Analysis Overview
SHA256: 672d70ad03e526910432bcc74c21e184b33b1bedd80c6a29223f4e52175b78f1
Threat Level: Shows suspicious behavior
The file JaffaCakes118_e60156f6d9a9642465da11d0915b43ad was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Deletes itself
Checks computer location settings
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
Looks up external IP address via web service
Installs/modifies Browser Helper Object
Drops file in System32 directory
Drops file in Program Files directory
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Unsigned PE
Browser Information Discovery
NSIS installer
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Modifies registry class
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Modifies Internet Explorer start page
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2025-01-20 11:40
Signatures
Unsigned PE
NSIS installer
Analysis: behavioral17
Detonation Overview
Submitted: 2025-01-20 11:40
Reported: 2025-01-20 11:42
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 124s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\ = "iFunWebHookIE Type Library for IE Integration" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1692 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1692 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1692 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1692 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1692 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1692 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1692 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s /i "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted: 2025-01-20 11:40
Reported: 2025-01-20 11:48
Platform: win10v2004-20241007-en
Max time kernel: 140s
Max time network: 145s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14} | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID\ = "iWinTrusted.CoiWinTrusted.1" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A} | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0 | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalService = "iWinTrusted" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\ = "iWinTrusted 1.1 Type Library" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\ = "iFunWebHookIE Type Library for IE Integration" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1 | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14} | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ForseRemove | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID\ = "iWinTrusted.CoiWinTrusted" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted Class" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\ = "iWinTrusted Class" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer\ = "iWinTrusted.CoiWinTrusted.1" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinTrusted.exe\" /server" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinTrusted.exe" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
"C:\Users\Admin\AppData\Local\Temp\iWinGames.exe"
C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
"C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -install
C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s /i "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" StartProcessNoWait "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" "-install"
C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
"C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -install
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x494
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.iwin.com | udp |
| US | 52.22.60.172:80 | update.iwin.com | tcp |
| US | 8.8.8.8:53 | gm.iwin.com | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.60.22.52.in-addr.arpa | udp |
| US | 52.22.60.172:80 | gm.iwin.com | tcp |
| US | 8.8.8.8:53 | gm.iwin.com | udp |
| US | 3.212.86.116:80 | gm.iwin.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 116.86.212.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.89.16.2.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted: 2025-01-20 11:40
Reported: 2025-01-20 11:48
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 151s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\ = "iFunWebHookIE Type Library for IE Integration" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3640 wrote to memory of 856 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3640 wrote to memory of 856 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3640 wrote to memory of 856 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.158.40.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.218.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:45
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\WebInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\iwintoolbar.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\WebInstaller.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\WebInstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\WebInstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\iwintoolbar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\Programmable | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32\ = "C:\\Program Files (x86)\\iWin Games\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\ = "{511FEB59-57D5-4B0C-AE92-ABBA854413AF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID\ = "iWinSuppot.iWinSuppot.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ = "C:\\Program Files (x86)\\iWin Games\\iWinInfo.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\ = "iWinTrusted Class" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted Class" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0 | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ = "IiWinInformer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iwin | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\VersionIndependentProgID\ = "iWinSuppot.iWinSuppot" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32\ = "C:\\Program Files (x86)\\iWin Games\\iWinTrusted.exe" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalService = "iWinTrusted" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\iWin Games\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\ = "iWinSuppot Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\ = "iFunWebHookIE Type Library for IE Integration" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Program Files (x86)\\iWin Games\\iWinTrusted.exe\" /server" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\ = "{511FEB59-57D5-4B0C-AE92-ABBA854413AF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\iwintoolbar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\iwintoolbar.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe"
C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe
"C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe"
C:\Program Files (x86)\iWin Games\AdminWorker.exe
"C:\Program Files (x86)\iWin Games\AdminWorker.exe" AddArcadeToFireWallExceptions
C:\Program Files (x86)\iWin Games\AdminWorker.exe
"C:\Program Files (x86)\iWin Games\AdminWorker.exe" restoreShortcutsPathes
C:\Program Files (x86)\iWin Games\iWinTrusted.exe
"C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
C:\Program Files (x86)\iWin Games\WebInstaller.exe
"C:\Program Files (x86)\iWin Games\WebInstaller.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\iWin Games\iWinInfo.dll"
C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\iwintoolbar.exe
iwintoolbar.exe
C:\Program Files (x86)\iWin Games\iWinGames.exe
"C:\Program Files (x86)\iWin Games\iWinGames.exe"
C:\Program Files (x86)\iWin Games\iWinTrusted.exe
"C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
C:\Program Files (x86)\iWin Games\WebInstaller.exe
"C:\Program Files (x86)\iWin Games\WebInstaller.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"
C:\Program Files (x86)\iWin Games\AdminWorker.exe
"C:\Program Files (x86)\iWin Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" "-install"
C:\Program Files (x86)\iWin Games\iWinTrusted.exe
"C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x518
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.iwin.com | udp |
| US | 34.206.121.130:80 | www.iwin.com | tcp |
| US | 34.206.121.130:443 | www.iwin.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ocsp.r2m03.amazontrust.com | udp |
| FR | 3.162.33.170:80 | ocsp.r2m03.amazontrust.com | tcp |
| US | 8.8.8.8:53 | img.iwin.com | udp |
| US | 8.8.8.8:53 | 130.121.206.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.193.84.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.158.40.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.33.162.3.in-addr.arpa | udp |
| FR | 13.32.145.54:80 | img.iwin.com | tcp |
| US | 8.8.8.8:53 | 54.145.32.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.iwin.com | udp |
| US | 54.145.41.76:80 | update.iwin.com | tcp |
| US | 8.8.8.8:53 | gm.iwin.com | udp |
| US | 54.145.41.76:80 | gm.iwin.com | tcp |
| US | 8.8.8.8:53 | 76.41.145.54.in-addr.arpa | udp |
| US | 54.145.41.76:80 | gm.iwin.com | tcp |
| US | 8.8.8.8:53 | gm.iwin.com | udp |
| US | 54.145.41.76:80 | gm.iwin.com | tcp |
| US | 52.22.60.172:80 | gm.iwin.com | tcp |
| US | 8.8.8.8:53 | 172.60.22.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\System.dll
| MD5 | 4c0c6163b636f627e0d505deda672c90 |
| SHA1 | 2eae4e6f00673a03ae2434f1b22dc9218e4761a8 |
| SHA256 | bea71368433f91e32c597db990089ecb7599879f76a64f7f3446489578b2d5fb |
| SHA512 | e817ad35f0e89ecce9d73add641d9eab95de6c6c30153e594673c8e0243e738a31dfb872cc76a8d51bc513775fc1dabc9adb65019298048539d6c3aa7d33e2ef |
C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\nsExec.dll
| MD5 | 0eaa468e975017262a246e03e23b3172 |
| SHA1 | 17064408bd1c2fe2a6aa8588fba7d34018f94241 |
| SHA256 | 2a0b28de70575228c2bf63f0d3c4073904e2c854427c006f187532f1d0349bd6 |
| SHA512 | e5946258c126fb0a6657d862931b6c965bfd899a499f023ee3626f62039acdbf844f495c714eaaae47c08de4d8b668377e23f7b5632c0b9d83391aaf08378de7 |
C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe
| MD5 | ec08c1c867ded8f5221aefb969b161c1 |
| SHA1 | 839866cc28b401d1d3f0f07aa8f13803f56b496a |
| SHA256 | f3bd166834e626631abe30c2353dd1c015d8b9cf6b63cf94164478e6cbf3c0be |
| SHA512 | 34c35aab50e9207bdb50cb619c0882b585577b46cdd23710663dcfeceaca8b7c4248e082ad28c2718201225c42d0ad559ebd0ebe904a588d324d50d44774a7a7 |
C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\ftdownload.dat
| MD5 | e45db6ebc4de21e77ddd6ac9a7735dc7 |
| SHA1 | 2230443ffa9c45016b17aaaf05492e155032d8b5 |
| SHA256 | 9af15500af37d4bba70bf38ed1100eb81553f6a6171d8dba84c1eb8cfc6fc2f9 |
| SHA512 | 95078c3ee3abd00e97d99cb93f554c51ba935d21e5884e35c045e06c77474e45610ff43740bc5d6eadfd1a7ca2cec9967bb04bbc344158660ad3e8ddb2d70945 |
C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\gametitle.txt
| MD5 | 09413be548245a232bf1857a0c94524b |
| SHA1 | 367cae47d819a19202c30a801d05b3114f02bcb9 |
| SHA256 | cb60483845cf9bced83019d3825d76fc6d1c2cea8430c2d3d33a0a926d5a5073 |
| SHA512 | 953c3fb3ebebfec1856454b423154c425986af4eecf3ffd741639ea4c4be9d47dc9663b73683171b68db753abb1219241a8082cdf40e915a2411c38e755bccf7 |
C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\tn_feat.bmp
| MD5 | 1da2c13d7f658d4dbda4cd08933cba0d |
| SHA1 | 55447016919661e7f86dee62f620a3640dcf31c0 |
| SHA256 | 61ba87f145a9edd68a2d6a7f1f8b840f992f00827bb7a8f86aad728d7d8969c4 |
| SHA512 | 9c770ac6757904d6c81e7f6cc18f97acb3ed4379975b6981744b339b959ab906699a4f53c4d5300047abfda333b6cbda48c884da76dae8cd4d3b93415686f05d |
C:\Program Files (x86)\iWin Games\iWinGames.exe
| MD5 | 4851958fad503e3467be9b047517e4d3 |
| SHA1 | 95d09a8bae10756fe41739336f5768dc14d27dd9 |
| SHA256 | 2c8e819d3cfec79cce6fa9ecc2402a7bdc1839c6af98505e38215318f511ed28 |
| SHA512 | 7bb53990f50512fc1550b91789fc7b3190fb0cdba9bca068f49579d162d46782895d1d518de00e7f95e82823d1f855670492d5dde057b44720bae71d85f063d1 |
C:\Program Files (x86)\iWin Games\AdminWorker.exe
| MD5 | 4c0f8f3cf26f0396ead85a2356807c3c |
| SHA1 | ce72ae607bf5bc4b3eeb7494e2e1bd4ebcbb69ff |
| SHA256 | b024f78e61fbb1e26c844a35cbe1c49c34a36af3ec1fff6528e5539c30b7132e |
| SHA512 | 574d76ef6cc7f705ee084faa8900bad77fb93732b37732e4d9e9bc66585690d623dff51921b0918904600da27fa607938fdca6fdc42733c73e6a94fd6adc3240 |
memory/3672-84-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3672-86-0x0000000000490000-0x0000000000492000-memory.dmp
C:\Program Files (x86)\iWin Games\WebUpdater.exe
| MD5 | 3287302f72a0011d9460da21c7b37ae1 |
| SHA1 | e7430de4d6a8bbd2b79a80ec75b09240aef74cae |
| SHA256 | dca222382828a4e2a3c9dbe03dc637b704ea3b9e078595e3e18980a1fe3daa23 |
| SHA512 | 835b401a6952ba9d176fa531bd250925488b0464e64627003dbd0f791fe77b3951909296ebfb702e8d3ca045f801c98db043446d49642d77fb21d11fa5b0811d |
memory/3672-89-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2244-91-0x00000000005B0000-0x00000000005B2000-memory.dmp
memory/2244-93-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Program Files (x86)\iWin Games\iWinTrusted.exe
| MD5 | dc2c60e7d42d67a560918f8e497a0980 |
| SHA1 | 55efe25e33e660d0284c73517a37d019777488c0 |
| SHA256 | b79f06804168a096ee499fed0dcdf0b73a4ce742b455d5de0059d2ec7e1bb89f |
| SHA512 | e7c4e53ee45f5d1030c2c361194457e3e3a4009f2e356c687aaf299872a9c1388f2a86c8f5b69e68c64353ae5286c9dd411da218dd0fd20ff2f5d16219a83474 |
memory/3228-96-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3228-98-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Program Files (x86)\iWin Games\WebInstaller.exe
| MD5 | 68f57e85a24b56f8ef8147594d36cdce |
| SHA1 | 5a0a2df45c1d3a9ebed83eae74bbd1c13ad5d053 |
| SHA256 | 5c8c6afa74f03fb0d2ac31cb9cf19077211dd5c08c0166881893efb7d2a3977f |
| SHA512 | 7ecfb670e4d3672413d9274cf7ebd888d007ba09d6c2dd24f88175817663d0b67064603f1e011fa2cdaf7a160dce62c2502516dd29c4a28b8686315bea0cb042 |
C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll
| MD5 | f841c2d5f930cf4ae834b67a9eba5809 |
| SHA1 | 50d550e3d9ea5585148f644f12e33d113dd303e8 |
| SHA256 | 9b22d81b76219c30914dbf93f431cf72a6dc071a34fda46c4534a24eb6ca43c7 |
| SHA512 | ee5f53e67826dd6542b39e5808c6bcfc4b5ddb09ef566de7167c57e7ebfe1a4dd915bb3ab6c7c6693b0b3b499dd35ca6c16f782fc11ea4262f4955a08e206702 |
C:\Program Files (x86)\iWin Games\iWinInfo.dll
| MD5 | 067b2c0a3d6b801fc8c9bcce8411dfd1 |
| SHA1 | ff26f2c84a6c256b2959c9482f45524a9ab06781 |
| SHA256 | 1e692ee7bbd08d0862055a4bf69647c8022385706bf3b07462f28de9d1a6cf7d |
| SHA512 | 8b7e372c3a15d27cbf449b51ced7485b40f687cb7429a0765f4cc6ff2a8f67ace2b0594662183b5a0292f1b46873694d9b8e2208f56d542cac5cddabfdb8e3b3 |
C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\IwinToolbar.exe
| MD5 | 2977804931e9cf61cf86d1d0d0d7eb3e |
| SHA1 | 3e96c8baa8d6ebeb8deb021a453adc02b4f7a288 |
| SHA256 | c79f67e60d4d9d8e3446bcf804b9f78fc7a52a994a47383c1aff9a7b58790979 |
| SHA512 | 4004e12a59d175d7d88c7e6cd8ddddc78ee787ca0f82b63ee63d1e271d828655aa10c2d8463928a9db1fcf13308572c55d407194baa941f9162d6d08a5a47b14 |
memory/1772-111-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1772-112-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4352-120-0x0000000000400000-0x0000000000FCD000-memory.dmp
C:\Program Files (x86)\iWin Games\host.cfg
| MD5 | 48219b846f8111f0064fd38788b9ab98 |
| SHA1 | 542cb5f93dbf610f28d6c66fca0a49da0076d31d |
| SHA256 | 38d321b4d09d2d0192d11d7356ebd2f94d413661b126b7494b223a57b04084de |
| SHA512 | 50ac1b46f6eb79bcad7c20927a95b734fb9b7a7e5d5a0927264fbeba82c9374cfd6437149f9cc43cfe50bfac52cc2948fae20074385ea0e4530841436b5120ad |
C:\Program Files (x86)\iWin Games\firefox\version
| MD5 | c314a4674d7e2d0d0df34fb27a0983d8 |
| SHA1 | 56b9cdb1f345be8212ffa03722d792edf09b55fa |
| SHA256 | 2e8516fe8eade72d519ce204c2c296bf838589585c14d28170e1621bd10e4dc4 |
| SHA512 | 1d25fa966a36fe0d12a0f58b1a94bb0b9787738b321d79aa8db9934a494a412117273cad836a37ef3ff44540441e3e343c8260a28e8883581a9def37ad0e5b60 |
memory/3484-127-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3484-130-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4484-135-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4200-136-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4200-138-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Program Files (x86)\iWin Games\pages\blank.html
| MD5 | f8ab4f67022399715ff3e862f59bd27e |
| SHA1 | 2606eca361d217990708bb1714e6de2d0bb21584 |
| SHA256 | 3db213886c1a831f8c1867c367cf46ffc84065ce5831b04eb398837abcfd6965 |
| SHA512 | 9bd33cd117228af88aef403472edf669a12aa4ec68fdc4cd168e1c6ad8aaa63e12278475583268aeff37609eef5b3118747f8be9792ca6cc59ded647dac86ad5 |
C:\Program Files (x86)\iWin Games\pages\iwin_logo.gif
| MD5 | 0dc284616d7449d447d4d5a9ac2a230b |
| SHA1 | 377a3077c320f639c8e58b50aab55725f2bb6e34 |
| SHA256 | 1a75196360b1ce49017e0dac6fb29797e1a947085e6f5dcf03a37747b51e83a1 |
| SHA512 | 044a70e9a448ea2f4ef0a8971420a230aaebf3cd1c4e896d1dcc1c52a20f94e48d0a59484077c2ff1bd2e4cb23b6fad041b87e1ea06a43e768b96b372d2955c9 |
C:\Program Files (x86)\iWin Games\pages\blank2.html
| MD5 | 90b42fd8e93203218847a3c0a646d377 |
| SHA1 | 0d485e2de867448e4853031d5714942128d92983 |
| SHA256 | aec450600b1ea9c5cd12a92ff9764092434c2cca7e56c10c7b11a63a13209c5f |
| SHA512 | de8ab5192fbb9e1df4f1baa7436f2d21cbb94f921931d502aed87049b46affe2dba1929ef48b528f114722cff7c797d381070b35884f7bea18813df355b0ffab |
C:\Program Files (x86)\iWin Games\sounds\animation.wav
| MD5 | 3ef7618619348fbbeca7b0f772be7e5c |
| SHA1 | d86829f29c8f22c2d3562269b3d2f0c3b822ad0c |
| SHA256 | d361e7b9d8d6e1e3c2b4977f53a06a363183b74796b27cbba2d0277a7e19a872 |
| SHA512 | b7c339678b214ff57594f02f2953ec762584f8b31644b1f63ac55586423fd34a7afae9c3d208db7caaab6e30bcb806cc9720cdb34c58f466aabad547d3263376 |
C:\Program Files (x86)\iWin Games\sounds\start.wav
| MD5 | 94ab5e493c7fd8358c9a893d0a108d5f |
| SHA1 | 5dd41e775bb246ee33cbbb6bbf1a4a6b65da1173 |
| SHA256 | 54e995d1600802e1dccb785ba3ea20d14c85b54e70c397d48074135f2c731b4a |
| SHA512 | f95197a3f28d57c77ad4f40346d941ce075e83bec79531eb7000b981f9587f0ccbe962edb11390c4a122386666e0665f1572091489338760a2dcd2bba0113164 |
memory/4352-153-0x0000000000400000-0x0000000000FCD000-memory.dmp
memory/4352-159-0x0000000000400000-0x0000000000FCD000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20240903-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d010105050
0038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (value elided) | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = (value elided) | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6d
a6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (value elided) | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d
56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.iwin.com | udp |
| US | 18.210.70.237:80 | www.iwin.com | tcp |
| US | 18.210.70.237:443 | www.iwin.com | tcp |
| US | 8.8.8.8:53 | crt.rootg2.amazontrust.com | udp |
| FR | 3.164.163.127:80 | crt.rootg2.amazontrust.com | tcp |
| US | 8.8.8.8:53 | ocsp.r2m03.amazontrust.com | udp |
| FR | 18.245.196.26:80 | ocsp.r2m03.amazontrust.com | tcp |
| US | 8.8.8.8:53 | img.iwin.com | udp |
| FR | 13.32.145.87:80 | img.iwin.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| FR | 92.122.218.16:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| FR | 23.57.4.240:80 | www.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabAFA2.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarAFC4.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 602251d3109a9d5051c3eca81b64c50d |
| SHA1 | cfeffa97d51d8094e7a2cf6c73b2a013c5694723 |
| SHA256 | 6ceec25c5ab42306037835493b492cabcfe28f4af45e5b8fce09410ddbb0dc7a |
| SHA512 | fd669209685fd6b3e6b2bc11cc91a7688cf8912374027930ecb07b2d3e118169a36fc529e53b6b5527d803112d676ee21a135b5aa92b36528de6a139ce026b46 |
Analysis: behavioral5
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20241010-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe"
Network
Files
memory/1156-1-0x0000000000020000-0x0000000000022000-memory.dmp
memory/1156-0-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1156-2-0x0000000000400000-0x0000000000462000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20240708-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 224
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20240903-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 224
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20240729-en
Max time kernel
63s
Max time network
20s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe"
Network
Files
memory/1172-0-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1172-1-0x00000000002B0000-0x00000000002B2000-memory.dmp
memory/1172-2-0x0000000000400000-0x0000000000439000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20240903-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\iwa-ovr.js
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:46
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\iwa-ovr.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.158.40.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:45
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
156s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\ = "iFunWebHookIE Type Library for IE Integration" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2716 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2716 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2716 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s /i "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20240903-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\ = "iFunWebHookIE Type Library for IE Integration" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2296 wrote to memory of 372 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2296 wrote to memory of 372 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2296 wrote to memory of 372 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2296 wrote to memory of 372 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2296 wrote to memory of 372 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2296 wrote to memory of 372 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2296 wrote to memory of 372 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:45
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
140s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.158.40.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.218.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.89.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:47
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\iwinarcade.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.89.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.17.178.52.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20241010-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com\NumberOfSubdomains = "1" | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalService = "iWinTrusted" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14} | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\ = "{495874FE-4A82-4AD1-9476-0B957E0B95EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\ = "iWinTrusted Class" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID\ = "iWinTrusted.CoiWinTrusted.1" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0 | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14} | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer\ = "iWinTrusted.CoiWinTrusted.1" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID\ = "iWinTrusted.CoiWinTrusted" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\Programmable | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A} | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\ = "iFunWebHookIE Type Library for IE Integration" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\ = "iWinTrusted 1.1 Type Library" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ForseRemove | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted Class" | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
"C:\Users\Admin\AppData\Local\Temp\iWinGames.exe"
C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
"C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -install
C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s /i "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" StartProcessNoWait "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" "-install"
C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
"C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -install
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | update.iwin.com | udp |
| US | 8.8.8.8:53 | gm.iwin.com | udp |
| US | 54.145.41.76:80 | gm.iwin.com | tcp |
| US | 54.145.41.76:80 | gm.iwin.com | tcp |
| US | 8.8.8.8:53 | gm.iwin.com | udp |
| US | 3.212.86.116:80 | gm.iwin.com | tcp |
| US | 8.8.8.8:53 | static.iwincdn.com | udp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| FR | 13.32.145.79:80 | static.iwincdn.com | tcp |
| FR | 13.32.145.79:80 | static.iwincdn.com | tcp |
| GB | 216.58.204.72:80 | www.googletagmanager.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| DE | 157.240.253.1:80 | connect.facebook.net | tcp |
| DE | 157.240.253.1:443 | connect.facebook.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| FR | 23.57.4.240:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.146:80 | crl.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\1356VOHZ.htm
| MD5 | dd387b050a4bf3eae73f9741dcc91412 |
| SHA1 | 8b8afc9628bdd823ae137c7ac08165ab1331a446 |
| SHA256 | 0af4b1ed4f5181903476d2d3ddcdd8426f540b8ef7cf690e44c857ec5cd7bdda |
| SHA512 | 624d72050074fdee4a3c56ed5af230e3f668b83def795518813aab2df674014b35fdd2bae62239ae0ec7dade0ceedc37d4c502f18a90dcabcea473ef3ca12972 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K0PVW9XR\polyfills[1].js
| MD5 | 04b96b5f357a07c6675daaeffcf55074 |
| SHA1 | 8ed411a804b9cdccdc12caaea070911ca324f13f |
| SHA256 | a0757d0ce2b9c57b119aa3fc447ab0d2049d6a963c42db7c625189e5c90fed9a |
| SHA512 | 647925a5f1d7c0c0151a4ebcde56efa80e89d5632d8c371ee0b1ec807ca8d26839a8f154a716e599fe0f2ddaae7c45452e437c2fdcaa1c723078675a279453e2 |
C:\Users\Admin\AppData\Local\Temp\Cab540B.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar54E9.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K0PVW9XR\core-standard[1].js
| MD5 | 2b50ac1e90a98cdb82d4ae5becb0221c |
| SHA1 | 665df17df710296f9576bdc90b18640c28c94680 |
| SHA256 | 3aa33e1c6608b54c59d8ada00e8a1b7d5c122d699ec0fc37fdd97a02d42134f5 |
| SHA512 | 5370c60717ade00568ed271c3f77c02bd946686c943d9a64587bfeef0767f0c9d43babff3cd5a72976123e7e477fae91283a1799fba58481bd43f4d8d0e8f6a4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUUZQMCA\header[1].js
| MD5 | 04c832663ef2c497c27975760b988a6e |
| SHA1 | 21475d2e59bfc306d5f9eb319e9c1405bb4f571d |
| SHA256 | f24f6fe2a459a9f1766028e1cef53182a3304240c2c2b7b475ac9d2e11813b18 |
| SHA512 | a0bed83e3d4880b0ff2321321d745c11f0e11f08a21090b6a3e0781f41ead7a2e5b4267e8e99ebed1783e294c1a7ac0b466d23841df7a673e6e97813fa1275b1 |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20240903-en
Max time kernel
149s
Max time network
138s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\WebInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\iwintoolbar.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\WebInstaller.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\WebInstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\AdminWorker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\iwintoolbar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\iWin Games\WebInstaller.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer\ = "iWinTrusted.CoiWinTrusted.1" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID\ = "iWinTrusted.CoiWinTrusted.1" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0 | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ = "C:\\Program Files (x86)\\iWin Games\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ = "IIEHlprObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\VersionIndependentProgID\ = "iWinSuppot.iWinSuppot" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iwin\shell\open\command | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iwin\shell\open\command\ = "\"C:\\Program Files (x86)\\iWin Games\\iWinGames.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID\ = "iWinSuppot.iWinSuppot.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iwin\URL Protocol | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ = "iWinSuppot Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0 | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\iWin Games\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1 | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{8CA5ED52-F3FB-4414-A105-2E3491156990}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Program Files (x86)\\iWin Games\\iWinTrusted.exe\" /server" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID\ = "{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ = "C:\\Program Files (x86)\\iWin Games\\iWinInfo.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ = "IiWinInformer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID\ = "iWinTrusted.CoiWinTrusted" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\ = "iWinSuppot Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
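The rows above record two things a triage analyst wants pulled out rather than read row by row: the CLSID {8CA5ED52-F3FB-4414-A105-2E3491156990} that regsvr32 lists under Browser Helper Objects resolves, via its InprocServer32 default value, to iWinGamesHookIE.dll (an Apartment-threaded in-process server with ProgID IEHlprObj.IEHlprObj.1), and the installer registers an `iwin:` URL protocol whose handler is `"iWinGames.exe" "%1"`, so any web page can hand that executable an argument. The script below is an added example, not part of the report or of the analysed installer: it parses a verbatim subset of the table rows (copied into `ROWS`), undoes the report's C-style quoting, correlates BHO CLSIDs with their CLSID subkeys, and lists URL protocol handlers and out-of-process (LocalServer32) COM servers. The row format assumed is the four-column pipe table used on this page; nothing else is assumed.

```python
"""Correlate COM/BHO registration rows from a sandbox report (added example)."""
import re

# Verbatim subset of the report's BHO and "Modifies registry class" rows.
ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ = "C:\\Program Files (x86)\\iWin Games\\iWinGamesHookIE.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ = "C:\\Program Files (x86)\\iWin Games\\iWinInfo.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Program Files (x86)\\iWin Games\\iWinTrusted.exe\" /server" | C:\Program Files (x86)\iWin Games\iWinTrusted.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iwin\shell\open\command | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iwin\URL Protocol | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iwin\shell\open\command\ = "\"C:\\Program Files (x86)\\iWin Games\\iWinGames.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe | N/A |
"""

CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(\w+))?$")
BHO_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})$")
URL_PROTO_RE = re.compile(r"\\Classes\\([^\\]+)\\URL Protocol$")
URL_CMD_RE = re.compile(r"\\Classes\\([^\\]+)\\shell\\open\\command$")


def parse_rows(table):
    """Split the report's pipe-delimited rows into description / indicator / process."""
    rows = []
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split(" | ")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        rows.append({"desc": cells[0], "indicator": cells[1], "process": cells[2]})
    return rows


def unquote(raw):
    # The report shows string values C-quoted: surrounding quotes, backslash-escaped
    # inner quotes and backslashes. Strip the quotes and drop the escape backslashes.
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def split_indicator(indicator):
    """Return (key, value_name, value); a bare key gives (key, None, None).
    A key's default value appears with an empty value_name."""
    key_full, sep, raw = indicator.partition(" = ")
    if not sep:
        return indicator, None, None
    key, _, name = key_full.rpartition("\\")
    return key, name, unquote(raw)


def triage(rows):
    clsid = {}     # CLSID -> {"InprocServer32": dll, "InprocServer32\ThreadingModel": ..., ...}
    bho = {}       # CLSID listed under Browser Helper Objects -> process that created the key
    schemes = {}   # URL scheme -> process that set "URL Protocol"
    commands = {}  # URL scheme -> shell\open\command default value
    for row in rows:
        key, name, value = split_indicator(row["indicator"])
        if (m := BHO_RE.search(key)):
            bho[m.group(1).upper()] = row["process"]
        elif (m := URL_PROTO_RE.search(key)):
            schemes[m.group(1).lower()] = row["process"]
        elif (m := URL_CMD_RE.search(key)) and name == "":
            commands[m.group(1).lower()] = value
        elif (m := CLSID_RE.search(key)) and value is not None:
            info = clsid.setdefault(m.group(1).upper(), {})
            sub = m.group(2) or ""
            info[f"{sub}\\{name}" if name else sub] = value
    findings = {"bho": {}, "url_handlers": {}, "local_servers": {}}
    for cid, proc in bho.items():
        info = clsid.get(cid, {})
        findings["bho"][cid] = {
            "dll": info.get("InprocServer32"),
            "threading": info.get("InprocServer32\\ThreadingModel"),
            "progid": info.get("ProgID"),
            "registered_by": proc,
        }
    for scheme, proc in schemes.items():
        findings["url_handlers"][scheme] = {"command": commands.get(scheme), "registered_by": proc}
    for cid, info in clsid.items():
        if "LocalServer32" in info:
            findings["local_servers"][cid] = info["LocalServer32"]
    return findings


if __name__ == "__main__":
    for section, items in triage(parse_rows(ROWS)).items():
        print(section)
        for k, v in items.items():
            print(f"  {k}: {v}")
```

CLSIDs are upper-cased before use as keys because the report mixes cases ({635ADC07-6F19-42a7-...}), and the `Key created`/`Key deleted` rows carry no value and are skipped, so the `VersionIndependentProgID` create/delete pairs above do not disturb the result. The CLSID {15ABA6D1-...} gets an InprocServer32 entry too (iWinInfo.dll) but is not a BHO, which is exactly the distinction the BHO key makes.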
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (binary value elided) | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = (binary value elided) | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (binary value elided) | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280 | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (binary value elided) | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (binary value elided) | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary value elided) | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
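"Modifies system certificate store" deserves a closer look before it is treated as a trust-store compromise. The Blob values above are CryptoAPI serialized certificate contexts: a sequence of records, each a little-endian u32 property id, a u32 that is always 1, a u32 length and the data. Property 32 (CERT_CERT_PROP_ID) is the DER certificate, 3 is its SHA1 hash (which is also the key name), 11 is the UTF-16LE friendly name ("Starfield Technologies" and "DigiCert" in the blobs shown), 9 is the enhanced-key-usage list. The DER embedded in the two full blobs carries the subject strings "ValiCert Class 2 Policy Validation Authority" and "DigiCert High Assurance EV Root CA", readable as ASCII in the hex, and the writes land in AuthRoot alongside the CryptnetUrlCache file and the crl.microsoft.com and www.microsoft.com connections recorded for this run, which is what Windows' automatic root update produces while building chains for the installer's TLS connections. An installer adding its own root would look different, and the check below makes that distinction quick. The script is an added example, not part of the report; it uses a constructed placeholder (`SAMPLE_DER`, a bare DER SEQUENCE, not a real certificate) so it runs offline, and `verify_blob()` accepts the hex from any Blob row above together with the thumbprint from the key name.

```python
"""Decode a CryptoAPI certificate Blob registry value (added example)."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32

# Constructed placeholder: DER SEQUENCE { INTEGER 5 }. Not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")


def parse_cert_blob(blob):
    """Walk the (id, 1, length, data) records; raise on a truncated or odd blob."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} for property {prop_id}")
        if off + length > len(blob):
            raise ValueError(f"property {prop_id} runs past end of blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def build_blob(props):
    """Inverse of parse_cert_blob; used here to construct sample data."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data
                    for pid, data in props.items())


def thumbprint(der):
    """Thumbprint as Windows names the registry key: SHA1 of the DER, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


def friendly_name(props):
    raw = props.get(CERT_FRIENDLY_NAME_PROP_ID)
    return raw.decode("utf-16-le").rstrip("\x00") if raw else None


def verify_blob(blob_hex, key_name):
    """Check that the key name and the stored SHA1 property both match the embedded cert."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return {"has_certificate": False, "properties": sorted(props)}
    tp = thumbprint(der)
    return {
        "has_certificate": True,
        "thumbprint": tp,
        "friendly_name": friendly_name(props),
        "thumbprint_matches_key": tp == key_name.upper(),
        "sha1_prop_matches_cert": props.get(CERT_SHA1_HASH_PROP_ID) == bytes.fromhex(tp),
        "properties": sorted(props),
    }


def make_sample_blob():
    """Constructed blob with friendly name, SHA1 property and the placeholder DER."""
    return build_blob({
        CERT_FRIENDLY_NAME_PROP_ID: "Example Root".encode("utf-16-le") + b"\x00\x00",
        CERT_SHA1_HASH_PROP_ID: hashlib.sha1(SAMPLE_DER).digest(),
        CERT_CERT_PROP_ID: SAMPLE_DER,
    })


if __name__ == "__main__":
    blob = make_sample_blob()
    print(verify_blob(blob.hex(), thumbprint(SAMPLE_DER)))
```

Once the DER is out of property 32 it can be written to a file and inspected with any X.509 tool; a thumbprint that does not match the key name, or a SHA1 property that disagrees with the certificate, means the value was not written by the normal store API and is worth a second look. Rows that carry only property updates (the shorter Blob writes with no property 32) are how Windows refreshes metadata such as property 0x19 on an existing entry, so `has_certificate` being False for them is expected.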
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\iwintoolbar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\iwintoolbar.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\iWin Games\iWinGames.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe"
C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe
"C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe"
C:\Program Files (x86)\iWin Games\AdminWorker.exe
"C:\Program Files (x86)\iWin Games\AdminWorker.exe" AddArcadeToFireWallExceptions
C:\Program Files (x86)\iWin Games\AdminWorker.exe
"C:\Program Files (x86)\iWin Games\AdminWorker.exe" restoreShortcutsPathes
C:\Program Files (x86)\iWin Games\iWinTrusted.exe
"C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
C:\Program Files (x86)\iWin Games\WebInstaller.exe
"C:\Program Files (x86)\iWin Games\WebInstaller.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\iWin Games\iWinInfo.dll"
C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\iwintoolbar.exe
iwintoolbar.exe
C:\Program Files (x86)\iWin Games\iWinGames.exe
"C:\Program Files (x86)\iWin Games\iWinGames.exe"
C:\Program Files (x86)\iWin Games\iWinTrusted.exe
"C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
C:\Program Files (x86)\iWin Games\WebInstaller.exe
"C:\Program Files (x86)\iWin Games\WebInstaller.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"
C:\Program Files (x86)\iWin Games\AdminWorker.exe
"C:\Program Files (x86)\iWin Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" "-install"
C:\Program Files (x86)\iWin Games\iWinTrusted.exe
"C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.iwin.com | udp |
| US | 34.206.121.130:80 | www.iwin.com | tcp |
| US | 34.206.121.130:443 | www.iwin.com | tcp |
| US | 8.8.8.8:53 | crt.rootg2.amazontrust.com | udp |
| FR | 3.164.163.90:80 | crt.rootg2.amazontrust.com | tcp |
| US | 8.8.8.8:53 | ocsp.r2m03.amazontrust.com | udp |
| FR | 18.245.196.26:80 | ocsp.r2m03.amazontrust.com | tcp |
| US | 8.8.8.8:53 | img.iwin.com | udp |
| FR | 13.32.145.87:80 | img.iwin.com | tcp |
| US | 8.8.8.8:53 | update.iwin.com | udp |
| US | 8.8.8.8:53 | gm.iwin.com | udp |
| US | 3.212.86.116:80 | gm.iwin.com | tcp |
| US | 3.212.86.116:80 | gm.iwin.com | tcp |
| US | 8.8.8.8:53 | gm.iwin.com | udp |
| US | 54.145.41.76:80 | gm.iwin.com | tcp |
| US | 3.212.86.116:80 | gm.iwin.com | tcp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| US | 8.8.8.8:53 | static.iwincdn.com | udp |
| FR | 13.32.145.79:80 | static.iwincdn.com | tcp |
| FR | 13.32.145.79:80 | static.iwincdn.com | tcp |
| DE | 157.240.253.1:80 | connect.facebook.net | tcp |
| GB | 216.58.204.72:80 | www.googletagmanager.com | tcp |
| DE | 157.240.253.1:443 | connect.facebook.net | tcp |
| US | 8.8.8.8:53 | download.iwincdn.com | udp |
| FR | 52.84.174.125:80 | download.iwincdn.com | tcp |
| US | 3.212.86.116:80 | gm.iwin.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| DE | 157.240.253.1:443 | connect.facebook.net | tcp |
| US | 8.8.8.8:53 | ws.iwin.com | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 35.175.34.235:80 | ws.iwin.com | tcp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 35.175.34.235:80 | ws.iwin.com | tcp |
| FR | 52.84.174.125:80 | download.iwincdn.com | tcp |
| FR | 52.84.174.125:80 | download.iwincdn.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.83:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:45
Platform
win10v2004-20241007-en
Max time kernel
101s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IwinToolbar.exe"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:45
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1852 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1852 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1852 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2456 -ip 2456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 612
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20240903-en
Max time kernel
147s
Max time network
145s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf} | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\ | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf} | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf}\ | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\GLBSINST.%$D | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\iWin\UNWISE.EXE | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| File created | C:\Program Files (x86)\iWin\~GLH0001.TMP | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\iWin\toolbar.cfg | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\iWin\iWinToolbarHelper.exe | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| File created | C:\Program Files (x86)\iWin\~GLH0003.TMP | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| File created | C:\Program Files (x86)\Conduit\Community Alerts\~GLH0004.TMP | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| File created | C:\Program Files (x86)\iWin\INSTALL.LOG | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| File created | C:\Program Files (x86)\iWin\~GLH0000.TMP | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| File created | C:\Program Files (x86)\iWin\~GLH0002.TMP | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\iWin\tbiWin.dll | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\iWin\INSTALL.LOG | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = b0dad21a306bdb01 | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\DisplayName = "iWin Customized Web Search" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 504d8f2d306bdb01 | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{ce0c2586-da36-452b-acdb-320d9bcb19bf} | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\URL = "http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1678857" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042ae0f9229ffb745817ac616c09cbfe9000000000200000000001066000000010000200000003d5c7b6bc64c4a663395d65b770825afe9b5d5d04791e5b392eb9459fe7a67be000000000e8000000002000020000000a398cf8f9731a74fe784209a1cc73ce6d729e77bf42eefd9cba3d9745e87eea920000000f617f4aab5a6bd4c6cf17588ed0f49fd46d7de520014793151c6c5308b83905d4000000045e9e342e1de965d6e28f72d44692b26951a661875dcbe6782ef703364006bb33dfe79990ec5031ec8e80e1bed7b7e4712bbf0486ea7d07922c266bccc309810 | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443535093" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\{ce0c2586-da36-452b-acdb-320d9bcb19bf} | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001001600000001000000000700005e01000006000000010100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000086250cce36da2b45acdb320d9bcb19bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "22" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{afdbddaa-5d3f-42ee-b79c-185a7020515b}" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF} = 86250cce36da2b45acdb320d9bcb19bf | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\DisplayName = "iWin Customized Web Search" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042ae0f9229ffb745817ac616c09cbfe90000000002000000000010660000000100002000000011df7275f6f03db7491f281376726e3d3c8ac4095c9bbc291fd8814d4740e45d000000000e8000000002000020000000366a41e0f07c07be5bf236416e9f222b8749f07802b3cfd130fdbbf10f4783ca90000000e7b7b4c3795484b9adc863925f62b175652f8aaf2f159e1066092ff4670e071084195f46d1690a0f22809c37b736c11d5e38c24ee5af04524d1e7ef2b4757e76b4c101a88078d866e64221b46167e3bb9c2d8702d53ffcf11cfb10cb18f0b487db793d203baebf0b80a3e8fdc44662dae0d5a79a27c8fa742a8572b6428b7d9f0f0a8e630510c70e19827a2ddf44941b4000000003c77cbeab82967c515d1af29677b5388dda42df29b9c53de4ab4a366bf49350543231b882461d3116ca8a2cad3ab77e44965ff1924eb26b931a238dd6a39ce3 | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{afdbddaa-5d3f-42ee-b79c-185a7020515b}" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Use Search Asst = "no" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\URLSearchHooks | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\URL = "http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1678857" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.conduit.com?SearchSource=10&ctid=CT1678857" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\ = "Conduit Community Alerts" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32\ = "C:\\Program Files (x86)\\Conduit\\Community Alerts\\Alert.dll" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\ = "iWin Toolbar" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\InprocServer32\ = "C:\\Program Files (x86)\\iWin\\tbiWin.dll" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF} | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| N/A | N/A | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe"
C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp
C:\Users\Admin\AppData\Local\Temp\GLBC60D.tmp 4736 C:\Users\Admin\AppData\Local\Temp\$PLUGI~1\IWINTO~2.EXE
C:\PROGRA~1\INTERN~1\iexplore.exe
"C:\PROGRA~1\INTERN~1\iexplore.exe" http://iWin.OurToolbar.com/SetupFinish
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2468 CREDAT:275457 /prefetch:2
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:45
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf}\ | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf} | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce0c2586-da36-452b-acdb-320d9bcb19bf} | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\GLBSINST.%$D | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\iWin\iWinToolbarHelper.exe | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| File created | C:\Program Files (x86)\iWin\~GLH0003.TMP | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\iWin\tbiWin.dll | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| File created | C:\Program Files (x86)\Conduit\Community Alerts\~GLH0004.TMP | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| File created | C:\Program Files (x86)\iWin\INSTALL.LOG | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\iWin\UNWISE.EXE | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| File created | C:\Program Files (x86)\iWin\~GLH0001.TMP | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\iWin\toolbar.cfg | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| File created | C:\Program Files (x86)\iWin\~GLH0002.TMP | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\iWin\INSTALL.LOG | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| File created | C:\Program Files (x86)\iWin\~GLH0000.TMP | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4095c893306bdb01 | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20edd693306bdb01 | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{ce0c2586-da36-452b-acdb-320d9bcb19bf} | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000426fa9e63677ad42a837377ae3de38f5000000000200000000001066000000010000200000001e5fad5f513ca864ff00210985ff6319797eabf5d99cd96537fb99bba47a474b000000000e800000000200002000000095d4efdecbd11035b478cff8cc9bbbdc8ea284aabbde2d3ec8b225c1b265d7f42000000032d312c6063f905973fb6858fea1f7af0cec43bfec6b99d3db7c5e6a41fc45c74000000022d103dead7d4cd3195f2dcdfdce557af9ba7353235cef0f2218c2c27d21a65274813e51ae97509168c6d7bdab521dfb95efd4df0dc843a69237c9ff6939e54e | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\DisplayName = "iWin Customized Web Search" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{afdbddaa-5d3f-42ee-b79c-185a7020515b}" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001001600000001000000000700005e01000006000000010100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000086250cce36da2b45acdb320d9bcb19bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 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 | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\URLSearchHooks | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{ce0c2586-da36-452b-acdb-320d9bcb19bf} = "iWin Toolbar" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{afdbddaa-5d3f-42ee-b79c-185a7020515b}" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = d8a2561ed318db01 | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "22" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2451748728" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ShowSearchSuggestions = "1" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31157040" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF} = 86250cce36da2b45acdb320d9bcb19bf | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000426fa9e63677ad42a837377ae3de38f50000000002000000000010660000000100002000000047a4837cc97ee3a09472e26631e2aaaffa0ec25b70ed60953b4bdcde1aad18fe000000000e8000000002000020000000c96865d19e57cdd9b6b58b74213988fa67aaae686e6af05740095aef8a9c9fc510000000318ac68816288f479dd88ae18f4fb51a400000005521f8569420172b9f94ad7fd6f3e1e810a0c03ee7cd0deec1a751a2ffc294657483afbc271d48a762c6a5c639b3a9bc94d6061d87c0dcaf245b78fac0626286 | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "no" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\URLSearchHooks\{ce0c2586-da36-452b-acdb-320d9bcb19bf} | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BCD1E567-D723-11EF-AF2A-D2BD7E71DA05} = "0" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.conduit.com?SearchSource=10&ctid=CT1678857" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF} | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\ = "Conduit Community Alerts" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\ = "iWin Toolbar" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE0C2586-DA36-452B-ACDB-320D9BCB19BF}\InprocServer32\ = "C:\\Program Files (x86)\\iWin\\tbiWin.dll" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32\ = "C:\\Program Files (x86)\\Conduit\\Community Alerts\\Alert.dll䜀" | C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| N/A | N/A | C:\PROGRA~1\INTERN~1\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\iwintoolbarinst.exe"
C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp
C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp 4736 C:\Users\Admin\AppData\Local\Temp\$PLUGI~1\IWINTO~2.EXE
C:\PROGRA~1\INTERN~1\iexplore.exe
"C:\PROGRA~1\INTERN~1\iexplore.exe" http://iWin.OurToolbar.com/SetupFinish
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:384 CREDAT:17410 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=80240
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=80240
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95a2a46f8,0x7ff95a2a4708,0x7ff95a2a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16295645270528732014,8450069065203313113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,16295645270528732014,8450069065203313113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,16295645270528732014,8450069065203313113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | search.conduit.com | udp |
| US | 8.8.8.8:53 | iwin.ourtoolbar.com | udp |
| DE | 18.185.24.46:80 | iwin.ourtoolbar.com | tcp |
| DE | 18.185.24.46:80 | iwin.ourtoolbar.com | tcp |
| US | 8.8.8.8:53 | www.ourtoolbar.com | udp |
| US | 3.5.0.25:80 | www.ourtoolbar.com | tcp |
| US | 3.5.0.25:80 | www.ourtoolbar.com | tcp |
| US | 8.8.8.8:53 | users.conduit.com | udp |
| IL | 199.101.115.202:80 | users.conduit.com | tcp |
| IL | 199.101.115.202:80 | users.conduit.com | tcp |
| US | 8.8.8.8:53 | 46.24.185.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.0.5.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | 167.57.26.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | usage.users.conduit.com | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 204.79.197.239:443 | edge.microsoft.com | tcp |
| US | 204.79.197.239:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 66.77.197.165:80 | usage.users.conduit.com | tcp |
| US | 66.77.197.165:80 | usage.users.conduit.com | tcp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 239.197.79.204.in-addr.arpa | udp |
| IL | 199.101.115.202:80 | users.conduit.com | tcp |
| IL | 199.101.115.202:80 | users.conduit.com | tcp |
| IL | 199.101.115.202:80 | users.conduit.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| IL | 199.101.115.202:80 | users.conduit.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 66.77.197.165:80 | usage.users.conduit.com | tcp |
| US | 66.77.197.165:80 | usage.users.conduit.com | tcp |
| IL | 199.101.115.202:80 | users.conduit.com | tcp |
| IL | 199.101.115.202:80 | users.conduit.com | tcp |
| IL | 199.101.115.202:80 | users.conduit.com | tcp |
| IL | 199.101.115.202:80 | users.conduit.com | tcp |
| IL | 199.101.115.202:80 | users.conduit.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| IL | 199.101.115.202:80 | users.conduit.com | tcp |
| IL | 199.101.115.202:80 | users.conduit.com | tcp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| IL | 199.101.115.202:80 | users.conduit.com | tcp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\GLBBDE1.tmp
| MD5 | 129809893b55085066d87b46f26c995a |
| SHA1 | 929a1826a14df6b51afa30827e6e0be812750524 |
| SHA256 | bf24083f39506d92458d4d1c3d3edf0f6fd76bc2e88f17b99d64d5f9e3da8c37 |
| SHA512 | 69175e301e84cd57d19dc14386e0064372e4f62e46afe0b62cf6dfb7706d9e93fcc161b043ea6e83fc288e48f3761ad2dc8a4db21d64ea0a4d227dae4a2384a1 |
C:\Users\Admin\AppData\Local\Temp\GLCBEDB.tmp
| MD5 | 8c97d8bb1470c6498e47b12c5a03ce39 |
| SHA1 | 15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7 |
| SHA256 | a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a |
| SHA512 | 7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f |
C:\PROGRA~2\iWin\UNWISE.EXE
| MD5 | 973567b98cdfc147df4e60471d9df072 |
| SHA1 | 3c4735750c99c63e6861170a8c459a608594211e |
| SHA256 | 69b9dd6160524e0eb44905224f5b1747dfce43243c00c11c87f5c2ec55102876 |
| SHA512 | e891e3a413691eddd895a31293117aec8d151ecf18f84d3aa73bc1c4eb95582df1dfe04d51b7011eb55b5e754e2240de4c6269f9547f3cab3519985da1e07294 |
C:\PROGRA~2\iWin\toolbar.cfg
| MD5 | db5e44981103b391040809f6e80886f5 |
| SHA1 | 599d026c862449e4be99efaf0d7184558ed52157 |
| SHA256 | 469fa324e20c314515f4b036bce0e4ad7eb2a5efb69d0cd30b2434a8a742a5c9 |
| SHA512 | e758bd98a29f7800425a96ab64bc1959b92f4144937bfa49b47e5382ee2324adbd8e2ae7e91ac53e2827afe3dad6f6e06b33a3eb907b7f706cf95a877dd78a8b |
C:\PROGRA~2\iWin\IWINTO~1.EXE
| MD5 | 75568ac665c46fcbcb1516b0ee4c88f8 |
| SHA1 | 347174b695105f1d64321dafc3497bf1ad4cd4e6 |
| SHA256 | 693bd052006f539de10122c189642d9d2ee959d622f48c583852ce86b689f370 |
| SHA512 | ca77f8eeebc1feed53c93ad6502dd8934d0b15b570baa6df9a2eb0d7797d7416f5a3666b2be8eddae4e8c0af210ce5f57701d22dd93085bcce998831160ad1b6 |
C:\Program Files (x86)\iWin\tbiWin.dll
| MD5 | 23ae0fe0e1c5e8e9e4bfc64563db9027 |
| SHA1 | 7b15b45aea509952495f03be35706d1169968fd8 |
| SHA256 | 10a757922df3e3fc104538ae76fa388c3696a63f220e2c72458b85ac4a16e135 |
| SHA512 | 2f32eb91285cdfda24844926d07e66c73c6fa07037bf9b27c2fdb0bf93c2b37403a89d59210e4b03f86c022de324f00d29c631afc08d7477203bedaf1db8264c |
memory/1648-37-0x00000000042C0000-0x0000000004475000-memory.dmp
C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll
| MD5 | 73f03e72aee5a85545befa0dc7a90f82 |
| SHA1 | 60fac1a13b251193c01a1e17137d27edff6e7c15 |
| SHA256 | 3cfcdbf44c3332c3b47b48de28c721da09f910977c771f30216551ce5982d5fd |
| SHA512 | dd489d7b57fca25707b8577d86958414ad343e8937a92624c03c0f51a920d749fddae146274da5f698cd00ae74abe56b15f71be54d353dfbbb4151fd9130fc1f |
memory/1648-48-0x00000000042C0000-0x0000000004337000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 37f660dd4b6ddf23bc37f5c823d1c33a |
| SHA1 | 1c35538aa307a3e09d15519df6ace99674ae428b |
| SHA256 | 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8 |
| SHA512 | 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d |
memory/384-115-0x00007FF96A320000-0x00007FF96A38E000-memory.dmp
\??\pipe\LOCAL\crashpad_2740_IXNKKXLKGZCKEYYR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a02f12e01162ce60af36c1f6981ca006 |
| SHA1 | 367210dddb0f51377e0fd51be5ee055bd1f5d243 |
| SHA256 | ceffed2ab7690e5e4cfe68c234c9d66ce6d35b156161197f998966258b75261d |
| SHA512 | 89b5f2aacd4b81cdea5833876d7fbaca0d7ea059af68f67bec99c60d51bf9a6ff5fc36598f92e25d037a785f1a4ce6406f8c393a6156a22f00e80e74eb350abd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
| MD5 | a8b8e97f35e913d8380de208cbae2610 |
| SHA1 | 1ad6c0148e1a302dee28f8171835bc2e9ac81f09 |
| SHA256 | 11851918cc117f9802eb386e3f018460eb49861af54c5797287bca248675bc92 |
| SHA512 | cb995c892dc668e7b8427f99e3a054218a834fd030eec1660b96a5b12c5518b1dfd8370eea5e7bf09a9dd93caf3b6fc23f6c07269071cab13ba121710f6e5f9b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
| MD5 | c3dc3c9841c098445f32117c0513ba06 |
| SHA1 | 1d6b9ee29a87d7392ab26d886809c0cd7a4eb5d0 |
| SHA256 | b505abf9699df707538aa40d0a8370dfa7845ce8ea75e3262d1dafe900bf8a27 |
| SHA512 | e8bac5368227d41162a6a85992f1754b66c44de682f2eb475d4d93ef73401c5e82dc132f97c9e6f4821c05a2e750c49edc9bc40ac1d0a6bd7e9477befcfc45b1 |
memory/384-168-0x00007FF96A320000-0x00007FF96A38E000-memory.dmp
memory/384-172-0x00007FF96A320000-0x00007FF96A38E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EFY08QA2\v1[1].xml
| MD5 | 25a40f949855471562a1a9e465cfed7c |
| SHA1 | c3a563c56fb8323e6c2ee7fa417c45d8384a4156 |
| SHA256 | 075f1f4ec57dcfdbb2f1b60ffbf9efe0286216c43d0a65f82eae86af66b36127 |
| SHA512 | e5b4ed8df62488e7bb9ccb77f1daac251f65cd3251257ab94094df1316fa50a96901b32e7e76e47a4616d763ae54d7134f5d29f030ee7d2399bbe728498fedd4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4f9ec74dee46efcc286cd025df6e04ed |
| SHA1 | 889930b72862f5d94f08a26c06696d5da1f1e81b |
| SHA256 | f97bf6fbb9eb5a213d10df10862a57d83547ee1d9fb923a237eea9c765fa36ab |
| SHA512 | c268ba261fd3bf11558eee7d6357efc279947ac5c093e3af3eda0d5427438d6e6ce50a5083f724899f759f193a30b6143b34744ac2f2d61c2ddfb398a4e25b1c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b2826e2857fe1e404bae12c545c0dd98 |
| SHA1 | 1c1348f495510e56f5429880774eedcd7331a36d |
| SHA256 | e08a043a87a49b52382cb7e105d11bedb31e3135a0f5a1135b0190f1f360a797 |
| SHA512 | cbd22930370bb7ac0228a16b6d80a1a942dce6d51a68f2d0f48683965835ca29f09d790abb87ba9b4f9b94af2eb2589f078d1cc6c1c4862d6c9ec7d73cba5ce2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 648d1c41ae7ea5b21bfbe9f639cecfef |
| SHA1 | ec61d7bc8108177d37a1e35b5a022da175900b4a |
| SHA256 | a50dd3950bbdf8592b3e56b71c3e1b426443fac5323f9b3d77eb750f707bc1ef |
| SHA512 | 139ac4b1e43eb1835c5045a1fad6bd30465073e5f3e24845ecaf58d327151ec5aaa5f70b8994ba9dc512a4e28a712a9b11603340283a2be5f283ec002078111b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | dba378d67b0b1309c2118ce68be6895f |
| SHA1 | 2afcbe6be074a946042638cb086938cd2394bae8 |
| SHA256 | d12f835f28ebab55c598f2ff3526a239ec2a5bb37664a07c3b4d3567ba2b8e66 |
| SHA512 | c347bc9a6988fdb6b45bb8e1715669ba905b313c896168795a4855e3f2d12a26c95a38d268927e797728fc309e6c43e24f91514e552cbd618f70d75aa047a054 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 0ada2095c461df5a751955aa41dd491e |
| SHA1 | 8366c54b31e1ddc8016aa22aab8c83f73c690810 |
| SHA256 | 80cd542688ed3a45669b53243c3f4922d6eb21a34d8dfeebc6c101484d3bac09 |
| SHA512 | 135991affe343d4358bb15a693effa7a6813d6715e555729d2aa04a98555e13fded55d3100a41a92a5beb57c68fbdacb199a3e66407944e37880b28d42d79e7c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G94T3PNL\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
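The "Files" listings above mix three kinds of entry: on-disk files with hash rows, `memory/<pid>-<n>-<range>-memory.dmp` regions with no hashes, and named pipes under `\??\pipe\`. Not every hash is a usable indicator: the `d41d8cd9…`/`e3b0c442…` pair on the Crashpad pipe is the MD5/SHA-256 of zero-length input, and a path that appears several times (Edge's `Preferences`) is the same file hashed after successive rewrites. The script below is an added example for this page, not the sandbox's own code; it parses that layout, attaches hash rows to the preceding path, and separates indicator-grade entries from noise. The sample text is a constructed excerpt copying a few of the report's own entries.

```python
"""Parse a sandbox 'Files' listing and sort indicator-grade entries from noise.

Added example, not the sandbox's own tooling. SAMPLE is a constructed excerpt
in the report's layout: a path line, then '| MD5 | ... |' rows for that path;
memory-dump lines carry no hash rows.
"""
import hashlib
import re
from collections import defaultdict

# Hashes of zero-length input. An entry carrying these was empty when the
# sandbox hashed it (a named pipe here) and is useless as an IOC.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEMDUMP = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 37f660dd4b6ddf23bc37f5c823d1c33a |
| SHA256 | 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8 |
memory/384-115-0x00007FF96A320000-0x00007FF96A38E000-memory.dmp
\??\pipe\LOCAL\crashpad_2740_IXNKKXLKGZCKEYYR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a02f12e01162ce60af36c1f6981ca006 |
| SHA256 | ceffed2ab7690e5e4cfe68c234c9d66ce6d35b156161197f998966258b75261d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b2826e2857fe1e404bae12c545c0dd98 |
| SHA256 | e08a043a87a49b52382cb7e105d11bedb31e3135a0f5a1135b0190f1f360a797 |
"""


def parse_files(text):
    """Return entries in report order: {'path', 'kind', 'hashes'}.

    A hash row always belongs to the most recent path line; a memory-dump
    or pipe line starts a new entry of its own kind.
    """
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = HASH_ROW.match(line)
        if m:
            if not entries:
                raise ValueError("hash row before any path line")
            entries[-1]["hashes"][m.group(1)] = m.group(2).lower()
            continue
        if MEMDUMP.match(line):
            kind = "memory"
        elif line.startswith("\\??\\pipe\\"):
            kind = "pipe"
        else:
            kind = "file"
        entries.append({"path": line, "kind": kind, "hashes": {}})
    return entries


def triage_files(entries):
    """Split entries into (usable, noise, versions).

    usable:   file entries with a non-empty hash (indicator candidates)
    noise:    (path, reason) pairs an analyst should not pivot on
    versions: path -> list of SHA256 values, so a file rewritten several
              times during the run shows up as one artifact with N versions
    """
    usable, noise = [], []
    versions = defaultdict(list)
    for e in entries:
        h = e["hashes"]
        if e["kind"] == "memory":
            noise.append((e["path"], "memory dump region, no hash"))
        elif h.get("MD5") == EMPTY_MD5 or h.get("SHA256") == EMPTY_SHA256:
            noise.append((e["path"], "hash of empty content"))
        elif e["kind"] == "pipe":
            noise.append((e["path"], "named pipe, not a file on disk"))
        else:
            usable.append(e)
            versions[e["path"]].append(h.get("SHA256"))
    return usable, noise, dict(versions)


if __name__ == "__main__":
    usable, noise, versions = triage_files(parse_files(SAMPLE))
    for e in usable:
        print("IOC ", e["hashes"].get("SHA256"), e["path"])
    for path, why in noise:
        print("skip", why, "::", path)
    for path, shas in versions.items():
        if len(shas) > 1:
            print(f"{len(shas)} versions of {path}")
```

Feed the whole "Files" block of one analysis to `parse_files` and the `versions` map tells you which artifacts were rewritten during the run; only the `usable` list is worth exporting to a blocklist.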
Analysis: behavioral20
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:45
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.158.40.23.in-addr.arpa | udp |
Files
memory/3692-0-0x0000000000400000-0x0000000000934000-memory.dmp
memory/3692-1-0x00000000001E0000-0x00000000001E2000-memory.dmp
memory/3692-2-0x0000000000400000-0x0000000000934000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20241023-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\iwinarcade.js
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:45
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
145s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3424 wrote to memory of 4396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3424 wrote to memory of 4396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3424 wrote to memory of 4396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:45
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\iWinArcadeIECleanup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinArcadeAutocleanup.bat" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" DelArcadeFromFireWallExceptions
C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" convertShortcutsToLinks
C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
"C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -remove
C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe" -uninstall
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
"C:\Users\Admin\AppData\Local\Temp\iWinGames.exe" /trackArcadeUninstall_reason_0
C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" uninstallDesktopAlerts
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ws.iwin.com | udp |
| US | 35.175.34.235:80 | ws.iwin.com | tcp |
| US | 35.175.34.235:80 | ws.iwin.com | tcp |
| US | 8.8.8.8:53 | 235.34.175.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
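Nearly every row in these "Network" tables is a UDP/53 query for an `a.b.c.d.in-addr.arpa` name. Those are PTR (reverse DNS) lookups that the analysis host issues for addresses it has already talked to, OS and browser telemetry included, and they say nothing about the sample by themselves. In the table above the only traffic attributable to the uninstaller is the forward lookup of `ws.iwin.com` and the two TCP connections to `35.175.34.235:80`; the PTR row for `235.34.175.35.in-addr.arpa` is the sandbox resolving that same address back. The script below is an added example for this page, not the sandbox's own code: it parses rows in this layout, reverses the PTR name into the address it names, and reports which PTR queries actually correspond to a connection the sample made. The rows are a constructed excerpt copying entries from the table above.

```python
"""Separate a sandbox 'Network' table into contacts, forward lookups and
reverse-DNS background noise.

Added example, not the sandbox's own tooling. SAMPLE is a constructed excerpt
in the report's layout: '| Country | Destination | Domain | Proto |'.
"""
import ipaddress
import re

PTR = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")

SAMPLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ws.iwin.com | udp |
| US | 35.175.34.235:80 | ws.iwin.com | tcp |
| US | 35.175.34.235:80 | ws.iwin.com | tcp |
| US | 8.8.8.8:53 | 235.34.175.35.in-addr.arpa | udp |
"""


def parse_rows(text):
    """Return one dict per data row; the header row is skipped."""
    rows = []
    for raw in text.strip().splitlines():
        cells = [c.strip() for c in raw.strip().strip("|").split("|")]
        if cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'235.34.175.35.in-addr.arpa' -> '35.175.34.235'.

    A PTR name lists the octets in reverse order; anything that is not an
    IPv4 reverse name returns None.
    """
    m = PTR.match(name)
    if not m:
        return None
    return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))


def triage_network(rows):
    """Return (contacts, lookups, ptr_noise).

    contacts:  {(ip, port, proto): {domains}} for non-DNS traffic, deduplicated
    lookups:   forward DNS names the sample asked for
    ptr_noise: {resolved_ip: True if that IP is also a contact, else False}
               so you can see which PTR rows merely echo a real connection
    """
    contacts, lookups, ptr_noise = {}, set(), {}
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            ip = ptr_to_ip(r["domain"])
            if ip is None:
                lookups.add(r["domain"])
            else:
                ptr_noise[ip] = False
        else:
            key = (r["ip"], r["port"], r["proto"])
            contacts.setdefault(key, set()).add(r["domain"])
    contact_ips = {ip for ip, _, _ in contacts}
    for ip in ptr_noise:
        ptr_noise[ip] = ip in contact_ips
    return contacts, lookups, ptr_noise


if __name__ == "__main__":
    contacts, lookups, ptr_noise = triage_network(parse_rows(SAMPLE))
    for (ip, port, proto), domains in contacts.items():
        print(f"contact {proto} {ip}:{port} {sorted(domains)}")
    print("forward lookups:", sorted(lookups))
    for ip, echoed in ptr_noise.items():
        print(f"PTR {ip}: {'echo of a contact' if echoed else 'background noise'}")
```

Only the `contacts` and `lookups` sets belong in an indicator list; the PTR rows whose address does not match any contact (here `40.119.249.228`) were resolved for traffic that the report does not attribute to the sample at all.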
Files
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | f7eb4bc689e6cf7d36040dbe0d9331e5 |
| SHA1 | 19bca2dd29fb9f54822bd2cacb68bf85063cf92a |
| SHA256 | c8f0bd7f368607af6abaeaacc7b37a43ea0c807bf2bbc8e9d5a73cfe06c72fe7 |
| SHA512 | 062c699df55ed81e1f0f77452bf7816fff9ebfb95885cb3ee132cf17d727c258b9a3c9d8983f8370227996e25f42d526f821950465df35bcda4ce0f8d6f6d023 |
memory/3956-7-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3956-8-0x0000000000570000-0x0000000000572000-memory.dmp
memory/3956-9-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4900-10-0x00000000005A0000-0x00000000005A2000-memory.dmp
memory/4900-11-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3932-12-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3932-14-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3980-15-0x0000000000400000-0x0000000000FCD000-memory.dmp
memory/3980-22-0x0000000000400000-0x0000000000FCD000-memory.dmp
memory/4876-24-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iWinGames\Downloads\cache.dat
| MD5 | 05da8f0281ad5626c84a5549650d1bf3 |
| SHA1 | 9e742af52e9e439f63dc7788b472c73000a1da4f |
| SHA256 | 0f8e730f1b5a750f5f42698e020b25a8291b9c7336310d0999ef0d1660434016 |
| SHA512 | 7b2d26f5ff4ce2d5b880fa9027e71bfeb576086f43c85a2885515969e18ee2fe8b8602115fbd55827e2c328f5b8102f9e3f7779694bfdd09430793e67eee2ea3 |
C:\Users\Admin\AppData\Local\Temp\iWinGames\iWinGames.log
| MD5 | 559051f7e1657074cfff4e63fb9087c5 |
| SHA1 | a66f00c2b1ed6ce7fe91c881815f2eb336098769 |
| SHA256 | 193ef850bbe75ade2aca30633f0f353e5f3b309e48049b244deb71fb069d814b |
| SHA512 | eee555aca6c5a48d605432b7a33b93008021df35320f8e68413964890d16259751cac1affd6721db7d09eed4613ddb5974222f80b69ec4247781b9ff1179c6dc |
Analysis: behavioral19
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20240903-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\WebUpdater.exe"
Network
Files
memory/2788-0-0x0000000000400000-0x0000000000934000-memory.dmp
memory/2788-1-0x0000000000020000-0x0000000000022000-memory.dmp
memory/2788-2-0x0000000000400000-0x0000000000934000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:47
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\firefox\iWinArcadeLauncher.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\firefox\iWinArcadeLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\firefox\iWinArcadeLauncher.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.158.40.23.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20240903-en
Max time kernel
14s
Max time network
19s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ = "IiWinInformer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinInfo.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\ = "iWinSuppot Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ = "iWinSuppot Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID\ = "iWinSuppot.iWinSuppot.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\ = "iWinSuppot Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\ = "iWinInfo Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\ = "{511FEB59-57D5-4B0C-AE92-ABBA854413AF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\VersionIndependentProgID\ = "iWinSuppot.iWinSuppot" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\ = "{511FEB59-57D5-4B0C-AE92-ABBA854413AF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\CurVer\ = "iWinSuppot.iWinSuppot.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID\ = "{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinInfo.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ = "IiWinInformer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
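The "Modifies registry class" rows above are the output of `regsvr32 /s iWinInfo.dll` calling the DLL's `DllRegisterServer`: one CLSID under `Wow6432Node\CLSID` (a 32-bit server), its `InprocServer32` path, `ThreadingModel`, ProgID and version-independent ProgID, a type library and an interface entry. Read together they say that any process instantiating `iWinSuppot.iWinSuppot.1` (or CLSID `{15ABA6D1-…}`) will load `C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll`, a DLL sitting in a user-writable directory. The script below is an added example for this page, not the sandbox's or the vendor's code; it rebuilds that COM registration from rows in the report's layout and flags in-process servers registered from user-writable locations. The rows are a constructed subset of the table above; the list of paths treated as user-writable is an assumption of the example. The "PID … wrote to memory of …" rows from `C:\Windows\system32\regsvr32.exe` into `C:\Windows\SysWOW64\regsvr32.exe` that follow are the 64-bit regsvr32 handing a 32-bit DLL to its 32-bit counterpart with the same arguments, which is standard WOW64 behaviour rather than injection by the sample.

```python
"""Rebuild a COM registration from sandbox 'Modifies registry class' rows.

Added example, not the sandbox's own tooling. SAMPLE is a constructed subset
of the report's rows; the report escapes backslashes inside quoted data
('C:\\\\Users...'), which parse_events undoes.
"""
import re

# Indicator cell of a 'Set value' row: <key>\<value name> = "<data>".
# The value name may be empty, meaning the key's (Default) value.
VALUE = re.compile(r'^(.*)\\([^\\]*) = "(.*)"$')

CLSID_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(Wow6432Node\\)?CLSID\\"
    r"(\{[0-9A-Fa-f-]+\})(?:\\(.+))?$", re.I)

# Assumption of this example: path fragments an unprivileged user can write
# to. A COM server registered from here can be swapped without admin rights.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

SAMPLE = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ = "iWinSuppot Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinInfo.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID\ = "iWinSuppot.iWinSuppot.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ = "IiWinInformer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinInfo.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
"""


def parse_events(text):
    """Return {(key_path, value_name): data} for every 'Set value' row."""
    values = {}
    for raw in text.strip().splitlines():
        cells = [c.strip() for c in raw.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].startswith("Set value"):
            continue
        m = VALUE.match(cells[1])
        if not m:
            continue
        key, name, data = m.groups()
        values[(key, name)] = data.replace("\\\\", "\\")
    return values


def com_classes(values):
    """Group CLSID values into {clsid: {name, inproc, threading, progid, wow64}}."""
    classes = {}
    for (key, name), data in values.items():
        m = CLSID_KEY.match(key)
        if not m:
            continue
        wow, clsid, sub = m.groups()
        c = classes.setdefault(clsid.upper(), {"wow64": bool(wow)})
        sub = (sub or "").lower()
        if sub == "" and name == "":
            c["name"] = data
        elif sub == "inprocserver32" and name == "":
            c["inproc"] = data
        elif sub == "inprocserver32" and name.lower() == "threadingmodel":
            c["threading"] = data
        elif sub == "progid" and name == "":
            c["progid"] = data
    return classes


def suspicious_servers(classes):
    """(clsid, path) for every in-process server that lives in a user-writable place."""
    out = []
    for clsid, c in classes.items():
        path = c.get("inproc", "")
        if any(marker in path.lower() for marker in USER_WRITABLE):
            out.append((clsid, path))
    return out


if __name__ == "__main__":
    classes = com_classes(parse_events(SAMPLE))
    for clsid, c in classes.items():
        bits = "32-bit (Wow6432Node)" if c["wow64"] else "64-bit"
        print(clsid, bits, c.get("progid"), "->", c.get("inproc"), c.get("threading"))
    for clsid, path in suspicious_servers(classes):
        print("user-writable COM server:", clsid, path)
```

On a live host the same check is a walk over `HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\*\InprocServer32` looking for default values under `%LOCALAPPDATA%\Temp`; note that the page's later `regsvr32 /s /u` runs (the uninstaller) remove this registration again, so the key is only present between install and uninstall.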
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2236 wrote to memory of 2748 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2236 wrote to memory of 2748 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2236 wrote to memory of 2748 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2236 wrote to memory of 2748 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2236 wrote to memory of 2748 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2236 wrote to memory of 2748 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2236 wrote to memory of 2748 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:48
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
142s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\CLSID\ = "{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ = "IiWinInformer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ = "IiWinInformer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\CurVer\ = "iWinSuppot.iWinSuppot.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ = "iWinSuppot Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\ = "iWinInfo Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinInfo.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\ = "{511FEB59-57D5-4B0C-AE92-ABBA854413AF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinInfo.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\ProgID\ = "iWinSuppot.iWinSuppot.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\VersionIndependentProgID\ = "iWinSuppot.iWinSuppot" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot.1\ = "iWinSuppot Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinSuppot.iWinSuppot\ = "iWinSuppot Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{511FEB59-57D5-4B0C-AE92-ABBA854413AF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\TypeLib\ = "{511FEB59-57D5-4B0C-AE92-ABBA854413AF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15ABA6D1-9386-45a2-BE26-3289E9FF0A2B}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28201F8B-C56C-4260-A99D-73A42093CDE6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 624 wrote to memory of 4220 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.89.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20240903-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\firefox\iWinArcadeLauncher.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\firefox\iWinArcadeLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\firefox\iWinArcadeLauncher.exe"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:45
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
138s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstGameInfoHelper.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.iwin.com | udp |
| US | 34.201.88.230:80 | www.iwin.com | tcp |
| US | 34.201.88.230:443 | www.iwin.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.88.201.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ocsp.r2m03.amazontrust.com | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.193.84.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.158.40.23.in-addr.arpa | udp |
| FR | 18.245.196.26:80 | ocsp.r2m03.amazontrust.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.196.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | img.iwin.com | udp |
| FR | 13.32.145.87:80 | img.iwin.com | tcp |
| US | 8.8.8.8:53 | 87.145.32.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2025-01-20 11:40
Reported
2025-01-20 11:42
Platform
win7-20240903-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\iWinArcadeIECleanup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iWinArcadeAutocleanup.bat" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iWinGames.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" DelArcadeFromFireWallExceptions
C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" convertShortcutsToLinks
C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
"C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -remove
C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe" -uninstall
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
"C:\Users\Admin\AppData\Local\Temp\iWinGames.exe" /trackArcadeUninstall_reason_0
C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
"C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" uninstallDesktopAlerts
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ws.iwin.com | udp |
| US | 3.212.86.116:80 | ws.iwin.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | f7eb4bc689e6cf7d36040dbe0d9331e5 |
| SHA1 | 19bca2dd29fb9f54822bd2cacb68bf85063cf92a |
| SHA256 | c8f0bd7f368607af6abaeaacc7b37a43ea0c807bf2bbc8e9d5a73cfe06c72fe7 |
| SHA512 | 062c699df55ed81e1f0f77452bf7816fff9ebfb95885cb3ee132cf17d727c258b9a3c9d8983f8370227996e25f42d526f821950465df35bcda4ce0f8d6f6d023 |
C:\Users\Admin\AppData\Local\Temp\iWinGames\Downloads\cache.dat
| MD5 | 7bcfdf4ff2fd7e9f38e4e836ce443378 |
| SHA1 | aee14127fd409c3de064e5bb65ed057dca3cb4f7 |
| SHA256 | 428deca3f08767b4091b1839cd2d84dc827d569e244f8a3cec2817ffbef46a71 |
| SHA512 | 8c883692d453708b02e087330630f6d1f14f9a282cc905211a836071e4c095b819ccaac0fac951b74e13f116ab575ed9c78ea58de04915639db2c915b028bf32 |
C:\Users\Admin\AppData\Local\Temp\iWinGames\iWinGames.log
| MD5 | e661e214e2e3a4b34534087af7a157c8 |
| SHA1 | 9d9da4838515c6e65bd0300baefbdae80a3b58e2 |
| SHA256 | 97c0d116d0ea2783b20b8bd29464f13bd6cb3c4f1e6c85b946089db5316e6bcc |
| SHA512 | 210aabddb0fbbc86037863cb552fa55608f20cedf2ae40408bc2ade58e127b1975e0e198668434f9ebbfab5102403e2e862549cd86f9dc3d9f48045717bf6943 |