox\iWinArcadeLauncher.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 218.158.40.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20240903-en

Max time kernel

14s

Max time network

19s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ = "IiWinInformer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinInfo.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\ = "iWinSuppot Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ = "iWinSuppot Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID\ = "iWinSuppot.iWinSuppot.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\ = "iWinSuppot Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\ = "iWinInfo Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\ = "{511FEB59-57D5-4B0C-AE92-ABBA854413AF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\VersionIndependentProgID\ = "iWinSuppot.iWinSuppot" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\ = "{511FEB59-57D5-4B0C-AE92-ABBA854413AF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\CurVer\ = "iWinSuppot.iWinSuppot.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID\ = "{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinInfo.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ = "IiWinInformer" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2748 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 2748 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 2748 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 2748 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 2748 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 2748 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 2748 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:48

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

142s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID\ = "{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ = "IiWinInformer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ = "IiWinInformer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\CurVer\ = "iWinSuppot.iWinSuppot.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ = "iWinSuppot Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\ = "iWinInfo Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinInfo.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\ = "{511FEB59-57D5-4B0C-AE92-ABBA854413AF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinInfo.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID\ = "iWinSuppot.iWinSuppot.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\VersionIndependentProgID\ = "iWinSuppot.iWinSuppot" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\ = "iWinSuppot Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\ = "iWinSuppot Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\ = "{511FEB59-57D5-4B0C-AE92-ABBA854413AF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 4220 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 624 wrote to memory of 4220 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 624 wrote to memory of 4220 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.89.16.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\firefox\iWinArcadeLauncher.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\firefox\iWinArcadeLauncher.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\firefox\iWinArcadeLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\firefox\iWinArcadeLauncher.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:45

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.iwin.com udp
US 34.201.88.230:80 www.iwin.com tcp
US 34.201.88.230:443 www.iwin.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 230.88.201.34.in-addr.arpa udp
US 8.8.8.8:53 ocsp.r2m03.amazontrust.com udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 109.193.84.52.in-addr.arpa udp
US 8.8.8.8:53 218.158.40.23.in-addr.arpa udp
FR 18.245.196.26:80 ocsp.r2m03.amazontrust.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.196.245.18.in-addr.arpa udp
US 8.8.8.8:53 img.iwin.com udp
FR 13.32.145.87:80 img.iwin.com tcp
US 8.8.8.8:53 87.145.32.13.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
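
Most rows in these network tables are PTR lookups (w.z.y.x.in-addr.arpa sent to 8.8.8.8). They appear in every run, including runs with no forward lookup or TCP connection at all (behavioral26 above), so they are resolver activity of the sandbox image rather than the sample's own traffic; the only ones worth keeping are reverse lookups of addresses the sample actually connected to, and those merely confirm the connection. For this run the sample-attributable traffic is www.iwin.com over ports 80 and 443, img.iwin.com over 80, and a request to ocsp.r2m03.amazontrust.com, which is consistent with certificate revocation checking for the TLS connection. The script below is an added example and not part of the report: it parses rows in this table's layout and separates connections, names that were resolved but never contacted, and PTR noise. The sample rows are a subset of this run's table.

```python
"""Split a sandbox network table into traffic the sample caused and resolver
noise. Added example, not part of the report; the row layout is the
"Country Destination Domain Proto" table printed above."""
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample: a subset of the behavioral4 rows above.
NET_ROWS = """\
US 8.8.8.8:53 www.iwin.com udp
US 34.201.88.230:80 www.iwin.com tcp
US 34.201.88.230:443 www.iwin.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 230.88.201.34.in-addr.arpa udp
US 8.8.8.8:53 ocsp.r2m03.amazontrust.com udp
FR 18.245.196.26:80 ocsp.r2m03.amazontrust.com tcp
US 8.8.8.8:53 img.iwin.com udp
FR 13.32.145.87:80 img.iwin.com tcp
US 8.8.8.8:53 87.145.32.13.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


class NetRow(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_net_rows(text: str) -> list:
    """Parse table rows; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(NetRow(m[1], m[2], int(m[3]), m[4], m[5]))
    return rows


def ptr_target(domain: str):
    """For d.c.b.a.in-addr.arpa return 'a.b.c.d'; None for a forward name."""
    m = PTR_RE.match(domain)
    return ".".join(reversed(m.groups())) if m else None


def triage(rows: list) -> dict:
    """Bucket rows into connections, DNS-only names and reverse-lookup noise."""
    connections = defaultdict(set)  # domain -> {(ip, port)}
    lookups = set()                 # forward names queried over DNS
    ptr_ips = set()                 # addresses that were reverse-resolved
    for r in rows:
        ip = ptr_target(r.domain)
        if ip is not None:
            ptr_ips.add(ip)
        elif r.port == 53 and r.proto == "udp":
            lookups.add(r.domain)
        else:
            connections[r.domain].add((r.ip, r.port))
    contacted_ips = {ip for pairs in connections.values() for ip, _ in pairs}
    return {
        # names the sample (or a library it used) actually connected to
        "contacted": {d: sorted(p) for d, p in connections.items()},
        # resolved but never connected: worth a look, often sinkholed or filtered
        "dns_only": sorted(lookups - set(connections)),
        # PTR queries for the sample's own peers: a side effect of the connection
        "ptr_for_contacted": sorted(ptr_ips & contacted_ips),
        # PTR queries for addresses the sample never touched: environment noise
        "ptr_noise": sorted(ptr_ips - contacted_ips),
    }


if __name__ == "__main__":
    for bucket, content in triage(parse_net_rows(NET_ROWS)).items():
        print(bucket, content)
```

Applied to the whole report, the "contacted" bucket is the list that belongs in an indicator set (ws.iwin.com, www.iwin.com, img.iwin.com and their addresses); the PTR noise bucket is what to drop before anyone adds 40.x and 52.x Microsoft ranges to a blocklist.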

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2025-01-20 11:40

Reported

2025-01-20 11:42

Platform

win7-20240903-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\iWinArcadeIECleanup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinArcadeAutocleanup.bat" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iWinGames.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 2856 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 2856 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 2856 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 2640 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2640 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2640 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2640 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2640 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2640 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2640 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2640 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2640 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 2640 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 2640 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 2640 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
PID 2640 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2640 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2640 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2640 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2640 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2640 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2640 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
PID 2668 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2668 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2668 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2668 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2668 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2668 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2668 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
PID 2640 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
PID 2640 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
PID 2640 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
PID 2640 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2640 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2640 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2640 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
PID 2640 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe

"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" DelArcadeFromFireWallExceptions

C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe

"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" convertShortcutsToLinks

C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe

"C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -remove

C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe" -uninstall

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"

C:\Users\Admin\AppData\Local\Temp\iWinGames.exe

"C:\Users\Admin\AppData\Local\Temp\iWinGames.exe" /trackArcadeUninstall_reason_0

C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe

"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" uninstallDesktopAlerts

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ws.iwin.com udp
US 3.212.86.116:80 ws.iwin.com tcp
US 3.212.86.116:80 ws.iwin.com tcp

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 f7eb4bc689e6cf7d36040dbe0d9331e5
SHA1 19bca2dd29fb9f54822bd2cacb68bf85063cf92a
SHA256 c8f0bd7f368607af6abaeaacc7b37a43ea0c807bf2bbc8e9d5a73cfe06c72fe7
SHA512 062c699df55ed81e1f0f77452bf7816fff9ebfb95885cb3ee132cf17d727c258b9a3c9d8983f8370227996e25f42d526f821950465df35bcda4ce0f8d6f6d023

memory/2704-10-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2640-9-0x0000000002B80000-0x0000000002BB9000-memory.dmp

memory/2704-11-0x0000000000230000-0x0000000000232000-memory.dmp

memory/2704-12-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2852-13-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2640-14-0x0000000002B80000-0x0000000002BB3000-memory.dmp

memory/2684-16-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2640-17-0x0000000005360000-0x0000000005F2D000-memory.dmp

memory/2740-18-0x0000000000400000-0x0000000000FCD000-memory.dmp

memory/2740-26-0x0000000000400000-0x0000000000FCD000-memory.dmp

memory/2540-28-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2640-27-0x0000000002B80000-0x0000000002BB9000-memory.dmp

memory/2540-30-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iWinGames\Downloads\cache.dat

MD5 7bcfdf4ff2fd7e9f38e4e836ce443378
SHA1 aee14127fd409c3de064e5bb65ed057dca3cb4f7
SHA256 428deca3f08767b4091b1839cd2d84dc827d569e244f8a3cec2817ffbef46a71
SHA512 8c883692d453708b02e087330630f6d1f14f9a282cc905211a836071e4c095b819ccaac0fac951b74e13f116ab575ed9c78ea58de04915639db2c915b028bf32

C:\Users\Admin\AppData\Local\Temp\iWinGames\iWinGames.log

MD5 e661e214e2e3a4b34534087af7a157c8
SHA1 9d9da4838515c6e65bd0300baefbdae80a3b58e2
SHA256 97c0d116d0ea2783b20b8bd29464f13bd6cb3c4f1e6c85b946089db5316e6bcc
SHA512 210aabddb0fbbc86037863cb552fa55608f20cedf2ae40408bc2ade58e127b1975e0e198668434f9ebbfab5102403e2e862549cd86f9dc3d9f48045717bf6943