Malware Analysis Report

2024-10-16 03:31

Sample ID 240920-1jq79szapg
Target ee79991defde27b1bbc6713c57861d6c_JaffaCakes118
SHA256 69f8183bfcc99d9a80f9c9aba0aea150b134885f4b7898915a652249e9e03167
Tags
banload discovery downloader dropper evasion spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

69f8183bfcc99d9a80f9c9aba0aea150b134885f4b7898915a652249e9e03167

Threat Level: Known bad

The file ee79991defde27b1bbc6713c57861d6c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion spyware stealer trojan

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks BIOS information in registry

Reads user/profile data of web browsers

Checks installed software on the system

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

NSIS installer

Modifies registry class

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-20 21:41

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-20 21:41

Reported

2024-09-20 21:43

Platform

win7-20240729-en

Max time kernel

145s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseFBED.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Program Files (x86)\GMInstaller\ugm_installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GMInstaller\ugm_installer.exe C:\Users\Admin\AppData\Local\Temp\nseFBED.tmp\GamesManagerInstaller.exe N/A
File created C:\Program Files (x86)\GMInstaller\iWinLauncher.exe C:\Users\Admin\AppData\Local\Temp\nseFBED.tmp\GamesManagerInstaller.exe N/A
File created C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe C:\Users\Admin\AppData\Local\Temp\nseFBED.tmp\GamesManagerInstaller.exe N/A
File opened for modification C:\Program Files (x86)\GMInstaller\iWinLauncher.exe C:\Users\Admin\AppData\Local\Temp\nseFBED.tmp\GamesManagerInstaller.exe N/A
File opened for modification C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe C:\Users\Admin\AppData\Local\Temp\nseFBED.tmp\GamesManagerInstaller.exe N/A
File opened for modification C:\Program Files (x86)\GMInstaller\ugm_installer.exe C:\Users\Admin\AppData\Local\Temp\nseFBED.tmp\GamesManagerInstaller.exe N/A
File opened for modification C:\Program Files (x86)\GMInstaller\ C:\Users\Admin\AppData\Local\Temp\nseFBED.tmp\GamesManagerInstaller.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nseFBED.tmp\GamesManagerInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\GMInstaller\ugm_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsjA564.tmp\iWinInstallOptions.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\iWinArcade\installRoot = "c:\\games\\Iplay Games" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\iWinArcade C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\rpVhvdGXV = "YSJ\x7fg^Otx[|CxSpaOLQu}JDChQgM" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D} \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\ibfux = "HBCaEiDnOpbUtmVyvmuVSO@XkZ" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\rpVhvdGXV = "YSJ\x7fg^Otx[|CxSpaOLQt]JDChQgW" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\dmxcLv = "NgSP" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\epjqsaiiMfq = "w`ow}TscPUEgqYmct^Xq@" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\rpVhvdGXV = "YSJ\x7fg^Otx[|CxSpaOLQtIJDChQS^" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\mokfrjfu = "LS~g\x7fCSx}YNxqW~a|~}" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\epjqsaiiMfq = "JEPdV]mpKKvC_WMfGzD\\h" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\mqpB = "`xfw@\x7fbPbKSMVu^iFeIiyXXuqTOkY[Qa" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\apvk = "WkAz^Neg~G`xb_UA`pEeriAp~" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\rpVhvdGXV = "YSJ\x7fg^Otx[|CxSpaOLQtUJDChQWS" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\knwdiiw = "_iVBICl\x7fLuly{zOhf`\x7fS~zO" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\dmxcLv = "[gp`" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\mqpB = "`vXzedEhQ\\p{ZsdWVuHihSYaGNl}MGyI" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\dmxcLv = "[Ql`" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\edqxvvGgt = "\\qeJUTb[\x7fL{OAIRKBhRT" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\dmxcLv = "kG\\@" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\rpVhvdGXV = "YSJ\x7fg^Otx[|CxSpaOLQtiJDChQcX" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\dmxcLv = "Aj\x7f@" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\mokfrjfu = "LS~g\x7fCSx}YNxqW~a|~}" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\dmxcLv = "\\\\yP" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\knwdiiw = "gg}ElASTt^[Uhq^VXIt@WvL" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\dmxcLv = "yZPp" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\ibfux = "HBCaEiDnOpbUtmVyvmuVSO@XkZ" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\dmxcLv = "y|v@" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\edqxvvGgt = "k\x7fzOkg[cDUySshWH`NoO" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\rpVhvdGXV = "D\x7fuuEy`bTuJpDpMHAvDkxzSTUaoH" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Country Tales\SkuID = "5498689883513643322" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\dmxcLv = "FAL@" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649} \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\knwdiiw = "_iVBICl\x7fLuly{zOhf`\x7fS~zO" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\apvk = "SSSY[Mdk@LQuGOpCjmvtdTaHJ" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\knwdiiw = "gg}ElASTt^[Uhq^VXIt@WvL" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\edqxvvGgt = "\\qejUTb[\x7fL{oAIRKBhRT" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\ibfux = "HBCaEiDnOpbUtmVyvmuVSO@XkZ" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\epjqsaiiMfq = "JEPdV]mpKKvC_WMfGzD\\h" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Country Tales\GameID = "5498689878578615106" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\InprocHandler32\ = "ole32.dll" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\knwdiiw = "gg}ElASTt^[Uhq^VXIt@WvL" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\rpVhvdGXV = "D\x7fuuEy`bTuJpDpMHAvDk|zSTUaCJ" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\dmxcLv = "Fgjp" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\rpVhvdGXV = "D\x7fuuEy`bTuJpDpMHAvDkTzSTUaCZ" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\mokfrjfu = "LS~g\x7fCSx}YNxqW~a|~}" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\IplayArcade C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\VirtualStore C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\VirtualStore\MACHINE C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\YahooArcade C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\ = "Outlook Office Explorer" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\rpVhvdGXV = "YSJ\x7fg^Otx[|CxSpaOLQtaJDChQSN" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\mqpB = "`vXzedEhQ\\p{ZsdWVuHihSYaGNl}MGyI" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Country Tales\GameName = "Country Tales" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\rpVhvdGXV = "YSJ\x7fg^Otx[|CxSpaOLQteJDChQ\x7fL" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\dmxcLv = "\\z_`" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\rpVhvdGXV = "D\x7fuuEy`bTuJpDpMHAvDklzSTUa[A" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\rpVhvdGXV = "YSJ\x7fg^Otx[|CxSpaOLQtAJDChQs}" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Country Tales\GameExe = "GameLauncher.exe" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\mqpB = "`xfw@\x7fbPbKSMVu^iFeIiyXXuqTOkY[Qa" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{8AD15D97-D746-13D1-B2E4-0060975B8649}\mokfrjfu = "uvZ]TziJxrIzozoKiTc" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\rpVhvdGXV = "D\x7fuuEy`bTuJpDpMHAvDk\\zSTUasL" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseFBED.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Token: SeIncBasePriorityPrivilege N/A \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nseFBED.tmp\GamesManagerInstaller.exe
PID 2756 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
PID 2756 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
PID 2756 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
PID 2756 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
PID 1864 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 1864 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 1864 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 1864 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 1864 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 1864 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 1864 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 1864 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 1864 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe
PID 1864 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe
PID 1864 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe
PID 1864 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe
PID 1864 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe
PID 1864 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe
PID 1864 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe
PID 2588 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
PID 2588 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
PID 2588 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
PID 2588 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
PID 2588 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
PID 2588 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
PID 2588 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
PID 2588 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe
PID 2588 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe
PID 2588 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe
PID 2588 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe
PID 740 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe C:\Users\Admin\AppData\Local\Temp\nsjA564.tmp\iWinInstallOptions.exe
PID 740 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe C:\Users\Admin\AppData\Local\Temp\nsjA564.tmp\iWinInstallOptions.exe
PID 740 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe C:\Users\Admin\AppData\Local\Temp\nsjA564.tmp\iWinInstallOptions.exe
PID 740 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe C:\Users\Admin\AppData\Local\Temp\nsjA564.tmp\iWinInstallOptions.exe
PID 740 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe C:\Users\Admin\AppData\Local\Temp\nsjA564.tmp\iWinInstallOptions.exe
PID 740 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe C:\Users\Admin\AppData\Local\Temp\nsjA564.tmp\iWinInstallOptions.exe
PID 740 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe C:\Users\Admin\AppData\Local\Temp\nsjA564.tmp\iWinInstallOptions.exe
PID 1864 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 1864 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nseFBED.tmp\GamesManagerInstaller.exe

C:\Users\Admin\AppData\Local\Temp\nseFBED.tmp\GamesManagerInstaller.exe

C:\Program Files (x86)\GMInstaller\ugm_installer.exe

"C:\Program Files (x86)\GMInstaller\ugm_installer.exe"

C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe

"C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" -config.uri=http://gm/iwin/index.html -config.iwinrequest=PF/5498689878578615106/5498689883522729028/13/0 -config.channel=110341560

C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe

"C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe" --type=renderer --enable-logging --log-level=2 --no-sandbox --user-agent="NextDM/2.16.2.1015 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.16.2.1015 110341560 WinVer/6.1 [x64]" --awesomium-log-path="C:\Users\Admin\AppData\Local\GamesManager\./awesomium.log" --lang --channel=1864.00A61C80.1665743929 /prefetch:3

C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe

"C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe" --type=gpu-process --channel=1864.00B00640.317220199 --enable-logging --log-level=2 --no-sandbox --awesomium-log-path="C:\Users\Admin\AppData\Local\GamesManager\./awesomium.log" /prefetch:12

C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe

"C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe" -gmregcopysrc="HKEY_LOCAL_MACHINE\Software\iWinArcade" -gmregcopydest="HKEY_CURRENT_USER\Software\IplayArcade" -gmregcopylocalmachinedest="HKEY_LOCAL_MACHINE\Software\IplayArcade" -gmregisiwin=true -gmchannelcode=110341560 -game.sku="5498689878578615106" -game.name="Country Tales" -gmregcopyvirtual=HKU\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade -gmreg="Software\IplayArcade" -gmexe="IplayGames.exe" -gmregkey="Install_Dir" -installer="C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe" -preinstallurl="http://gm-iplay.iwin.com/dl/preinstall-options.exe" -gamestring=5498689878578615106 -config.installRoot="c:\games\Iplay Games" -gmInstallRootRegKey="HKEY_CURRENT_USER\Software\iWinArcade\installRoot"

C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe

"C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe" -gamestring=5498689878578615106 /S

C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe

"C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe" /S

C:\Users\Admin\AppData\Local\Temp\nsjA564.tmp\iWinInstallOptions.exe

"C:\Users\Admin\AppData\Local\Temp\nsjA564.tmp\iWinInstallOptions.exe" /S

\??\c:\games\Iplay Games\Country Tales\GLWorker.exe

"c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106

\??\c:\games\Iplay Games\Country Tales\GLWorker.exe

"c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106

\??\c:\games\Iplay Games\Country Tales\GLWorker.exe

"c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106

\??\c:\games\Iplay Games\Country Tales\GLWorker.exe

"c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.iwin.com udp
GB 13.224.245.78:80 dl.iwin.com tcp
US 8.8.8.8:53 static.iwincdn.com udp
FR 68.232.35.54:80 static.iwincdn.com tcp
US 8.8.8.8:53 gm-iplay.iwin.com udp
US 34.225.51.228:80 gm-iplay.iwin.com tcp
US 8.8.8.8:53 fea.iwincdn.com udp
FR 68.232.35.54:80 fea.iwincdn.com tcp
GB 216.58.201.104:80 www.googletagmanager.com tcp
US 8.8.8.8:53 cimg.iwin.com udp
US 8.8.8.8:53 ws-iplay.iwin.com udp
US 34.225.51.228:80 ws-iplay.iwin.com tcp
GB 143.204.68.16:80 cimg.iwin.com tcp
US 8.8.8.8:53 download.iwincdn.com udp
PL 93.184.221.131:80 download.iwincdn.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.35:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.200.35:80 o.pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
US 52.203.24.150:80 gm-iplay.iwin.com tcp
GB 13.224.245.88:80 dl.iwin.com tcp

Files

\Users\Admin\AppData\Local\Temp\nseFBED.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nseFBED.tmp\NSISdl.dll

C:\Users\Admin\AppData\Local\Temp\nsj21D4.tmp\nsProcess.dll

\Users\Admin\AppData\Local\Temp\nsj21D4.tmp\StdUtils.dll

\Users\Admin\AppData\Local\Temp\nsj3AD1.tmp\System.dll

C:\Users\Admin\AppData\Local\GamesManager\110402287\cdata.dat

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000001

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000002

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000003

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000004

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000005

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000006

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000007

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000008

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000009

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000a

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000b

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000c

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000d

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000e

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000f

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000010

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000011

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000012

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000013

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000014

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000015

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000016

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\Cache\index

C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe

C:\Users\Admin\AppData\Local\Temp\nsuA507.tmp\System.dll

C:\games\Iplay Games\Country Tales\cpromo\games\brawe\logo.tex

C:\games\Iplay Games\Country Tales\cpromo\games\brawe\thumbnail.tex

C:\games\Iplay Games\Country Tales\cpromo\games\brawe\priority.cfg

C:\games\Iplay Games\Country Tales\cpromo\system\texts\fr\cpromo-facebook.loc

C:\Users\Admin\AppData\Local\Temp\nsjA564.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsjA564.tmp\NSISdl.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-20 21:41

Reported

2024-09-20 21:43

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened (4 events) \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

SystemBiosVersion and SystemBiosDate carry the firmware vendor string (under VirtualBox the version begins with "VBOX"). Licensing and hardware-ID code in game launchers reads these values legitimately; what makes them notable here is that the same process also probes the VirtualBox-specific ACPI key above, which is the shape of a deliberate VM check rather than an incidental hardware lookup.
Description Indicator Process Target Count
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A 4
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A 4

Checks computer location settings

Geo\Nation holds the GeoID of the region configured for the user (the value GetUserGeoID returns). Installers read it for localisation and regional offers, so on its own this is a weak signal; for a sample tagged Banload it is the value to correlate with what was downloaded afterwards, since that family's delivery has historically been region-specific.
Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe N/A 3
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe N/A 2
N/A N/A C:\Program Files (x86)\GMInstaller\ugm_installer.exe N/A 59

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe N/A
File opened for modification C:\Program Files (x86)\GMInstaller\ugm_installer.exe C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe N/A
File opened for modification C:\Program Files (x86)\GMInstaller\ C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe N/A
File created C:\Program Files (x86)\GMInstaller\ugm_installer.exe C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe N/A
File created C:\Program Files (x86)\GMInstaller\iWinLauncher.exe C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe N/A
File created C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe N/A
File opened for modification C:\Program Files (x86)\GMInstaller\iWinLauncher.exe C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
This key is opened during ordinary locale initialisation; the signature (ATT&CK T1614.001) fires for every component in the chain, plain installer helpers included, so by itself it carries no targeting information. The Geo\Nation lookup above is the location check that actually discriminates.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\GMInstaller\ugm_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsp5C84.tmp\iWinInstallOptions.exe N/A
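
The four registry-discovery signatures above (the ACPI\DSDT\VBOX__ probe, the SystemBiosVersion/SystemBiosDate queries, Geo\Nation and NLS\Language) differ sharply in how much each says on its own. The Python below, an added example rather than code from the sandbox or the sample, encodes that difference as weighted rules, feeds them the rows transcribed from those tables, and scores each process. The category names, the weights and the bonus for a process that pairs the hypervisor probe with a BIOS query are assumptions of this example, not anything the report states.

```python
"""Classify sandbox registry events into fingerprinting categories and score
each process on how much of a VM/locale probe it performed.

Added example for this report, not code from the sandbox or the sample. The
EVENTS tuples are transcribed from the report's signature tables (one row per
distinct key/process pair); the category names, weights and the pairing bonus
are this example's own assumptions.
"""
import re
from collections import defaultdict

GLWORKER = r"\??\c:\games\Iplay Games\Country Tales\GLWorker.exe"
GAMESMANAGER = r"C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe"
IWININSTALLER = r"C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe"
GEO_NATION = (r"\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000"
              r"\Control Panel\International\Geo\Nation")
NLS_LANGUAGE = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# (operation, registry path, process image), transcribed from the report.
EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", GLWORKER),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", GLWORKER),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate", GLWORKER),
    ("Key value queried", GEO_NATION, GAMESMANAGER),
    ("Key value queried", GEO_NATION, IWININSTALLER),
    ("Key opened", NLS_LANGUAGE, SAMPLE),
    ("Key opened", NLS_LANGUAGE, GAMESMANAGER),
    ("Key opened", NLS_LANGUAGE, GLWORKER),
]

# (category, weight, pattern). Weights are assumptions about how much a key
# says on its own; NLS\Language is read during ordinary locale init by nearly
# every process, so it scores nothing.
RULES = [
    # ACPI table keys are named after the firmware OEM ID; VBOX__ exists only
    # under VirtualBox. Other hypervisors' IDs would be added here.
    ("hypervisor_acpi", 3, re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I)),
    # SystemBiosVersion/SystemBiosDate carry the firmware vendor string.
    ("bios_fingerprint", 2, re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\SystemBios(Version|Date)$", re.I)),
    # GeoID of the configured user region: the usual input for region gating.
    ("geo_nation", 1, re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("nls_language", 0, re.compile(r"\\Control\\NLS\\Language$", re.I)),
]
WEIGHTS = {name: weight for name, weight, _pattern in RULES}


def classify(path):
    """Return the category for a registry path, or None when no rule matches."""
    for name, _weight, pattern in RULES:
        if pattern.search(path):
            return name
    return None


def summarise(events):
    """Map each process image to the set of categories it touched."""
    touched = defaultdict(set)
    for _op, path, process in events:
        category = classify(path)
        if category is not None:
            touched[process].add(category)
    return dict(touched)


def score(categories):
    """Sum the weights; a hypervisor probe plus a BIOS query in the same
    process is a deliberate VM-detection routine, so that pairing earns +2."""
    total = sum(WEIGHTS[c] for c in categories)
    if {"hypervisor_acpi", "bios_fingerprint"} <= categories:
        total += 2
    return total


def report(events):
    """Return {process image: (score, sorted category list)}."""
    return {proc: (score(cats), sorted(cats)) for proc, cats in summarise(events).items()}


if __name__ == "__main__":
    for proc, (points, cats) in sorted(report(EVENTS).items(), key=lambda kv: -kv[1][0]):
        print(f"{points:2d}  {proc}\n    {', '.join(cats)}")
```

GLWorker.exe comes out on top because it combines the only hypervisor-specific key with the BIOS strings; the installer components score at most the Geo\Nation lookup, and every process in the chain touches NLS\Language, which is why that rule is weighted zero.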

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\iWinArcade C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\iWinArcade\installRoot = "c:\\games\\Iplay Games" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A

Modifies registry class

Two different things are mixed in this table. The VirtualStore\MACHINE\SOFTWARE\... rows from GamesManager.exe and iWinInstaller.exe are UAC registry virtualization redirecting a non-elevated 32-bit process's HKLM writes into the user's hive; the install metadata they record (InstallDir, GameExe, GameID, GameName) is ordinary. The GLWorker.exe rows are not: under one CLSID in HKLM\SOFTWARE\Classes\WOW6432Node\CLSID and one GUID key placed directly under the user's Classes hive it writes values with random-looking names (VQKkvskBTM, JwLJt, qyib, femb, twQs, tqpli, lkovdqw, uscCeXownBtO, GfcWozxmopaf) whose opaque data changes between writes, while also registering the HKLM CLSID as a .NET class (InprocServer32\Assembly = Microsoft.Vbe.Interop, Class = Microsoft.Vbe.Interop.CodePanesClass, RuntimeVersion = v2.0.50727). Frequently rewritten opaque values under a COM class key are a state or configuration store dressed as a registration; check on a clean host whether CLSID {CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D} exists at all and, if it does, what its InprocServer32 points to.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Country Tales\InstallDir = "c:\\games\\Iplay Games\\Country Tales" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\VQKkvskBTM = "`ow}TscPUEgqYmODeGk@k\x7f{_kg[cD" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\JwLJt = "LS~g\x7fCSx}YNxqW~a|~}J" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\JwLJt = "LS~g\x7fCSx}YNxqW~a|~}J" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\qyib = "STt^[Uhq^VXIt@WvLYSJ\x7f" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\qyib = "l\x7fLuly{zOhf`\x7fS~zOD\x7fuu" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\GfcWozxmopaf = "dk@LQuGOpCjmvtdTaHJgg}ElA" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\femb = "Ey`bTuJpDpMHAvDk|zSTUaTs]XJP" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\VQKkvskBTM = "`ow}TscPUEgqYmODeGk@k\x7fzOkg[cD" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\uscCeXownBtO = "`vXzedEhQ\\p{ZsdWVuHihSYaGNl}MG" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\JwLJt = "uvZ]TziJxrIzozoKiTcw" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\femb = "g^Otx[|CxSpaOLQtMJDChQhebCV`" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\twQs = "L{oAIRKBhRTWkAz^N" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\femb = "Ey`bTuJpDpMHAvDk\\zSTUadu\\urP" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\twQs = "UxsshWH`NoOSSSY[M" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\femb = "g^Otx[|CxSpaOLQt]JDChQpnbuJ`" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\tqpli = "yIHBCaEiDnOpbUtmVyvmuVSO@XkZ" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\VQKkvskBTM = "`ow}TscPUEgqYmODeGk@k\x7f{\x7fkg[cD" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\InprocServer32 \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\femb = "g^Otx[|CxSpaOLQteJDChQhuZEeP" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\InprocServer32\Assembly = "Microsoft.Vbe.Interop, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\GfcWozxmopaf = "eg~G`xb_UA`pEeriAp~_iVBIC" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\VQKkvskBTM = "EPdV]mpKKvC_WMJwA[Fh\\qeZUTb[\x7f" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\VQKkvskBTM = "EPdV]mpKKvC_WMJwA[Fh\\qdzUTb[\x7f" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\5498689878578615106 = "Country Tales" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\InprocServer32\Class = "Microsoft.Vbe.Interop.CodePanesClass" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\femb = "g^Otx[|CxSpaOLQtiJDChQtaFNap" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\VQKkvskBTM = "`ow}TscPUEgqYmODeGk@k\x7f{okg[cD" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\GfcWozxmopaf = "eg~G`xb_UA`pEeriAp~_iVBIC" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\YahooArcade C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\uscCeXownBtO = "`vXzedEhQ\\p{ZsdWVuHihSYaGNl}MG" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\twQs = "L{_AIRKBhRTWkAz^N" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\femb = "Ey`bTuJpDpMHAvDkPzSTUaxa@~vp" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\lkovdqw \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Country Tales\GameExe = "GameLauncher.exe" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\twQs = "UxcshWH`NoOSSSY[M" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D} \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\JwLJt = "uvZ]TziJxrIzozoKiTcw" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\VQKkvskBTM = "`ow}TscPUEgqYmODeGk@k\x7f{okg[cD" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\tqpli = "QaRhGQbxXgJYZP^zf}NgCRoAPVz[" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\femb = "g^Otx[|CxSpaOLQtaJDChQDw\x7fej@" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\uscCeXownBtO = "`vXzedEhQ\\p{ZsdWVuHihSYaGNl}MG" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\tqpli = "QaRhGQbxXgJYZP^zf}NgCRoAPVz[" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\qyib = "STt^[Uhq^VXIt@WvLYSJ\x7f" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Country Tales\GameID = "5498689878578615106" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\InprocServer32\RuntimeVersion = "v2.0.50727" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\uscCeXownBtO = "`xfw@\x7fbPbKSMVu^iFeIiyXXuqTOkY[" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\twQs = "UxcshWH`NoOSSSY[M" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\YahooArcade C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\femb = "Ey`bTuJpDpMHAvDkTzSTUaTce^y`" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Country Tales\GameName = "Country Tales" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\lkovdqw \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\femb = "Ey`bTuJpDpMHAvDkhzSTUa`zxNY@" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\VQKkvskBTM = "EPdV]mpKKvC_WMJwA[Fh\\qeJUTb[\x7f" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\twQs = "UySshWH`NoOSSSY[M" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\femb = "g^Otx[|CxSpaOLQu}JDChQpt}stP" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\VirtualStore\MACHINE\SOFTWARE C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\femb = "Ey`bTuJpDpMHAvDkdzSTUa||HXi`" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\{8AD15D97-D746-13D1-B2E4-0060975B8649}\lkovdqw \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}\tqpli = "yIHBCaEiDnOpbUtmVyvmuVSO@XkZ" \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A
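
One way to separate the GLWorker.exe rows in this table from ordinary COM registration is to treat any value under a {GUID} key whose name is outside the COM registration vocabulary as suspect, and to count how many distinct data strings it is rewritten with. The Python below is an added example, not code from the sandbox or the sample; its EVENTS are a subset transcribed from the table (the "\x7f" in the report's data strings stands for the DEL byte and is kept as a Python escape), and the vocabulary set and the rewrite threshold are this example's assumptions.

```python
"""Flag registry writes under CLSID/GUID keys whose value names are not part
of the COM registration vocabulary, and count how often each is rewritten.

Added example for this report, not code from the sandbox or the sample. The
EVENTS are a subset transcribed from the "Modifies registry class" table; the
vocabulary of legitimate COM value names and the rewrite threshold are this
example's assumptions.
"""
import re
from collections import defaultdict

GLWORKER = r"\??\c:\games\Iplay Games\Country Tales\GLWorker.exe"
IWININSTALLER = r"C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe"
HKLM_CLSID = (r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID"
              r"\{CFBB64FD-A1B2-9BA9-EBE9-603C0C89364D}")
HKCU_CLSID = (r"\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes"
              r"\{8AD15D97-D746-13D1-B2E4-0060975B8649}")
VIRTSTORE = (r"\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes"
             r"\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Country Tales")

# (key path, value name, data, process), transcribed from the report.
EVENTS = [
    (HKCU_CLSID, "VQKkvskBTM", "`ow}TscPUEgqYmODeGk@k\x7f{_kg[cD", GLWORKER),
    (HKCU_CLSID, "VQKkvskBTM", "`ow}TscPUEgqYmODeGk@k\x7fzOkg[cD", GLWORKER),
    (HKCU_CLSID, "VQKkvskBTM", "`ow}TscPUEgqYmODeGk@k\x7f{\x7fkg[cD", GLWORKER),
    (HKCU_CLSID, "VQKkvskBTM", "`ow}TscPUEgqYmODeGk@k\x7f{okg[cD", GLWORKER),
    (HKCU_CLSID, "JwLJt", "uvZ]TziJxrIzozoKiTcw", GLWORKER),
    (HKCU_CLSID, "qyib", "STt^[Uhq^VXIt@WvLYSJ\x7f", GLWORKER),
    (HKCU_CLSID, "twQs", "UxsshWH`NoOSSSY[M", GLWORKER),
    (HKCU_CLSID, "twQs", "UxcshWH`NoOSSSY[M", GLWORKER),
    (HKCU_CLSID, "twQs", "UySshWH`NoOSSSY[M", GLWORKER),
    (HKCU_CLSID, "femb", "g^Otx[|CxSpaOLQtMJDChQhebCV`", GLWORKER),
    (HKCU_CLSID, "femb", "g^Otx[|CxSpaOLQt]JDChQpnbuJ`", GLWORKER),
    (HKCU_CLSID, "femb", "g^Otx[|CxSpaOLQteJDChQhuZEeP", GLWORKER),
    (HKCU_CLSID, "femb", "g^Otx[|CxSpaOLQtiJDChQtaFNap", GLWORKER),
    (HKLM_CLSID, "femb", "Ey`bTuJpDpMHAvDk|zSTUaTs]XJP", GLWORKER),
    (HKLM_CLSID, "femb", "Ey`bTuJpDpMHAvDkPzSTUaxa@~vp", GLWORKER),
    (HKLM_CLSID, "femb", "Ey`bTuJpDpMHAvDkTzSTUaTce^y`", GLWORKER),
    (HKLM_CLSID, "uscCeXownBtO", "`vXzedEhQ\\p{ZsdWVuHihSYaGNl}MG", GLWORKER),
    (HKLM_CLSID, "uscCeXownBtO", "`vXzedEhQ\\p{ZsdWVuHihSYaGNl}MG", GLWORKER),
    (HKLM_CLSID + r"\InprocServer32", "Assembly",
     "Microsoft.Vbe.Interop, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C", GLWORKER),
    (HKLM_CLSID + r"\InprocServer32", "Class", "Microsoft.Vbe.Interop.CodePanesClass", GLWORKER),
    (HKLM_CLSID + r"\InprocServer32", "RuntimeVersion", "v2.0.50727", GLWORKER),
    (VIRTSTORE, "InstallDir", r"c:\games\Iplay Games\Country Tales", IWININSTALLER),
]

# Value names that belong in a COM class registration (the CLSID key and its
# InprocServer32/LocalServer32 subkeys). Anything else under a GUID key is odd.
COM_VALUE_NAMES = {
    "", "(Default)", "AppID", "Assembly", "Class", "CodeBase", "InprocHandler32",
    "InprocServer32", "LocalServer32", "ProgID", "RuntimeVersion", "ThreadingModel",
    "TypeLib", "Version", "VersionIndependentProgID",
}
GUID_KEY = re.compile(r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


def is_guid_key(path):
    """True when the key path contains a {GUID} component (CLSID-style key)."""
    return GUID_KEY.search(path) is not None


def odd_values(events):
    """Return {(key, value name): set(distinct data)} for writes under GUID
    keys whose value name is outside the COM registration vocabulary."""
    seen = defaultdict(set)
    for key, name, data, _process in events:
        if is_guid_key(key) and name not in COM_VALUE_NAMES:
            seen[(key, name)].add(data)
    return dict(seen)


def churned_names(events, threshold=3):
    """Odd value names rewritten with at least `threshold` distinct data
    strings: the key is being used as mutable state, not as a registration."""
    return sorted({name for (_key, name), datas in odd_values(events).items()
                   if len(datas) >= threshold})


if __name__ == "__main__":
    for (key, name), datas in odd_values(EVENTS).items():
        print(f"{len(datas):2d} distinct  {name:14s} {key.rsplit(chr(92), 1)[-1]}")
    print("churning:", churned_names(EVENTS))
```

The InprocServer32 values pass because they are real registration names, the iWinInstaller.exe VirtualStore row never enters the check because its key has no GUID component, and VQKkvskBTM, femb and twQs surface as the values GLWorker.exe keeps rewriting.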

Modifies system certificate store

evasion spyware trojan
AuthRoot is the store that Windows' automatic root-certificate update fills when a process validates a TLS chain ending in a Microsoft-trusted root that is not yet cached locally; the thumbprint written here, B1BC968BD4F49D622AA89A81F2150152A41D829C, is the GlobalSign Root CA. A write to AuthRoot by a process that is making HTTPS connections is therefore the expected side effect of that traffic, not an attacker-installed root. A planted root would appear under SystemCertificates\ROOT (or the user's ROOT store) with a thumbprint absent from Microsoft's published AuthRoot list (authroot.stl); compare against Cert:\LocalMachine\AuthRoot on a clean host before treating this signature as evasion.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted; written twice with identical data) C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe N/A 48
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A 4

Suspicious use of AdjustPrivilegeToken

"Token: 33" is a privilege LUID the sandbox does not name: SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). Enabled together with SeIncBasePriorityPrivilege it is what ordinary priority and working-set tuning requests, not an elevation step. AUDIODG.EXE is Windows Audio Device Graph Isolation, a system process rather than a component the sample dropped.
Description Indicator Process Target Count
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A 1
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A 1
Token: 33 N/A \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A 4
Token: SeIncBasePriorityPrivilege N/A \??\c:\games\Iplay Games\Country Tales\GLWorker.exe N/A 4

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A

Suspicious use of WriteProcessMemory

Every row here is a write from a parent into a process it is itself starting: the Target column is the child image, and no child pid appears as a target of any other process. Process creation writes into the new process while setting it up, so the repeated rows per pair are consistent with that rather than with injection into a pre-existing process. The lineage the pairs give is: ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe (4032) starts GamesManagerInstaller.exe (4992) and GamesManager.exe (3608); GamesManager.exe starts two awesomium_process.exe instances (4452, 3040) and iWinInstaller.exe (3376); iWinInstaller.exe starts preinstall-options.exe (2188). What would change the reading is a write into a pid that is not the writer's own child.
Description Indicator Process Target Count
PID 4032 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe 3
PID 4032 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe 3
PID 3608 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe 3
PID 3608 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe 3
PID 3608 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe 3
PID 3376 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe 3
PID 3376 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe
PID 3376 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe
PID 3376 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe
PID 2628 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe C:\Users\Admin\AppData\Local\Temp\nsp5C84.tmp\iWinInstallOptions.exe
PID 2628 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe C:\Users\Admin\AppData\Local\Temp\nsp5C84.tmp\iWinInstallOptions.exe
PID 2628 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe C:\Users\Admin\AppData\Local\Temp\nsp5C84.tmp\iWinInstallOptions.exe
PID 3608 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 3608 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 3608 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 3608 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 3608 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 3608 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 3608 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 3608 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 3608 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 3608 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 3608 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 3608 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe

C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe

C:\Program Files (x86)\GMInstaller\ugm_installer.exe

"C:\Program Files (x86)\GMInstaller\ugm_installer.exe"

C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe

"C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" -config.uri=http://gm/iwin/index.html -config.iwinrequest=PF/5498689878578615106/5498689883522729028/13/0 -config.channel=110341560

C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe

"C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe" --type=renderer --enable-logging --log-level=2 --no-sandbox --user-agent="NextDM/2.16.2.1015 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.16.2.1015 110341560 WinVer/6.2 [x64]" --awesomium-log-path="C:\Users\Admin\AppData\Local\GamesManager\./awesomium.log" --lang --channel=3608.02E62C80.1361212461 /prefetch:3

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x474 0x2c8

C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe

"C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe" --type=gpu-process --channel=3608.02EF4CD0.985214649 --enable-logging --log-level=2 --no-sandbox --awesomium-log-path="C:\Users\Admin\AppData\Local\GamesManager\./awesomium.log" /prefetch:12

C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe

"C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe" -gmregcopysrc="HKEY_LOCAL_MACHINE\Software\iWinArcade" -gmregcopydest="HKEY_CURRENT_USER\Software\IplayArcade" -gmregcopylocalmachinedest="HKEY_LOCAL_MACHINE\Software\IplayArcade" -gmregisiwin=true -gmchannelcode=110341560 -game.sku="5498689878578615106" -game.name="Country Tales" -gmregcopyvirtual=HKU\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade -gmreg="Software\IplayArcade" -gmexe="IplayGames.exe" -gmregkey="Install_Dir" -installer="C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe" -preinstallurl="http://gm-iplay.iwin.com/dl/preinstall-options.exe" -gamestring=5498689878578615106 -config.installRoot="c:\games\Iplay Games" -gmInstallRootRegKey="HKEY_CURRENT_USER\Software\iWinArcade\installRoot"

C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe

"C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe" -gamestring=5498689878578615106 /S

C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe

"C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe" /S

C:\Users\Admin\AppData\Local\Temp\nsp5C84.tmp\iWinInstallOptions.exe

"C:\Users\Admin\AppData\Local\Temp\nsp5C84.tmp\iWinInstallOptions.exe" /S

\??\c:\games\Iplay Games\Country Tales\GLWorker.exe

"c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106

\??\c:\games\Iplay Games\Country Tales\GLWorker.exe

"c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106

\??\c:\games\Iplay Games\Country Tales\GLWorker.exe

"c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106

\??\c:\games\Iplay Games\Country Tales\GLWorker.exe

"c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106
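
The "Suspicious use of WriteProcessMemory" table above is the only place this report ties PIDs to image paths, and each parent/child pair is listed three times. The Python script below is an added example, not part of the sandbox report: it parses a copy of those rows (the first pair kept with its three repeats, every other pair listed once), collapses the repeats, and reconstructs the process tree. The regular expression and the choice of which rows to embed are the editor's.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above.
# The first pair is kept with its three repeats; every other pair is listed once.
WPM_ROWS = r"""
PID 4032 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe
PID 4032 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe
PID 4032 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\GamesManagerInstaller.exe
PID 4032 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\ee79991defde27b1bbc6713c57861d6c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
PID 3608 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 3608 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 3608 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe
PID 3376 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
PID 3376 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe
PID 2628 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe C:\Users\Admin\AppData\Local\Temp\nsp5C84.tmp\iWinInstallOptions.exe
PID 3608 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 3608 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 3608 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
PID 3608 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
"""

# Paths contain spaces, so split on where the second path starts (C:\ or \??\)
# rather than on whitespace.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A "
    r"((?:C:\\|\\\?\?\\).*?) ((?:C:\\|\\\?\?\\).*)$"
)


def parse_edges(text):
    """Return (edges, paths). edges maps (parent_pid, child_pid) -> (parent_path,
    child_path) with repeated writes collapsed, in first-seen order; paths maps
    pid -> image path."""
    edges, paths = {}, {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank line or not a WriteProcessMemory row
        ppid, cpid = int(m.group(1)), int(m.group(2))
        edges[(ppid, cpid)] = (m.group(3), m.group(4))
        paths.setdefault(ppid, m.group(3))
        paths.setdefault(cpid, m.group(4))
    return edges, paths


def build_tree(edges):
    """Roots are PIDs that never appear as the target of a write."""
    children = defaultdict(list)
    for ppid, cpid in edges:
        children[ppid].append(cpid)
    kids = {c for _, c in edges}
    roots = [p for p in dict.fromkeys(p for p, _ in edges) if p not in kids]
    return roots, dict(children)


def render(roots, children, paths):
    """Indented tree lines of the form '<pid> <image basename>'."""
    out = []

    def walk(pid, depth):
        name = paths[pid].rsplit("\\", 1)[-1]
        out.append("  " * depth + f"{pid} {name}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return out


if __name__ == "__main__":
    edges, paths = parse_edges(WPM_ROWS)
    roots, children = build_tree(edges)
    print("\n".join(render(roots, children, paths)))
```

Run stand-alone it prints the chain: the submitted sample starts GamesManagerInstaller.exe and GamesManager.exe; GamesManager.exe starts two awesomium_process.exe renderers, iWinInstaller.exe and four GLWorker.exe instances; iWinInstaller.exe starts preinstall-options.exe and the downloaded 5498689878578615106.exe, which unpacks iWinInstallOptions.exe. Two caveats: ugm_installer.exe, listed under Processes above, has no row in this table, so its parent cannot be recovered from this signature alone; and every write here targets a child the writer has just created rather than an unrelated process, so this signature on its own does not indicate injection.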

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 dl.iwin.com udp
GB 13.224.245.78:80 dl.iwin.com tcp
US 8.8.8.8:53 78.245.224.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 static.iwincdn.com udp
FR 68.232.35.54:80 static.iwincdn.com tcp
US 8.8.8.8:53 54.35.232.68.in-addr.arpa udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 gm-iplay.iwin.com udp
US 52.203.24.150:80 gm-iplay.iwin.com tcp
US 52.203.24.150:80 gm-iplay.iwin.com tcp
US 52.203.24.150:80 gm-iplay.iwin.com tcp
US 8.8.8.8:53 150.24.203.52.in-addr.arpa udp
US 8.8.8.8:53 fea.iwincdn.com udp
FR 68.232.35.54:80 fea.iwincdn.com tcp
US 8.8.8.8:53 cimg.iwin.com udp
US 8.8.8.8:53 ws-iplay.iwin.com udp
GB 216.58.201.104:80 www.googletagmanager.com tcp
US 52.203.24.150:80 ws-iplay.iwin.com tcp
GB 143.204.68.129:80 cimg.iwin.com tcp
US 8.8.8.8:53 download.iwincdn.com udp
PL 93.184.221.131:80 download.iwincdn.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 104.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 129.68.204.143.in-addr.arpa udp
US 8.8.8.8:53 131.221.184.93.in-addr.arpa udp
GB 142.250.200.35:80 c.pki.goog tcp
PL 93.184.221.131:80 download.iwincdn.com tcp
PL 93.184.221.131:80 download.iwincdn.com tcp
PL 93.184.221.131:80 download.iwincdn.com tcp
PL 93.184.221.131:80 download.iwincdn.com tcp
PL 93.184.221.131:80 download.iwincdn.com tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.200.35:80 o.pki.goog tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 gm-iplay.iwin.com udp
US 44.195.99.77:80 gm-iplay.iwin.com tcp
US 8.8.8.8:53 77.99.195.44.in-addr.arpa udp
US 8.8.8.8:53 dl.iwin.com udp
GB 13.224.245.78:80 dl.iwin.com tcp
US 8.8.8.8:53 ws-iplay.iwin.com udp
US 52.203.24.150:80 ws-iplay.iwin.com tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
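
The Network table mixes the sandbox's own resolver traffic, reverse (PTR) lookups and link-local mDNS with the hosts the sample actually connected to. The Python below is an added example, not part of the report: it reduces a copy of the rows (a subset of the table above, in the same layout) to the contacted endpoints, keeps third-party certificate and tag-manager hosts apart from the iwin distribution hosts (that split is the editor's classification, not the report's), lists names that were resolved but never contacted, and flags endpoints reached under more than one hostname.

```python
from collections import defaultdict

# Rows copied from the Network table above (a subset, in the report's own
# "Country Destination Domain Proto" layout; the mDNS row has no domain).
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 dl.iwin.com udp
GB 13.224.245.78:80 dl.iwin.com tcp
US 8.8.8.8:53 78.245.224.13.in-addr.arpa udp
US 8.8.8.8:53 static.iwincdn.com udp
FR 68.232.35.54:80 static.iwincdn.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 gm-iplay.iwin.com udp
US 52.203.24.150:80 gm-iplay.iwin.com tcp
US 52.203.24.150:80 gm-iplay.iwin.com tcp
US 8.8.8.8:53 fea.iwincdn.com udp
FR 68.232.35.54:80 fea.iwincdn.com tcp
GB 216.58.201.104:80 www.googletagmanager.com tcp
US 52.203.24.150:80 ws-iplay.iwin.com tcp
GB 143.204.68.129:80 cimg.iwin.com tcp
PL 93.184.221.131:80 download.iwincdn.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.35:80 c.pki.goog tcp
GB 142.250.200.35:80 o.pki.goog tcp
US 44.195.99.77:80 gm-iplay.iwin.com tcp
US 8.8.8.8:53 77.99.195.44.in-addr.arpa udp
"""

RESOLVER = "8.8.8.8:53"     # the sandbox's DNS resolver
MDNS = "224.0.0.251:5353"   # link-local multicast DNS, not attributable to the sample
# Third-party infrastructure reported separately from the iwin distribution hosts.
# This split is the editor's assumption, not a classification made by the report.
INFRA_SUFFIXES = (".pki.goog", "googletagmanager.com")


def parse_rows(text):
    """Yield (country, destination, domain, proto); domain is '' when absent."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or ":" not in f[1]:
            continue  # header line or blank
        domain = f[2] if len(f) == 4 and f[2] != "N/A" else ""
        yield f[0], f[1], domain, f[-1]


def triage(text, infra_suffixes=INFRA_SUFFIXES):
    contacted = defaultdict(set)  # hostname -> {ip:port} actually connected to
    queried = set()               # names sent to the resolver
    reverse = 0                   # PTR lookups: sandbox/browser noise
    for _country, dest, domain, _proto in parse_rows(text):
        if domain.endswith(".in-addr.arpa"):
            reverse += 1
        elif dest == MDNS:
            continue
        elif dest == RESOLVER:
            if domain:
                queried.add(domain)
        else:
            contacted[domain or dest].add(dest)
    ioc = {h: sorted(e) for h, e in contacted.items() if not h.endswith(infra_suffixes)}
    infra = {h: sorted(e) for h, e in contacted.items() if h.endswith(infra_suffixes)}
    return {
        "ioc": ioc,
        "infra": infra,
        "dns_only": sorted(queried - set(contacted)),  # resolved but never contacted
        "reverse_lookups": reverse,
    }


def shared_endpoints(result):
    """Endpoints reached under more than one hostname (shared CDN or front end)."""
    by_ep = defaultdict(list)
    for host, eps in {**result["ioc"], **result["infra"]}.items():
        for ep in eps:
            by_ep[ep].append(host)
    return {ep: sorted(h) for ep, h in by_ep.items() if len(h) > 1}


if __name__ == "__main__":
    r = triage(NETWORK_ROWS)
    for host, eps in r["ioc"].items():
        print(f"{host:28} {', '.join(eps)}")
    print("infra:", r["infra"])
    print("dns-only:", r["dns_only"], "reverse lookups dropped:", r["reverse_lookups"])
    print("shared:", shared_endpoints(r))
```

On these rows the seven iwin hosts come out as the IOC set, with gm-iplay.iwin.com reached at two addresses over the run and the two iwincdn.com names sharing one endpoint. The c.pki.goog and o.pki.goog connections fit the "Modifies system certificate store" signature listed in the summary and are kept out of the IOC set for that reason; whether to block them is a policy decision, not something the report settles.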

Files

C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\System.dll

MD5 c6f5b9596db45ce43f14b64e0fbcf552
SHA1 665a2207a643726602dc3e845e39435868dddabc
SHA256 4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0
SHA512 8faa0204f9ed2721acede285be843b5a2d7f9986841bcf3816ebc8900910afb590816c64aebd2dd845686daf825bbf9970cb4a08b20a785c7e54542eddc5b09a

C:\Users\Admin\AppData\Local\Temp\nsw9793.tmp\NSISdl.dll

MD5 9c90c746adae5171c52b932080113331
SHA1 2eb66e61ad38a33aa6e6c245e84e0a78dfcc5460
SHA256 5b7be83ff4f023eba8d2d7ab972b067a904adc71f56a50cb367619cd116d0e92
SHA512 fca06b4b39fdd76002487a4f9a454bec5507b2355a0e4e2dfe044e2def52bbd01aa5d2a0077703f7b8814b248743fac2b84fd37f611e04281f7e5c428e245565

C:\Users\Admin\AppData\Local\Temp\nsrB210.tmp\nsProcess.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

C:\Users\Admin\AppData\Local\Temp\nsrB210.tmp\StdUtils.dll

MD5 c291f96471927e7bc49398b0de7168dd
SHA1 eda478005d69ee86126a8378de5007b139e20a5d
SHA256 c169393e49723cfdcdcbcf80e062be9e841539f90e4b7b85b482212715a1f7c6
SHA512 b4244615e99617d437d3120f201ca88c7ab4a6b4b84e7f0c3b4495a0fe8c979e04feaa08f11ad14fa92f002a3a521422221132ff54a081ef1c6bcbdf09d5929d

C:\Users\Admin\AppData\Local\Temp\nstCFBB.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

C:\Users\Admin\AppData\Local\GamesManager\110402287\cdata.dat

MD5 11e4b4414b6271b8f8c45511f97d4e5a
SHA1 65ee25560144d22bf7f8bce3b8742a856a8ee6d1
SHA256 db67ca3cf89a6fccd13aa21207e279c3fd3c7bcaf181c65ecfc18cf2da289eb3
SHA512 68e8bce33cfc588f800f486f51c8a1e27b12e58af336946102d61a451341eee875b4cbb2a4203f3cade174b21f9e74cd82d15988abb107564c87c2e3bd088c58

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000001

MD5 e2ff9e87912d08576c7f26a8014b2525
SHA1 026136afd27657e7edead2f12310275af249caac
SHA256 5e663896f40416a2d5f159e0433dbc9019dbe9d05abb34c1f3a5b38a88b5c03a
SHA512 7b4dfe37205909f2f14669c965821a91daba8be383ce83d119fde5d290bc938eeaf0c70e9d27998f00dc6cdca0d0c0b1b2bbdc13ac2662fc4e766919e092e1d9

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000005

MD5 8c81fab58b8ed37b527b16a37a8065c3
SHA1 5d3d58f8833d9975d6dd5e7153b22a936f2f76bd
SHA256 74d4acb9d62968980f8a096977e3bf42c1ccffb0c7501a7fff1a0ba589b56bd7
SHA512 e99c9eae7718c4154bc2895431261e1ac3cafda565d85474876be004063742d84af1c20f970dd1f30c9c5acbb00d3e7357f7a13376730cbd987a24dcc4086699

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000004

MD5 7fd8ffea25728006bfddf7e6c7c122cd
SHA1 e3049e9f8a643b8b2cfd2ca5e6ab8bfd483efe99
SHA256 0a6c4c4db171663b9b1c533a4dd6938e22cb4d5b9607d0ca92a20c1354018b49
SHA512 477467568f8c24772fd83680db1e9750c7e377cb706c0fa734e9c8b1bc847cf9a60f4be444044bdbfa4cdb9cb4352f86edd1ea70bdcd86a20b361f9acb2cd58f

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000003

MD5 a959af924d21c7b788fe197caf03fc40
SHA1 21733827a5501133619b8ac4533201267d1afa3f
SHA256 4d191ea72953f5806161c3c16ae8e4bb629b47156481bd074acfa5db08000016
SHA512 1fa28a7fe716b328fc43b3e8993875977a2e9f39fd02dfce313d27021403ddfaf7f19c7607bf1350c4c2f05a38170d3621ed33cc60f8b38fb9d1dbda63b120e7

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000002

MD5 ae0a675e3e15e28aab8246028df16236
SHA1 772b2587aa2fa345fb760eff9ebe5acd97937243
SHA256 49f14bad610f40f0ae76a33c55ef89a1e694219bab49b1b99cb53d754774c0fc
SHA512 21723efa6aaa2fa599b42c1480c380c24f9aaf14755e82e88054e80713454408bfb047ba77d921d71573d2319f14f134938f3401aa3b92b756670b7c99892caa

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000007

MD5 962bf963a37a6d84fe7fb552763dc094
SHA1 cac681467dac917122dd9b57bd9a78781549a523
SHA256 2f49797d196f00bb331663ac1564c775d65ed1bfb508aec9e4c3b6fc89bb4dc0
SHA512 e378da6a0d29f91eb5a0de3876fda0cc1b5a6e6632f5ddf0d45fcc909084aad70bd99b97a29df15d271593701bd77a92766a1f091540dc3cdf699c9d831b6192

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000006

MD5 032f7a630c11189923cae95fb0fa6892
SHA1 74dddaa937b077fb98b584b20e1a3e3ad1bee422
SHA256 b0b84f6aca649b3b9131799ed0983e03b113497df4f33e30a3389ee1b34687ee
SHA512 e24c5a9dfd1f6fcd07dea0b3723a0794fe27042c2f52d0b869e8224ed0a442e73e24d265103ba2f11783b8c408f9724ba11ef76a1e3330ee3b78156ebad406bf

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000008

MD5 5cc4154e0c0dac8dfeea73c07ccdc83e
SHA1 5d2d995d51b8855d1e1e43b85d8b5a9d22b796ad
SHA256 12d5f1be9a764164f4cc6e7dda726c4ea3d19ea79382d28c75b0dea862608968
SHA512 1112959cfecc25efae799b566dff24f7bfafc60ddd8974ce0cdd653ee834a57090d9f78e2773ad9a826e0ba6e1487c49e1ef957c34385c262914f09ea8b26157

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000009

MD5 b41c0b75a60eab42145e9d0b17408b0b
SHA1 0f3151c6c22834079b55fcea9d873c0184b3fd7c
SHA256 209dc679252feca2725cafb6e8fc314f2618bd748db846be6b4e0ca71c55a330
SHA512 f728be6cb869a6279a6ba1d85865c510c6f9905a04226a25965b7b5eb0feadbaf4364f4508b08292eb597b2a9fe14af4e6fa8a9eb56f4e704108dc09e862edbe

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000a

MD5 4e5d5ff08a7703b746695ec19bf96b88
SHA1 3496f9b943d53c957ed8481e3e2cd1ecc0decb4e
SHA256 3e05db9eae5443e2b629ae73496a7872602094fcf63d11eb5d99e63911c89d1e
SHA512 cabe3907ea165502d90b847642cbc4be99108b6eb18ad251f2acfe988131b2ed12fab8516e374c5e2a19b10c9df9c9ed3252cbffb7cd0c0fb9dcd258e2f4bb31

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000b

MD5 0128fb0696c3dd27adc2286988bf9042
SHA1 343db277048078eb9a12b76b8f482aae5d9e7ac2
SHA256 13bf19f7b084c49a6ef22dee10328411f4764e765209956bc1d01c8120cdacdb
SHA512 173b2bd5cdf252380286622fcb9ebd72c361788fcd00a04274dc330f7d20cc152cc29506bd5d03768518bab23053ec98c0ae522fe600987a479a15279d72acbd

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000c

MD5 201f988a9071a4a4a3d188bdecda38f5
SHA1 4ad903f73ee31f12b1c9e4c820439273cbc92727
SHA256 53c53364808c175a6038f9d0aae8fe3d1f5ce3cf87d5e9fa08f603d845633b37
SHA512 d9af07915a589ee48b08a1b8880d88d6215438292f4a227cbc809086c2dbd5735713c0929758359a8f3391dae746cd9b9de7885d5af560698a21be7d9f5bc025

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000d

MD5 516a9c398435f4e0e519d13091892fca
SHA1 c1a8a3747fed87cf8699c18b6f80f5369e207908
SHA256 de5c4e5ba7b850bbe5d35de5b20f4fd875be1f77ef73f7431172d1e0f6496dc6
SHA512 b79eab3e4abc5bd164d27f282a9913ad0c82bdbcb028be5137b77a429e6384e715d05a90014c23298152d2fe3ad2f90309ca028727ed9750cf29fd55b6d75302

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000e

MD5 4d0d60167bc23a412bcd8880d59e13d8
SHA1 cfbf2a6ed97ed0a30c571d2bbd6eb60731eaea27
SHA256 cd299b9251186ebf3bb0e928e4f710b3b542f0cde01bea6832cbada49138a85d
SHA512 6d56d41161bbe491a8f847ae3782e283a61d40d499d91fa6ef82ea845b347b8337b84e69024828dcbbf884b167afca67bdd67c7593a1a90950bab6fbdbb8eeba

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000f

MD5 b6438c9bc90d3e87381b574cdf17ae97
SHA1 86051ff3f018c1a475162597dab27079eef2ec7a
SHA256 a6db907a7ac399d7e920de4ac4b4a92808542039ba32dc6758637bffb413d56d
SHA512 c4d56c8880d5c27085cf64531d2620f84c950107fdda28986eb0bb4d2ce1b4a90f0d890b72f60b48ef2637b3dab7fd99ccf1f507c949ce5f66b52f756c3c6fe6

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000010

MD5 af693f9aea7dae36fb3bef4c9b6e56fb
SHA1 0d7896e2bb23f88e26e52b22a075350b354df447
SHA256 1717ea1fde8ceb7584341a24efc85c853083c660a1185968fbf94520f7193de2
SHA512 11cad7c40e29808104a9b84cfe2f4f1aa80f4ad06a07fd1379c64818fe869c6b6036af36f4dd3304e19b612141e9cf7b04e11c7a38a721ad03c067d9c07b266a

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000011

MD5 3c4b51f57a2ff4369261b845d84ca1ea
SHA1 3bb9a2f72d5fa0a9c4140ab74212d4cdd25fa323
SHA256 379bc709031d0e429a41012efd921210bcfd409ecaabe35257a3716032eb99a3
SHA512 81d0120f63e30cc5b31fc98af2caf75cd836defedf08a1918b019a4bd7fdc9746340ef81f7ead84299d6eceb3812a6edc79481344dd7ef19d7af572b1f2bac3d

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000016

MD5 5a52b3c4658c45fa0d16f1b245cba28d
SHA1 1066afce3c4ca00ca7f61c628f6ba4a615b50c4f
SHA256 f148af9bffe215b1396117bb04aeb9f35fc82f346999a767a363198e9878ceae
SHA512 08ed56e8ef57a87bc84cc82355fbb9b5742a3a3218c5bf27369d2fc7d71d5c740af8c8830a85af3544ae5f2e96f59c9a0267a512a5c009c3e03683a3ef5f85bd

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000015

MD5 112aef1f1740c497873762c576ba91ec
SHA1 63de6bd3e38f536213dddddb20c5cb61c232078f
SHA256 7f6a44eb7632c2cb6f990ede10a58c2cc3fb923bae1761f1be8e2a9ea3847b78
SHA512 9b3f9e5b4f911e0fc8404e89a68e308b14b4d2470d8358f95991d04abbc5ee04e3d93255deba720d3589f278938cf92710cc4f38f6b26c778d82d4680da89fbb

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000014

MD5 7776d481997157e93d96f8589c3ae050
SHA1 13007e647ea91299b5aaaf7fc03a30bb65c38cd0
SHA256 74cd4d1f792e1200fd426048b53970c4eaeb5e5c1c789d034bffdff68167b3be
SHA512 12401e53282bcb20f6287f73b0d51c1c018cb0013df2d03e7d719eaa9e7fe952b9252c22445b67acdd78696f7b464045aed14f6e795922680fe733a0084a6217

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000013

MD5 107a4b9f1d95df5b969cced5c7248ded
SHA1 9341318acb76e81987277b335656f6d265066691
SHA256 295eac26825508b5f37f27c69b99d426582fe80752f636c69f1795be8f5d5ea4
SHA512 36c22b62a0377831b37ecc4f34b6912842bc57c2f9351548d1ba120ca2c9abaca709cd40046abc06d4b77694cbf1977b8f5d7ce899653f130ac697402e127857

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000012

MD5 5ce0a99458a2c7f2c0a6f3eb1a03d1d5
SHA1 6b3fdc4185f603a0948d2e8b7bc818763d7e2668
SHA256 6c5c0a29044c5aeec37211b18908acd0576b9dabc9d6fe95c8066cdc55146c0f
SHA512 5939d60a40f729b7ea19d6c9c1d264d7a174c6436748ea8c9619e7a20c1f1d4889f7e9b4cd017a889c985e9d2fd272e01d3e03d6b97325b2e8de5f3f9e1f2d67

memory/4452-1047-0x0000000000850000-0x0000000000862000-memory.dmp

memory/4452-1052-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1085-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1092-0x0000000071A90000-0x0000000071AC3000-memory.dmp

memory/4452-1091-0x0000000071A90000-0x0000000071AC3000-memory.dmp

memory/4452-1090-0x0000000071A90000-0x0000000071AC3000-memory.dmp

memory/4452-1089-0x0000000071A90000-0x0000000071AC3000-memory.dmp

memory/4452-1088-0x0000000071A90000-0x0000000071AC3000-memory.dmp

memory/4452-1087-0x0000000071A90000-0x0000000071AC3000-memory.dmp

memory/4452-1086-0x0000000071A90000-0x0000000071AC3000-memory.dmp

memory/4452-1084-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1083-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1082-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1081-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1080-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1079-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1078-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1076-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1075-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1074-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1073-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1072-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1070-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1069-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1068-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1067-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1066-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1064-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1063-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1062-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1061-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1060-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1059-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1058-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1056-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1055-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1054-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1077-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1071-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1065-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1057-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1053-0x0000000071B00000-0x0000000071CB2000-memory.dmp

C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\Cache\index

MD5 8800ca4ae711869652e8e191a949d5cf
SHA1 e911075e12d830dd02acfb2f0b2f08311fae618f
SHA256 777aa3731f9ff596fadb43ad560f7248509341681741332531a5450b7694dc78
SHA512 daa26ecf10d3d0f26852a198116e56485232e6098c778f9e02ef43a222027d0e3366a8a44f2a5cb26175efc7f54f1839a1cff5607dad756d8e6ddf343e1dca11

memory/4452-1107-0x0000000071AD0000-0x0000000071AF7000-memory.dmp

memory/4452-1108-0x0000000071A90000-0x0000000071AC3000-memory.dmp

memory/4452-1106-0x0000000071B00000-0x0000000071CB2000-memory.dmp

memory/4452-1109-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

memory/4452-1175-0x0000000071A90000-0x0000000071AC3000-memory.dmp

memory/4452-1174-0x0000000071AD0000-0x0000000071AF7000-memory.dmp

memory/4452-1173-0x0000000071B00000-0x0000000071CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe

MD5 455171a0d8585480d318102d13ca1faf
SHA1 16263b90994f2882ae03d8d190dca0df1204c0a2
SHA256 626953268197dacf5491197a3c4c60b4f2a14c3e878efb640eb48f34c9b23e31
SHA512 8961af0da23f63f5f4fa258bc6532e7ba95ffcdfed71ab813fa0715696b70452f4ef127ed08391edf22dd1fe01e38ee1921551ecba9bb5a79ef18d44ca16d11d

C:\Users\Admin\AppData\Local\Temp\nsi581F.tmp\System.dll

MD5 56a321bd011112ec5d8a32b2f6fd3231
SHA1 df20e3a35a1636de64df5290ae5e4e7572447f78
SHA256 bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
SHA512 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

C:\games\Iplay Games\Country Tales\cpromo\games\brawe\logo.tex

MD5 81de96307f568c5e50da13b9751e65ae
SHA1 4e01b95dee60b1bcc74384f6ca8ab36538b087b3
SHA256 6d52c4e2664c8d1465ebe769535e747b0770d257cde8d0b23caee024554bc895
SHA512 7d1da1cd6f39970d4e5ca9127051e1072cfaeb78cf504dba2c1f5578e216d1fed9a513943e82b4ab344b4ed8bd84a829e6ed49d43601a6019af7ed6be9e4c95d

C:\games\Iplay Games\Country Tales\cpromo\games\brawe\priority.cfg

MD5 39747ea0539ca7a983e27ad38a7feef9
SHA1 de1d226c21dcefbac496b1c1c2a04aec5a7f1c6c
SHA256 200abc16639b302d5ad0954412decbf85afb6373ce0bef661371860b36f443ca
SHA512 8bf6e2c9262e0bd9e445a6263bcf71837d7b8ce955a11f5ce808cacf9c27eb8e2eb5d27629db87f89132fc00117b91b32a80309a566b98909d505b61e7aca69c

C:\games\Iplay Games\Country Tales\cpromo\games\brawe\thumbnail.tex

MD5 1dbce5bd17261f01d55f0e1ce678a5be
SHA1 7c957dd1cb44998773a7dfc9478b35c6ebca08d5
SHA256 b4e17d88af6c99f9728c50b486cc89fe85e45f80401a56ae226a91f4d6e1d6ee
SHA512 b141578334718b5cae23658a4f4129a99452239f1666707bed98f3325fc97adf2da7bbc4c1b91b1c7cf05cbd7efee9fc778dd4350f68be7a6e021c4bae87a7c0

C:\games\Iplay Games\Country Tales\cpromo\system\texts\fr\cpromo-facebook.loc

MD5 e4f35d2a9354e2988e31664dadfdc4ba
SHA1 68c41d8047951070a3077e0ad7205cd7d1f570b9
SHA256 1645a49aefec74dacb34d70834510ef429a53f22891214e12967d9febc6e4cf4
SHA512 f426e9670a46cab2a54b09cb328bda010732afd3d7b5febd047498cb5a8bd050b563787d403634784de62abaa7fc63c055aa4157749438d3cf06ce0f04f04309

C:\Users\Admin\AppData\Local\Temp\nsp5C84.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

C:\Users\Admin\AppData\Local\Temp\nsp5C84.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

memory/3964-2534-0x0000000000400000-0x000000000060C000-memory.dmp

memory/3964-2550-0x0000000000400000-0x000000000060C000-memory.dmp

memory/1380-2569-0x0000000000400000-0x000000000060C000-memory.dmp

memory/4788-2588-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2776-2607-0x0000000000400000-0x000000000060C000-memory.dmp