banload | 69f8183bfcc99d9a80f9c9aba0aea150b134885f4b7898915a652249e9e03167

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe
Size

98KB
MD5

ee79991defde27b1bbc6713c57861d6c
SHA1

221f0c006177b320017700aa1baf237d0f36c049
SHA256

69f8183bfcc99d9a80f9c9aba0aea150b134885f4b7898915a652249e9e03167
SHA512

7f4eaebf607e8afddb9a244d93909d66d21d7244d4506a862d3360ece20057e6bbca88102a5f5890e070504b01d326068bb362aecfb9025d854e179a6c2de78f
SSDEEP

1536:cTXB+5p3Bi+HpM4tmJIxqG0/7vd8xUxPpZzmbOcVf2nxqG0/7vd87:cTs3BxJNmJIxqdLdT/ZzmKZxqdLdG

Score

10^/10

banload discovery downloader dropper evasion spyware stealer trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

GLWorker.exeGLWorker.exeGLWorker.exeGLWorker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GLWorker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GLWorker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GLWorker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GLWorker.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GLWorker.exeGLWorker.exeGLWorker.exeGLWorker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	GLWorker.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GamesManager.exeiWinInstaller.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	GamesManager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	iWinInstaller.exe

Executes dropped EXE 13 IoCs

Processes:

GamesManagerInstaller.exeugm_installer.exeGamesManager.exeawesomium_process.exeawesomium_process.exeiWinInstaller.exepreinstall-options.exe5498689878578615106.exeiWinInstallOptions.exeGLWorker.exeGLWorker.exeGLWorker.exeGLWorker.exe

pid	process
4992	GamesManagerInstaller.exe
2556	ugm_installer.exe
3608	GamesManager.exe
4452	awesomium_process.exe
3040	awesomium_process.exe
3376	iWinInstaller.exe
2188	preinstall-options.exe
2628	5498689878578615106.exe
3632	iWinInstallOptions.exe
3964	GLWorker.exe
1380	GLWorker.exe
4788	GLWorker.exe
2776	GLWorker.exe

Loads dropped DLL 64 IoCs

Processes:

ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exeGamesManagerInstaller.exeugm_installer.exe

pid	process
4032	ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe
4032	ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe
4032	ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe
2556	ugm_installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

Processes:

GamesManagerInstaller.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe	GamesManagerInstaller.exe
File opened for modification	C:\Program Files (x86)\GMInstaller\ugm_installer.exe	GamesManagerInstaller.exe
File opened for modification	C:\Program Files (x86)\GMInstaller\	GamesManagerInstaller.exe
File created	C:\Program Files (x86)\GMInstaller\ugm_installer.exe	GamesManagerInstaller.exe
File created	C:\Program Files (x86)\GMInstaller\iWinLauncher.exe	GamesManagerInstaller.exe
File created	C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe	GamesManagerInstaller.exe
File opened for modification	C:\Program Files (x86)\GMInstaller\iWinLauncher.exe	GamesManagerInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exeugm_installer.exeGamesManager.exepreinstall-options.exeGLWorker.exeGLWorker.exeGLWorker.exeGamesManagerInstaller.exeawesomium_process.exeiWinInstaller.exe5498689878578615106.exeGLWorker.exeawesomium_process.exeiWinInstallOptions.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ugm_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	preinstall-options.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManagerInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	awesomium_process.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5498689878578615106.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	awesomium_process.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinInstallOptions.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GamesManager.exeawesomium_process.exeawesomium_process.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GamesManager.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GamesManager.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	awesomium_process.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	awesomium_process.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	awesomium_process.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	awesomium_process.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

iWinInstaller.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\iWinArcade	iWinInstaller.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\iWinArcade\installRoot = "c:\\games\\Iplay Games"	iWinInstaller.exe

Modifies registry class 64 IoCs

Processes:

iWinInstaller.exeGLWorker.exeGLWorker.exeGLWorker.exeGLWorker.exeGamesManager.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Country Tales\InstallDir = "c:\\games\\Iplay Games\\Country Tales"	iWinInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\VQKkvskBTM = "`ow}TscPUEgqYmODeGk@k\x7f{_kg[cD"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\JwLJt = "LS~g\x7fCSx}YNxqW~a\|~}J"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\JwLJt = "LS~g\x7fCSx}YNxqW~a\|~}J"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\qyib = "STt^[Uhq^VXIt@WvLYSJ\x7f"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\qyib = "l\x7fLuly{zOhf`\x7fS~zOD\x7fuu"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\GfcWozxmopaf = "dk@LQuGOpCjmvtdTaHJgg}ElA"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\femb = "Ey`bTuJpDpMHAvDk\|zSTUaTs]XJP"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\VQKkvskBTM = "`ow}TscPUEgqYmODeGk@k\x7fzOkg[cD"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE	GamesManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\uscCeXownBtO = "`vXzedEhQ\\p{ZsdWVuHihSYaGNl}MG"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\JwLJt = "uvZ]TziJxrIzozoKiTcw"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\femb = "g^Otx[\|CxSpaOLQtMJDChQhebCV`"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\twQs = "L{oAIRKBhRTWkAz^N"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\femb = "Ey`bTuJpDpMHAvDk\\zSTUadu\\urP"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\twQs = "UxsshWH`NoOSSSY[M"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\femb = "g^Otx[\|CxSpaOLQt]JDChQpnbuJ`"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\tqpli = "yIHBCaEiDnOpbUtmVyvmuVSO@XkZ"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\VQKkvskBTM = "`ow}TscPUEgqYmODeGk@k\x7f{\x7fkg[cD"	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\InprocServer32	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\femb = "g^Otx[\|CxSpaOLQteJDChQhuZEeP"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade	GamesManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\InprocServer32\Assembly = "Microsoft.Vbe.Interop, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\GfcWozxmopaf = "eg~G`xb_UA`pEeriAp~_iVBIC"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\VQKkvskBTM = "EPdV]mpKKvC_WMJwA[Fh\\qeZUTb[\x7f"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\VQKkvskBTM = "EPdV]mpKKvC_WMJwA[Fh\\qdzUTb[\x7f"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\5498689878578615106 = "Country Tales"	iWinInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\InprocServer32\Class = "Microsoft.Vbe.Interop.CodePanesClass"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\femb = "g^Otx[\|CxSpaOLQtiJDChQtaFNap"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\VQKkvskBTM = "`ow}TscPUEgqYmODeGk@k\x7f{okg[cD"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\GfcWozxmopaf = "eg~G`xb_UA`pEeriAp~_iVBIC"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node	GamesManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\YahooArcade	GamesManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\uscCeXownBtO = "`vXzedEhQ\\p{ZsdWVuHihSYaGNl}MG"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\twQs = "L{_AIRKBhRTWkAz^N"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\femb = "Ey`bTuJpDpMHAvDkPzSTUaxa@~vp"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\lkovdqw	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Country Tales\GameExe = "GameLauncher.exe"	iWinInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\twQs = "UxcshWH`NoOSSSY[M"	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\JwLJt = "uvZ]TziJxrIzozoKiTcw"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\VQKkvskBTM = "`ow}TscPUEgqYmODeGk@k\x7f{okg[cD"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\tqpli = "QaRhGQbxXgJYZP^zf}NgCRoAPVz["	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\femb = "g^Otx[\|CxSpaOLQtaJDChQDw\x7fej@"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\uscCeXownBtO = "`vXzedEhQ\\p{ZsdWVuHihSYaGNl}MG"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\tqpli = "QaRhGQbxXgJYZP^zf}NgCRoAPVz["	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\qyib = "STt^[Uhq^VXIt@WvLYSJ\x7f"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Country Tales\GameID = "5498689878578615106"	iWinInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\InprocServer32\RuntimeVersion = "v2.0.50727"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\uscCeXownBtO = "`xfw@\x7fbPbKSMVu^iFeIiyXXuqTOkY["	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\twQs = "UxcshWH`NoOSSSY[M"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\YahooArcade	GamesManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\femb = "Ey`bTuJpDpMHAvDkTzSTUaTce^y`"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Country Tales\GameName = "Country Tales"	iWinInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\lkovdqw	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\femb = "Ey`bTuJpDpMHAvDkhzSTUa`zxNY@"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\VQKkvskBTM = "EPdV]mpKKvC_WMJwA[Fh\\qeJUTb[\x7f"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\twQs = "UySshWH`NoOSSSY[M"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\femb = "g^Otx[\|CxSpaOLQu}JDChQpt}stP"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE	GamesManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\femb = "Ey`bTuJpDpMHAvDkdzSTUa\|\|HXi`"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\lkovdqw	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\tqpli = "yIHBCaEiDnOpbUtmVyvmuVSO@XkZ"	GLWorker.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

GamesManager.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	GamesManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	GamesManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	GamesManager.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

GamesManagerInstaller.exeGamesManager.exeiWinInstaller.exe

pid	process
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
4992	GamesManagerInstaller.exe
3608	GamesManager.exe
3608	GamesManager.exe
3376	iWinInstaller.exe
3376	iWinInstaller.exe
3376	iWinInstaller.exe
3376	iWinInstaller.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

AUDIODG.EXEGLWorker.exeGLWorker.exeGLWorker.exeGLWorker.exe

description	pid	process
Token: 33	3432	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3432	AUDIODG.EXE
Token: 33	3964	GLWorker.exe
Token: SeIncBasePriorityPrivilege	3964	GLWorker.exe
Token: 33	1380	GLWorker.exe
Token: SeIncBasePriorityPrivilege	1380	GLWorker.exe
Token: 33	4788	GLWorker.exe
Token: SeIncBasePriorityPrivilege	4788	GLWorker.exe
Token: 33	2776	GLWorker.exe
Token: SeIncBasePriorityPrivilege	2776	GLWorker.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

GamesManager.exe

pid process

3608 GamesManager.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

GamesManager.exe

pid process

3608 GamesManager.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iWinInstaller.exepreinstall-options.exe5498689878578615106.exeiWinInstallOptions.exe

pid process

3376 iWinInstaller.exe
2188 preinstall-options.exe
2628 5498689878578615106.exe
3632 iWinInstallOptions.exe

pid	process
3608	GamesManager.exe

pid	process
3608	GamesManager.exe

pid	process
3376	iWinInstaller.exe
2188	preinstall-options.exe
2628	5498689878578615106.exe
3632	iWinInstallOptions.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exeGamesManager.exeiWinInstaller.exe5498689878578615106.exe

description	pid	process	target process
PID 4032 wrote to memory of 4992	4032	ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe	GamesManagerInstaller.exe
PID 4032 wrote to memory of 4992	4032	ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe	GamesManagerInstaller.exe
PID 4032 wrote to memory of 4992	4032	ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe	GamesManagerInstaller.exe
PID 4032 wrote to memory of 3608	4032	ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe	GamesManager.exe
PID 4032 wrote to memory of 3608	4032	ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe	GamesManager.exe
PID 4032 wrote to memory of 3608	4032	ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe	GamesManager.exe
PID 3608 wrote to memory of 4452	3608	GamesManager.exe	awesomium_process.exe
PID 3608 wrote to memory of 4452	3608	GamesManager.exe	awesomium_process.exe
PID 3608 wrote to memory of 4452	3608	GamesManager.exe	awesomium_process.exe
PID 3608 wrote to memory of 3040	3608	GamesManager.exe	awesomium_process.exe
PID 3608 wrote to memory of 3040	3608	GamesManager.exe	awesomium_process.exe
PID 3608 wrote to memory of 3040	3608	GamesManager.exe	awesomium_process.exe
PID 3608 wrote to memory of 3376	3608	GamesManager.exe	iWinInstaller.exe
PID 3608 wrote to memory of 3376	3608	GamesManager.exe	iWinInstaller.exe
PID 3608 wrote to memory of 3376	3608	GamesManager.exe	iWinInstaller.exe
PID 3376 wrote to memory of 2188	3376	iWinInstaller.exe	preinstall-options.exe
PID 3376 wrote to memory of 2188	3376	iWinInstaller.exe	preinstall-options.exe
PID 3376 wrote to memory of 2188	3376	iWinInstaller.exe	preinstall-options.exe
PID 3376 wrote to memory of 2628	3376	iWinInstaller.exe	5498689878578615106.exe
PID 3376 wrote to memory of 2628	3376	iWinInstaller.exe	5498689878578615106.exe
PID 3376 wrote to memory of 2628	3376	iWinInstaller.exe	5498689878578615106.exe
PID 2628 wrote to memory of 3632	2628	5498689878578615106.exe	iWinInstallOptions.exe
PID 2628 wrote to memory of 3632	2628	5498689878578615106.exe	iWinInstallOptions.exe
PID 2628 wrote to memory of 3632	2628	5498689878578615106.exe	iWinInstallOptions.exe
PID 3608 wrote to memory of 3964	3608	GamesManager.exe	GLWorker.exe
PID 3608 wrote to memory of 3964	3608	GamesManager.exe	GLWorker.exe
PID 3608 wrote to memory of 3964	3608	GamesManager.exe	GLWorker.exe
PID 3608 wrote to memory of 1380	3608	GamesManager.exe	GLWorker.exe
PID 3608 wrote to memory of 1380	3608	GamesManager.exe	GLWorker.exe
PID 3608 wrote to memory of 1380	3608	GamesManager.exe	GLWorker.exe
PID 3608 wrote to memory of 4788	3608	GamesManager.exe	GLWorker.exe
PID 3608 wrote to memory of 4788	3608	GamesManager.exe	GLWorker.exe
PID 3608 wrote to memory of 4788	3608	GamesManager.exe	GLWorker.exe
PID 3608 wrote to memory of 2776	3608	GamesManager.exe	GLWorker.exe
PID 3608 wrote to memory of 2776	3608	GamesManager.exe	GLWorker.exe
PID 3608 wrote to memory of 2776	3608	GamesManager.exe	GLWorker.exe

C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe
  C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
  "C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" -config.uri=http://gm/iwin/index.html -config.iwinrequest=PF/5498689878578615106/5498689883522729028/13/0 -config.channel=110341560
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
    "C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe" --type=renderer --enable-logging --log-level=2 --no-sandbox --user-agent="NextDM/2.16.2.1015 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.16.2.1015 110341560 WinVer/6.2 [x64]" --awesomium-log-path="C:\Users\Admin\AppData\Local\GamesManager\./awesomium.log" --lang --channel=3608.02E62C80.1361212461 /prefetch:3
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:4452
- - C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
    "C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe" --type=gpu-process --channel=3608.02EF4CD0.985214649 --enable-logging --log-level=2 --no-sandbox --awesomium-log-path="C:\Users\Admin\AppData\Local\GamesManager\./awesomium.log" /prefetch:12
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:3040
- - C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe
    "C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe" -gmregcopysrc="HKEY_LOCAL_MACHINE\Software\iWinArcade" -gmregcopydest="HKEY_CURRENT_USER\Software\IplayArcade" -gmregcopylocalmachinedest="HKEY_LOCAL_MACHINE\Software\IplayArcade" -gmregisiwin=true -gmchannelcode=110341560 -game.sku="5498689878578615106" -game.name="Country Tales" -gmregcopyvirtual=HKU\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade -gmreg="Software\IplayArcade" -gmexe="IplayGames.exe" -gmregkey="Install_Dir" -installer="C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe" -preinstallurl="http://gm-iplay.iwin.com/dl/preinstall-options.exe" -gamestring=5498689878578615106 -config.installRoot="c:\games\Iplay Games" -gmInstallRootRegKey="HKEY_CURRENT_USER\Software\iWinArcade\installRoot"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
      "C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe" -gamestring=5498689878578615106 /S
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2188
  - - C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe
      "C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe" /S
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Users\Admin\AppData\Local\Temp\nsp5C84.tmp\iWinInstallOptions.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsp5C84.tmp\iWinInstallOptions.exe" /S
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3632
- - \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
    "c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3964
- - \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
    "c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- - \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
    "c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4788
- - \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
    "c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2776

C:\Program Files (x86)\GMInstaller\ugm_installer.exe
"C:\Program Files (x86)\GMInstaller\ugm_installer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2556

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x474 0x2c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000001

Filesize
248KB

MD5
e2ff9e87912d08576c7f26a8014b2525

SHA1
026136afd27657e7edead2f12310275af249caac

SHA256
5e663896f40416a2d5f159e0433dbc9019dbe9d05abb34c1f3a5b38a88b5c03a

SHA512
7b4dfe37205909f2f14669c965821a91daba8be383ce83d119fde5d290bc938eeaf0c70e9d27998f00dc6cdca0d0c0b1b2bbdc13ac2662fc4e766919e092e1d9

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000002

Filesize
36KB

MD5
ae0a675e3e15e28aab8246028df16236

SHA1
772b2587aa2fa345fb760eff9ebe5acd97937243

SHA256
49f14bad610f40f0ae76a33c55ef89a1e694219bab49b1b99cb53d754774c0fc

SHA512
21723efa6aaa2fa599b42c1480c380c24f9aaf14755e82e88054e80713454408bfb047ba77d921d71573d2319f14f134938f3401aa3b92b756670b7c99892caa

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000003

Filesize
51KB

MD5
a959af924d21c7b788fe197caf03fc40

SHA1
21733827a5501133619b8ac4533201267d1afa3f

SHA256
4d191ea72953f5806161c3c16ae8e4bb629b47156481bd074acfa5db08000016

SHA512
1fa28a7fe716b328fc43b3e8993875977a2e9f39fd02dfce313d27021403ddfaf7f19c7607bf1350c4c2f05a38170d3621ed33cc60f8b38fb9d1dbda63b120e7

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000004

Filesize
242KB

MD5
7fd8ffea25728006bfddf7e6c7c122cd

SHA1
e3049e9f8a643b8b2cfd2ca5e6ab8bfd483efe99

SHA256
0a6c4c4db171663b9b1c533a4dd6938e22cb4d5b9607d0ca92a20c1354018b49

SHA512
477467568f8c24772fd83680db1e9750c7e377cb706c0fa734e9c8b1bc847cf9a60f4be444044bdbfa4cdb9cb4352f86edd1ea70bdcd86a20b361f9acb2cd58f

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000005

Filesize
58KB

MD5
8c81fab58b8ed37b527b16a37a8065c3

SHA1
5d3d58f8833d9975d6dd5e7153b22a936f2f76bd

SHA256
74d4acb9d62968980f8a096977e3bf42c1ccffb0c7501a7fff1a0ba589b56bd7

SHA512
e99c9eae7718c4154bc2895431261e1ac3cafda565d85474876be004063742d84af1c20f970dd1f30c9c5acbb00d3e7357f7a13376730cbd987a24dcc4086699

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000006

Filesize
16KB

MD5
032f7a630c11189923cae95fb0fa6892

SHA1
74dddaa937b077fb98b584b20e1a3e3ad1bee422

SHA256
b0b84f6aca649b3b9131799ed0983e03b113497df4f33e30a3389ee1b34687ee

SHA512
e24c5a9dfd1f6fcd07dea0b3723a0794fe27042c2f52d0b869e8224ed0a442e73e24d265103ba2f11783b8c408f9724ba11ef76a1e3330ee3b78156ebad406bf

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000007

Filesize
63KB

MD5
962bf963a37a6d84fe7fb552763dc094

SHA1
cac681467dac917122dd9b57bd9a78781549a523

SHA256
2f49797d196f00bb331663ac1564c775d65ed1bfb508aec9e4c3b6fc89bb4dc0

SHA512
e378da6a0d29f91eb5a0de3876fda0cc1b5a6e6632f5ddf0d45fcc909084aad70bd99b97a29df15d271593701bd77a92766a1f091540dc3cdf699c9d831b6192

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000008

Filesize
21KB

MD5
5cc4154e0c0dac8dfeea73c07ccdc83e

SHA1
5d2d995d51b8855d1e1e43b85d8b5a9d22b796ad

SHA256
12d5f1be9a764164f4cc6e7dda726c4ea3d19ea79382d28c75b0dea862608968

SHA512
1112959cfecc25efae799b566dff24f7bfafc60ddd8974ce0cdd653ee834a57090d9f78e2773ad9a826e0ba6e1487c49e1ef957c34385c262914f09ea8b26157

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000009

Filesize
48KB

MD5
b41c0b75a60eab42145e9d0b17408b0b

SHA1
0f3151c6c22834079b55fcea9d873c0184b3fd7c

SHA256
209dc679252feca2725cafb6e8fc314f2618bd748db846be6b4e0ca71c55a330

SHA512
f728be6cb869a6279a6ba1d85865c510c6f9905a04226a25965b7b5eb0feadbaf4364f4508b08292eb597b2a9fe14af4e6fa8a9eb56f4e704108dc09e862edbe

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000a

Filesize
39KB

MD5
4e5d5ff08a7703b746695ec19bf96b88

SHA1
3496f9b943d53c957ed8481e3e2cd1ecc0decb4e

SHA256
3e05db9eae5443e2b629ae73496a7872602094fcf63d11eb5d99e63911c89d1e

SHA512
cabe3907ea165502d90b847642cbc4be99108b6eb18ad251f2acfe988131b2ed12fab8516e374c5e2a19b10c9df9c9ed3252cbffb7cd0c0fb9dcd258e2f4bb31

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000b

Filesize
151KB

MD5
0128fb0696c3dd27adc2286988bf9042

SHA1
343db277048078eb9a12b76b8f482aae5d9e7ac2

SHA256
13bf19f7b084c49a6ef22dee10328411f4764e765209956bc1d01c8120cdacdb

SHA512
173b2bd5cdf252380286622fcb9ebd72c361788fcd00a04274dc330f7d20cc152cc29506bd5d03768518bab23053ec98c0ae522fe600987a479a15279d72acbd

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000c

Filesize
66KB

MD5
201f988a9071a4a4a3d188bdecda38f5

SHA1
4ad903f73ee31f12b1c9e4c820439273cbc92727

SHA256
53c53364808c175a6038f9d0aae8fe3d1f5ce3cf87d5e9fa08f603d845633b37

SHA512
d9af07915a589ee48b08a1b8880d88d6215438292f4a227cbc809086c2dbd5735713c0929758359a8f3391dae746cd9b9de7885d5af560698a21be7d9f5bc025

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000d

Filesize
77KB

MD5
516a9c398435f4e0e519d13091892fca

SHA1
c1a8a3747fed87cf8699c18b6f80f5369e207908

SHA256
de5c4e5ba7b850bbe5d35de5b20f4fd875be1f77ef73f7431172d1e0f6496dc6

SHA512
b79eab3e4abc5bd164d27f282a9913ad0c82bdbcb028be5137b77a429e6384e715d05a90014c23298152d2fe3ad2f90309ca028727ed9750cf29fd55b6d75302

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000e

Filesize
39KB

MD5
4d0d60167bc23a412bcd8880d59e13d8

SHA1
cfbf2a6ed97ed0a30c571d2bbd6eb60731eaea27

SHA256
cd299b9251186ebf3bb0e928e4f710b3b542f0cde01bea6832cbada49138a85d

SHA512
6d56d41161bbe491a8f847ae3782e283a61d40d499d91fa6ef82ea845b347b8337b84e69024828dcbbf884b167afca67bdd67c7593a1a90950bab6fbdbb8eeba

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000f

Filesize
46KB

MD5
b6438c9bc90d3e87381b574cdf17ae97

SHA1
86051ff3f018c1a475162597dab27079eef2ec7a

SHA256
a6db907a7ac399d7e920de4ac4b4a92808542039ba32dc6758637bffb413d56d

SHA512
c4d56c8880d5c27085cf64531d2620f84c950107fdda28986eb0bb4d2ce1b4a90f0d890b72f60b48ef2637b3dab7fd99ccf1f507c949ce5f66b52f756c3c6fe6

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000010

Filesize
246KB

MD5
af693f9aea7dae36fb3bef4c9b6e56fb

SHA1
0d7896e2bb23f88e26e52b22a075350b354df447

SHA256
1717ea1fde8ceb7584341a24efc85c853083c660a1185968fbf94520f7193de2

SHA512
11cad7c40e29808104a9b84cfe2f4f1aa80f4ad06a07fd1379c64818fe869c6b6036af36f4dd3304e19b612141e9cf7b04e11c7a38a721ad03c067d9c07b266a

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000011

Filesize
25KB

MD5
3c4b51f57a2ff4369261b845d84ca1ea

SHA1
3bb9a2f72d5fa0a9c4140ab74212d4cdd25fa323

SHA256
379bc709031d0e429a41012efd921210bcfd409ecaabe35257a3716032eb99a3

SHA512
81d0120f63e30cc5b31fc98af2caf75cd836defedf08a1918b019a4bd7fdc9746340ef81f7ead84299d6eceb3812a6edc79481344dd7ef19d7af572b1f2bac3d

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000012

Filesize
82KB

MD5
5ce0a99458a2c7f2c0a6f3eb1a03d1d5

SHA1
6b3fdc4185f603a0948d2e8b7bc818763d7e2668

SHA256
6c5c0a29044c5aeec37211b18908acd0576b9dabc9d6fe95c8066cdc55146c0f

SHA512
5939d60a40f729b7ea19d6c9c1d264d7a174c6436748ea8c9619e7a20c1f1d4889f7e9b4cd017a889c985e9d2fd272e01d3e03d6b97325b2e8de5f3f9e1f2d67

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000013

Filesize
581KB

MD5
107a4b9f1d95df5b969cced5c7248ded

SHA1
9341318acb76e81987277b335656f6d265066691

SHA256
295eac26825508b5f37f27c69b99d426582fe80752f636c69f1795be8f5d5ea4

SHA512
36c22b62a0377831b37ecc4f34b6912842bc57c2f9351548d1ba120ca2c9abaca709cd40046abc06d4b77694cbf1977b8f5d7ce899653f130ac697402e127857

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000014

Filesize
160KB

MD5
7776d481997157e93d96f8589c3ae050

SHA1
13007e647ea91299b5aaaf7fc03a30bb65c38cd0

SHA256
74cd4d1f792e1200fd426048b53970c4eaeb5e5c1c789d034bffdff68167b3be

SHA512
12401e53282bcb20f6287f73b0d51c1c018cb0013df2d03e7d719eaa9e7fe952b9252c22445b67acdd78696f7b464045aed14f6e795922680fe733a0084a6217

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000015

Filesize
238KB

MD5
112aef1f1740c497873762c576ba91ec

SHA1
63de6bd3e38f536213dddddb20c5cb61c232078f

SHA256
7f6a44eb7632c2cb6f990ede10a58c2cc3fb923bae1761f1be8e2a9ea3847b78

SHA512
9b3f9e5b4f911e0fc8404e89a68e308b14b4d2470d8358f95991d04abbc5ee04e3d93255deba720d3589f278938cf92710cc4f38f6b26c778d82d4680da89fbb

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000016

Filesize
620KB

MD5
5a52b3c4658c45fa0d16f1b245cba28d

SHA1
1066afce3c4ca00ca7f61c628f6ba4a615b50c4f

SHA256
f148af9bffe215b1396117bb04aeb9f35fc82f346999a767a363198e9878ceae

SHA512
08ed56e8ef57a87bc84cc82355fbb9b5742a3a3218c5bf27369d2fc7d71d5c740af8c8830a85af3544ae5f2e96f59c9a0267a512a5c009c3e03683a3ef5f85bd

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\Cache\index

Filesize
512KB

MD5
8800ca4ae711869652e8e191a949d5cf

SHA1
e911075e12d830dd02acfb2f0b2f08311fae618f

SHA256
777aa3731f9ff596fadb43ad560f7248509341681741332531a5450b7694dc78

SHA512
daa26ecf10d3d0f26852a198116e56485232e6098c778f9e02ef43a222027d0e3366a8a44f2a5cb26175efc7f54f1839a1cff5607dad756d8e6ddf343e1dca11

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\110402287\cdata.dat

Filesize
379KB

MD5
11e4b4414b6271b8f8c45511f97d4e5a

SHA1
65ee25560144d22bf7f8bce3b8742a856a8ee6d1

SHA256
db67ca3cf89a6fccd13aa21207e279c3fd3c7bcaf181c65ecfc18cf2da289eb3

SHA512
68e8bce33cfc588f800f486f51c8a1e27b12e58af336946102d61a451341eee875b4cbb2a4203f3cade174b21f9e74cd82d15988abb107564c87c2e3bd088c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi581F.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5C84.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5C84.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB210.tmp\StdUtils.dll

Filesize
26KB

MD5
c291f96471927e7bc49398b0de7168dd

SHA1
eda478005d69ee86126a8378de5007b139e20a5d

SHA256
c169393e49723cfdcdcbcf80e062be9e841539f90e4b7b85b482212715a1f7c6

SHA512
b4244615e99617d437d3120f201ca88c7ab4a6b4b84e7f0c3b4495a0fe8c979e04feaa08f11ad14fa92f002a3a521422221132ff54a081ef1c6bcbdf09d5929d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB210.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCFBB.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\NSISdl.dll

Filesize
14KB

MD5
9c90c746adae5171c52b932080113331

SHA1
2eb66e61ad38a33aa6e6c245e84e0a78dfcc5460

SHA256
5b7be83ff4f023eba8d2d7ab972b067a904adc71f56a50cb367619cd116d0e92

SHA512
fca06b4b39fdd76002487a4f9a454bec5507b2355a0e4e2dfe044e2def52bbd01aa5d2a0077703f7b8814b248743fac2b84fd37f611e04281f7e5c428e245565

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\System.dll

Filesize
11KB

MD5
c6f5b9596db45ce43f14b64e0fbcf552

SHA1
665a2207a643726602dc3e845e39435868dddabc

SHA256
4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0

SHA512
8faa0204f9ed2721acede285be843b5a2d7f9986841bcf3816ebc8900910afb590816c64aebd2dd845686daf825bbf9970cb4a08b20a785c7e54542eddc5b09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe

Filesize
77KB

MD5
455171a0d8585480d318102d13ca1faf

SHA1
16263b90994f2882ae03d8d190dca0df1204c0a2

SHA256
626953268197dacf5491197a3c4c60b4f2a14c3e878efb640eb48f34c9b23e31

SHA512
8961af0da23f63f5f4fa258bc6532e7ba95ffcdfed71ab813fa0715696b70452f4ef127ed08391edf22dd1fe01e38ee1921551ecba9bb5a79ef18d44ca16d11d

Download Submit
C:\games\Iplay Games\Country Tales\cpromo\games\brawe\logo.tex

Filesize
166B

MD5
81de96307f568c5e50da13b9751e65ae

SHA1
4e01b95dee60b1bcc74384f6ca8ab36538b087b3

SHA256
6d52c4e2664c8d1465ebe769535e747b0770d257cde8d0b23caee024554bc895

SHA512
7d1da1cd6f39970d4e5ca9127051e1072cfaeb78cf504dba2c1f5578e216d1fed9a513943e82b4ab344b4ed8bd84a829e6ed49d43601a6019af7ed6be9e4c95d

Download Submit
C:\games\Iplay Games\Country Tales\cpromo\games\brawe\priority.cfg

Filesize
125B

MD5
39747ea0539ca7a983e27ad38a7feef9

SHA1
de1d226c21dcefbac496b1c1c2a04aec5a7f1c6c

SHA256
200abc16639b302d5ad0954412decbf85afb6373ce0bef661371860b36f443ca

SHA512
8bf6e2c9262e0bd9e445a6263bcf71837d7b8ce955a11f5ce808cacf9c27eb8e2eb5d27629db87f89132fc00117b91b32a80309a566b98909d505b61e7aca69c

Download Submit
C:\games\Iplay Games\Country Tales\cpromo\games\brawe\thumbnail.tex

Filesize
169B

MD5
1dbce5bd17261f01d55f0e1ce678a5be

SHA1
7c957dd1cb44998773a7dfc9478b35c6ebca08d5

SHA256
b4e17d88af6c99f9728c50b486cc89fe85e45f80401a56ae226a91f4d6e1d6ee

SHA512
b141578334718b5cae23658a4f4129a99452239f1666707bed98f3325fc97adf2da7bbc4c1b91b1c7cf05cbd7efee9fc778dd4350f68be7a6e021c4bae87a7c0

Download Submit
C:\games\Iplay Games\Country Tales\cpromo\system\texts\fr\cpromo-facebook.loc

Filesize
305B

MD5
e4f35d2a9354e2988e31664dadfdc4ba

SHA1
68c41d8047951070a3077e0ad7205cd7d1f570b9

SHA256
1645a49aefec74dacb34d70834510ef429a53f22891214e12967d9febc6e4cf4

SHA512
f426e9670a46cab2a54b09cb328bda010732afd3d7b5febd047498cb5a8bd050b563787d403634784de62abaa7fc63c055aa4157749438d3cf06ce0f04f04309

Download Submit
memory/1380-2569-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2776-2607-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3964-2534-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3964-2550-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/4452-1078-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1071-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1079-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1081-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1076-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1075-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1074-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1073-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1072-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1070-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1069-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1068-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1067-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1066-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1064-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1063-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1062-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1061-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1060-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1059-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1058-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1056-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1055-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1054-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1077-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1080-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1065-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1057-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1053-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1082-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1107-0x0000000071AD0000-0x0000000071AF7000-memory.dmp

Filesize
156KB

Download
memory/4452-1108-0x0000000071A90000-0x0000000071AC3000-memory.dmp

Filesize
204KB

Download
memory/4452-1106-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1109-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4452-1175-0x0000000071A90000-0x0000000071AC3000-memory.dmp

Filesize
204KB

Download
memory/4452-1174-0x0000000071AD0000-0x0000000071AF7000-memory.dmp

Filesize
156KB

Download
memory/4452-1173-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1083-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1084-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1086-0x0000000071A90000-0x0000000071AC3000-memory.dmp

Filesize
204KB

Download
memory/4452-1087-0x0000000071A90000-0x0000000071AC3000-memory.dmp

Filesize
204KB

Download
memory/4452-1088-0x0000000071A90000-0x0000000071AC3000-memory.dmp

Filesize
204KB

Download
memory/4452-1089-0x0000000071A90000-0x0000000071AC3000-memory.dmp

Filesize
204KB

Download
memory/4452-1090-0x0000000071A90000-0x0000000071AC3000-memory.dmp

Filesize
204KB

Download
memory/4452-1091-0x0000000071A90000-0x0000000071AC3000-memory.dmp

Filesize
204KB

Download
memory/4452-1092-0x0000000071A90000-0x0000000071AC3000-memory.dmp

Filesize
204KB

Download
memory/4452-1085-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1052-0x0000000071B00000-0x0000000071CB2000-memory.dmp

Filesize
1.7MB

Download
memory/4452-1047-0x0000000000850000-0x0000000000862000-memory.dmp

Filesize
72KB

Download
memory/4788-2588-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download