Analysis

  • max time kernel
    141s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-09-2024 07:20

General

  • Target

    f18a504706dd72c30646a8bec4d58a8d_JaffaCakes118.exe

  • Size

    98KB

  • MD5

    f18a504706dd72c30646a8bec4d58a8d

  • SHA1

    15bc1b9a13703eb7a29a0b981c77389bf0f2dc69

  • SHA256

    9943963957cf6c44dada20d26ffb546aa80d1fb0dc2d30eb134f8f41565b7360

  • SHA512

    efd774c5f762fbdb2a1061a9b0c16c996172b025dbfba8ead0dff9ce35b46bf5d8dce1b9b08d4ba403b38038803a31e6c39638f8eb3e356fff71c96e7debc072

  • SSDEEP

    1536:cTXB+5p3Bi+HpM4tmJIxqG0/7vd8xUxPpZzmbOcVf2nxqG0/7vdJi:cTs3BxJNmJIxqdLdT/ZzmKZxqdLdo

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f18a504706dd72c30646a8bec4d58a8d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f18a504706dd72c30646a8bec4d58a8d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Local\Temp\nstF8A2.tmp\GamesManagerInstaller.exe
      C:\Users\Admin\AppData\Local\Temp\nstF8A2.tmp\GamesManagerInstaller.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2820
    • C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
      "C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" -config.uri=http://gm/iwin/index.html -config.iwinrequest=PF/5498689878578615106/5498689883522729028/13/0 -config.channel=110341560
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3776
      • C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
        "C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe" --type=renderer --enable-logging --log-level=2 --no-sandbox --user-agent="NextDM/2.16.2.1015 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.16.2.1015 110341560 WinVer/6.1 [x64]" --awesomium-log-path="C:\Users\Admin\AppData\Local\GamesManager\./awesomium.log" --lang --channel=3776.02590C80.349747964 /prefetch:3
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        PID:2832
      • C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
        "C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe" --type=gpu-process --channel=3776.0261E7D0.532980128 --enable-logging --log-level=2 --no-sandbox --awesomium-log-path="C:\Users\Admin\AppData\Local\GamesManager\./awesomium.log" /prefetch:12
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        PID:2516
      • C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe
        "C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe" -gmregcopysrc="HKEY_LOCAL_MACHINE\Software\iWinArcade" -gmregcopydest="HKEY_CURRENT_USER\Software\IplayArcade" -gmregcopylocalmachinedest="HKEY_LOCAL_MACHINE\Software\IplayArcade" -gmregisiwin=true -gmchannelcode=110341560 -game.sku="5498689878578615106" -game.name="Country Tales" -gmregcopyvirtual=HKU\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade -gmreg="Software\IplayArcade" -gmexe="IplayGames.exe" -gmregkey="Install_Dir" -installer="C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe" -preinstallurl="http://gm-iplay.iwin.com/dl/preinstall-options.exe" -gamestring=5498689878578615106 -config.installRoot="c:\games\Iplay Games" -gmInstallRootRegKey="HKEY_CURRENT_USER\Software\iWinArcade\installRoot"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
          "C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe" -gamestring=5498689878578615106 /S
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3020
        • C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe
          "C:\Users\Admin\AppData\Local\GamesManager\110341560\downloads\5498689878578615106.exe" /S
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2108
          • C:\Users\Admin\AppData\Local\Temp\nseE89B.tmp\iWinInstallOptions.exe
            "C:\Users\Admin\AppData\Local\Temp\nseE89B.tmp\iWinInstallOptions.exe" /S
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2888
      • \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
        "c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1628
      • \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
        "c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
      • \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
        "c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1692
      • \??\c:\games\Iplay Games\Country Tales\GLWorker.exe
        "c:\games\Iplay Games\Country Tales\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5498689878578615106
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2060
  • C:\Program Files (x86)\GMInstaller\ugm_installer.exe
    "C:\Program Files (x86)\GMInstaller\ugm_installer.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000001

    Filesize

    248KB

    MD5

    e2ff9e87912d08576c7f26a8014b2525

    SHA1

    026136afd27657e7edead2f12310275af249caac

    SHA256

    5e663896f40416a2d5f159e0433dbc9019dbe9d05abb34c1f3a5b38a88b5c03a

    SHA512

    7b4dfe37205909f2f14669c965821a91daba8be383ce83d119fde5d290bc938eeaf0c70e9d27998f00dc6cdca0d0c0b1b2bbdc13ac2662fc4e766919e092e1d9

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000002

    Filesize

    36KB

    MD5

    ae0a675e3e15e28aab8246028df16236

    SHA1

    772b2587aa2fa345fb760eff9ebe5acd97937243

    SHA256

    49f14bad610f40f0ae76a33c55ef89a1e694219bab49b1b99cb53d754774c0fc

    SHA512

    21723efa6aaa2fa599b42c1480c380c24f9aaf14755e82e88054e80713454408bfb047ba77d921d71573d2319f14f134938f3401aa3b92b756670b7c99892caa

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000003

    Filesize

    51KB

    MD5

    a959af924d21c7b788fe197caf03fc40

    SHA1

    21733827a5501133619b8ac4533201267d1afa3f

    SHA256

    4d191ea72953f5806161c3c16ae8e4bb629b47156481bd074acfa5db08000016

    SHA512

    1fa28a7fe716b328fc43b3e8993875977a2e9f39fd02dfce313d27021403ddfaf7f19c7607bf1350c4c2f05a38170d3621ed33cc60f8b38fb9d1dbda63b120e7

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000004

    Filesize

    242KB

    MD5

    7fd8ffea25728006bfddf7e6c7c122cd

    SHA1

    e3049e9f8a643b8b2cfd2ca5e6ab8bfd483efe99

    SHA256

    0a6c4c4db171663b9b1c533a4dd6938e22cb4d5b9607d0ca92a20c1354018b49

    SHA512

    477467568f8c24772fd83680db1e9750c7e377cb706c0fa734e9c8b1bc847cf9a60f4be444044bdbfa4cdb9cb4352f86edd1ea70bdcd86a20b361f9acb2cd58f

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000005

    Filesize

    58KB

    MD5

    8c81fab58b8ed37b527b16a37a8065c3

    SHA1

    5d3d58f8833d9975d6dd5e7153b22a936f2f76bd

    SHA256

    74d4acb9d62968980f8a096977e3bf42c1ccffb0c7501a7fff1a0ba589b56bd7

    SHA512

    e99c9eae7718c4154bc2895431261e1ac3cafda565d85474876be004063742d84af1c20f970dd1f30c9c5acbb00d3e7357f7a13376730cbd987a24dcc4086699

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000006

    Filesize

    16KB

    MD5

    032f7a630c11189923cae95fb0fa6892

    SHA1

    74dddaa937b077fb98b584b20e1a3e3ad1bee422

    SHA256

    b0b84f6aca649b3b9131799ed0983e03b113497df4f33e30a3389ee1b34687ee

    SHA512

    e24c5a9dfd1f6fcd07dea0b3723a0794fe27042c2f52d0b869e8224ed0a442e73e24d265103ba2f11783b8c408f9724ba11ef76a1e3330ee3b78156ebad406bf

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000007

    Filesize

    63KB

    MD5

    962bf963a37a6d84fe7fb552763dc094

    SHA1

    cac681467dac917122dd9b57bd9a78781549a523

    SHA256

    2f49797d196f00bb331663ac1564c775d65ed1bfb508aec9e4c3b6fc89bb4dc0

    SHA512

    e378da6a0d29f91eb5a0de3876fda0cc1b5a6e6632f5ddf0d45fcc909084aad70bd99b97a29df15d271593701bd77a92766a1f091540dc3cdf699c9d831b6192

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000008

    Filesize

    21KB

    MD5

    5cc4154e0c0dac8dfeea73c07ccdc83e

    SHA1

    5d2d995d51b8855d1e1e43b85d8b5a9d22b796ad

    SHA256

    12d5f1be9a764164f4cc6e7dda726c4ea3d19ea79382d28c75b0dea862608968

    SHA512

    1112959cfecc25efae799b566dff24f7bfafc60ddd8974ce0cdd653ee834a57090d9f78e2773ad9a826e0ba6e1487c49e1ef957c34385c262914f09ea8b26157

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000009

    Filesize

    48KB

    MD5

    b41c0b75a60eab42145e9d0b17408b0b

    SHA1

    0f3151c6c22834079b55fcea9d873c0184b3fd7c

    SHA256

    209dc679252feca2725cafb6e8fc314f2618bd748db846be6b4e0ca71c55a330

    SHA512

    f728be6cb869a6279a6ba1d85865c510c6f9905a04226a25965b7b5eb0feadbaf4364f4508b08292eb597b2a9fe14af4e6fa8a9eb56f4e704108dc09e862edbe

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000a

    Filesize

    39KB

    MD5

    4e5d5ff08a7703b746695ec19bf96b88

    SHA1

    3496f9b943d53c957ed8481e3e2cd1ecc0decb4e

    SHA256

    3e05db9eae5443e2b629ae73496a7872602094fcf63d11eb5d99e63911c89d1e

    SHA512

    cabe3907ea165502d90b847642cbc4be99108b6eb18ad251f2acfe988131b2ed12fab8516e374c5e2a19b10c9df9c9ed3252cbffb7cd0c0fb9dcd258e2f4bb31

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000b

    Filesize

    151KB

    MD5

    0128fb0696c3dd27adc2286988bf9042

    SHA1

    343db277048078eb9a12b76b8f482aae5d9e7ac2

    SHA256

    13bf19f7b084c49a6ef22dee10328411f4764e765209956bc1d01c8120cdacdb

    SHA512

    173b2bd5cdf252380286622fcb9ebd72c361788fcd00a04274dc330f7d20cc152cc29506bd5d03768518bab23053ec98c0ae522fe600987a479a15279d72acbd

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000c

    Filesize

    66KB

    MD5

    201f988a9071a4a4a3d188bdecda38f5

    SHA1

    4ad903f73ee31f12b1c9e4c820439273cbc92727

    SHA256

    53c53364808c175a6038f9d0aae8fe3d1f5ce3cf87d5e9fa08f603d845633b37

    SHA512

    d9af07915a589ee48b08a1b8880d88d6215438292f4a227cbc809086c2dbd5735713c0929758359a8f3391dae746cd9b9de7885d5af560698a21be7d9f5bc025

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000d

    Filesize

    77KB

    MD5

    516a9c398435f4e0e519d13091892fca

    SHA1

    c1a8a3747fed87cf8699c18b6f80f5369e207908

    SHA256

    de5c4e5ba7b850bbe5d35de5b20f4fd875be1f77ef73f7431172d1e0f6496dc6

    SHA512

    b79eab3e4abc5bd164d27f282a9913ad0c82bdbcb028be5137b77a429e6384e715d05a90014c23298152d2fe3ad2f90309ca028727ed9750cf29fd55b6d75302

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000e

    Filesize

    39KB

    MD5

    4d0d60167bc23a412bcd8880d59e13d8

    SHA1

    cfbf2a6ed97ed0a30c571d2bbd6eb60731eaea27

    SHA256

    cd299b9251186ebf3bb0e928e4f710b3b542f0cde01bea6832cbada49138a85d

    SHA512

    6d56d41161bbe491a8f847ae3782e283a61d40d499d91fa6ef82ea845b347b8337b84e69024828dcbbf884b167afca67bdd67c7593a1a90950bab6fbdbb8eeba

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_00000f

    Filesize

    46KB

    MD5

    b6438c9bc90d3e87381b574cdf17ae97

    SHA1

    86051ff3f018c1a475162597dab27079eef2ec7a

    SHA256

    a6db907a7ac399d7e920de4ac4b4a92808542039ba32dc6758637bffb413d56d

    SHA512

    c4d56c8880d5c27085cf64531d2620f84c950107fdda28986eb0bb4d2ce1b4a90f0d890b72f60b48ef2637b3dab7fd99ccf1f507c949ce5f66b52f756c3c6fe6

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000010

    Filesize

    246KB

    MD5

    af693f9aea7dae36fb3bef4c9b6e56fb

    SHA1

    0d7896e2bb23f88e26e52b22a075350b354df447

    SHA256

    1717ea1fde8ceb7584341a24efc85c853083c660a1185968fbf94520f7193de2

    SHA512

    11cad7c40e29808104a9b84cfe2f4f1aa80f4ad06a07fd1379c64818fe869c6b6036af36f4dd3304e19b612141e9cf7b04e11c7a38a721ad03c067d9c07b266a

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000011

    Filesize

    25KB

    MD5

    3c4b51f57a2ff4369261b845d84ca1ea

    SHA1

    3bb9a2f72d5fa0a9c4140ab74212d4cdd25fa323

    SHA256

    379bc709031d0e429a41012efd921210bcfd409ecaabe35257a3716032eb99a3

    SHA512

    81d0120f63e30cc5b31fc98af2caf75cd836defedf08a1918b019a4bd7fdc9746340ef81f7ead84299d6eceb3812a6edc79481344dd7ef19d7af572b1f2bac3d

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000012

    Filesize

    82KB

    MD5

    5ce0a99458a2c7f2c0a6f3eb1a03d1d5

    SHA1

    6b3fdc4185f603a0948d2e8b7bc818763d7e2668

    SHA256

    6c5c0a29044c5aeec37211b18908acd0576b9dabc9d6fe95c8066cdc55146c0f

    SHA512

    5939d60a40f729b7ea19d6c9c1d264d7a174c6436748ea8c9619e7a20c1f1d4889f7e9b4cd017a889c985e9d2fd272e01d3e03d6b97325b2e8de5f3f9e1f2d67

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000013

    Filesize

    581KB

    MD5

    107a4b9f1d95df5b969cced5c7248ded

    SHA1

    9341318acb76e81987277b335656f6d265066691

    SHA256

    295eac26825508b5f37f27c69b99d426582fe80752f636c69f1795be8f5d5ea4

    SHA512

    36c22b62a0377831b37ecc4f34b6912842bc57c2f9351548d1ba120ca2c9abaca709cd40046abc06d4b77694cbf1977b8f5d7ce899653f130ac697402e127857

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000014

    Filesize

    160KB

    MD5

    7776d481997157e93d96f8589c3ae050

    SHA1

    13007e647ea91299b5aaaf7fc03a30bb65c38cd0

    SHA256

    74cd4d1f792e1200fd426048b53970c4eaeb5e5c1c789d034bffdff68167b3be

    SHA512

    12401e53282bcb20f6287f73b0d51c1c018cb0013df2d03e7d719eaa9e7fe952b9252c22445b67acdd78696f7b464045aed14f6e795922680fe733a0084a6217

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000015

    Filesize

    238KB

    MD5

    112aef1f1740c497873762c576ba91ec

    SHA1

    63de6bd3e38f536213dddddb20c5cb61c232078f

    SHA256

    7f6a44eb7632c2cb6f990ede10a58c2cc3fb923bae1761f1be8e2a9ea3847b78

    SHA512

    9b3f9e5b4f911e0fc8404e89a68e308b14b4d2470d8358f95991d04abbc5ee04e3d93255deba720d3589f278938cf92710cc4f38f6b26c778d82d4680da89fbb

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\AppCache\Cache\f_000016

    Filesize

    620KB

    MD5

    5a52b3c4658c45fa0d16f1b245cba28d

    SHA1

    1066afce3c4ca00ca7f61c628f6ba4a615b50c4f

    SHA256

    f148af9bffe215b1396117bb04aeb9f35fc82f346999a767a363198e9878ceae

    SHA512

    08ed56e8ef57a87bc84cc82355fbb9b5742a3a3218c5bf27369d2fc7d71d5c740af8c8830a85af3544ae5f2e96f59c9a0267a512a5c009c3e03683a3ef5f85bd

  • C:\Users\Admin\AppData\Local\GamesManager\110341560\webdata\Cache\index

    Filesize

    512KB

    MD5

    9bf575bcc94beb8f3da34101cdecf7ea

    SHA1

    57282ec670d6036033371d1e360b52a8bea2c7dc

    SHA256

    44b2f3ac069879c64561f4ae8cd526a8771dc4dc89083206ba92d52d8527ca37

    SHA512

    9036391a45aba9dd3c3e4ba02eda193b26923e7406c9916ea1a72c307c7f515bde45d4bddc8e3c37a6978c1753e0c0481da0a4e0806106a626b98927dad37296

  • C:\Users\Admin\AppData\Local\GamesManager\110402287\cdata.dat

    Filesize

    379KB

    MD5

    11e4b4414b6271b8f8c45511f97d4e5a

    SHA1

    65ee25560144d22bf7f8bce3b8742a856a8ee6d1

    SHA256

    db67ca3cf89a6fccd13aa21207e279c3fd3c7bcaf181c65ecfc18cf2da289eb3

    SHA512

    68e8bce33cfc588f800f486f51c8a1e27b12e58af336946102d61a451341eee875b4cbb2a4203f3cade174b21f9e74cd82d15988abb107564c87c2e3bd088c58

  • C:\Users\Admin\AppData\Local\Temp\nseE84D.tmp\System.dll

    Filesize

    10KB

    MD5

    56a321bd011112ec5d8a32b2f6fd3231

    SHA1

    df20e3a35a1636de64df5290ae5e4e7572447f78

    SHA256

    bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

    SHA512

    5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

  • C:\Users\Admin\AppData\Local\Temp\nseE89B.tmp\NSISdl.dll

    Filesize

    14KB

    MD5

    a5f8399a743ab7f9c88c645c35b1ebb5

    SHA1

    168f3c158913b0367bf79fa413357fbe97018191

    SHA256

    dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

    SHA512

    824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

  • C:\Users\Admin\AppData\Local\Temp\nseE89B.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe

    Filesize

    77KB

    MD5

    455171a0d8585480d318102d13ca1faf

    SHA1

    16263b90994f2882ae03d8d190dca0df1204c0a2

    SHA256

    626953268197dacf5491197a3c4c60b4f2a14c3e878efb640eb48f34c9b23e31

    SHA512

    8961af0da23f63f5f4fa258bc6532e7ba95ffcdfed71ab813fa0715696b70452f4ef127ed08391edf22dd1fe01e38ee1921551ecba9bb5a79ef18d44ca16d11d

  • C:\games\Iplay Games\Country Tales\cpromo\games\brawe\logo.tex

    Filesize

    166B

    MD5

    81de96307f568c5e50da13b9751e65ae

    SHA1

    4e01b95dee60b1bcc74384f6ca8ab36538b087b3

    SHA256

    6d52c4e2664c8d1465ebe769535e747b0770d257cde8d0b23caee024554bc895

    SHA512

    7d1da1cd6f39970d4e5ca9127051e1072cfaeb78cf504dba2c1f5578e216d1fed9a513943e82b4ab344b4ed8bd84a829e6ed49d43601a6019af7ed6be9e4c95d

  • C:\games\Iplay Games\Country Tales\cpromo\games\brawe\priority.cfg

    Filesize

    125B

    MD5

    39747ea0539ca7a983e27ad38a7feef9

    SHA1

    de1d226c21dcefbac496b1c1c2a04aec5a7f1c6c

    SHA256

    200abc16639b302d5ad0954412decbf85afb6373ce0bef661371860b36f443ca

    SHA512

    8bf6e2c9262e0bd9e445a6263bcf71837d7b8ce955a11f5ce808cacf9c27eb8e2eb5d27629db87f89132fc00117b91b32a80309a566b98909d505b61e7aca69c

  • C:\games\Iplay Games\Country Tales\cpromo\games\brawe\thumbnail.tex

    Filesize

    169B

    MD5

    1dbce5bd17261f01d55f0e1ce678a5be

    SHA1

    7c957dd1cb44998773a7dfc9478b35c6ebca08d5

    SHA256

    b4e17d88af6c99f9728c50b486cc89fe85e45f80401a56ae226a91f4d6e1d6ee

    SHA512

    b141578334718b5cae23658a4f4129a99452239f1666707bed98f3325fc97adf2da7bbc4c1b91b1c7cf05cbd7efee9fc778dd4350f68be7a6e021c4bae87a7c0

  • C:\games\Iplay Games\Country Tales\cpromo\system\texts\fr\cpromo-facebook.loc

    Filesize

    305B

    MD5

    e4f35d2a9354e2988e31664dadfdc4ba

    SHA1

    68c41d8047951070a3077e0ad7205cd7d1f570b9

    SHA256

    1645a49aefec74dacb34d70834510ef429a53f22891214e12967d9febc6e4cf4

    SHA512

    f426e9670a46cab2a54b09cb328bda010732afd3d7b5febd047498cb5a8bd050b563787d403634784de62abaa7fc63c055aa4157749438d3cf06ce0f04f04309

  • \Users\Admin\AppData\Local\Temp\nsj2618.tmp\StdUtils.dll

    Filesize

    26KB

    MD5

    c291f96471927e7bc49398b0de7168dd

    SHA1

    eda478005d69ee86126a8378de5007b139e20a5d

    SHA256

    c169393e49723cfdcdcbcf80e062be9e841539f90e4b7b85b482212715a1f7c6

    SHA512

    b4244615e99617d437d3120f201ca88c7ab4a6b4b84e7f0c3b4495a0fe8c979e04feaa08f11ad14fa92f002a3a521422221132ff54a081ef1c6bcbdf09d5929d

  • \Users\Admin\AppData\Local\Temp\nsj2618.tmp\nsProcess.dll

    Filesize

    4KB

    MD5

    f0438a894f3a7e01a4aae8d1b5dd0289

    SHA1

    b058e3fcfb7b550041da16bf10d8837024c38bf6

    SHA256

    30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

    SHA512

    f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

  • \Users\Admin\AppData\Local\Temp\nsj3C57.tmp\System.dll

    Filesize

    11KB

    MD5

    bf712f32249029466fa86756f5546950

    SHA1

    75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

    SHA256

    7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

    SHA512

    13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

  • \Users\Admin\AppData\Local\Temp\nstF8A2.tmp\NSISdl.dll

    Filesize

    14KB

    MD5

    9c90c746adae5171c52b932080113331

    SHA1

    2eb66e61ad38a33aa6e6c245e84e0a78dfcc5460

    SHA256

    5b7be83ff4f023eba8d2d7ab972b067a904adc71f56a50cb367619cd116d0e92

    SHA512

    fca06b4b39fdd76002487a4f9a454bec5507b2355a0e4e2dfe044e2def52bbd01aa5d2a0077703f7b8814b248743fac2b84fd37f611e04281f7e5c428e245565

  • \Users\Admin\AppData\Local\Temp\nstF8A2.tmp\System.dll

    Filesize

    11KB

    MD5

    c6f5b9596db45ce43f14b64e0fbcf552

    SHA1

    665a2207a643726602dc3e845e39435868dddabc

    SHA256

    4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0

    SHA512

    8faa0204f9ed2721acede285be843b5a2d7f9986841bcf3816ebc8900910afb590816c64aebd2dd845686daf825bbf9970cb4a08b20a785c7e54542eddc5b09a

  • memory/1628-2585-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/1692-2628-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/1692-2610-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-2648-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-2630-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/2108-2552-0x0000000002B20000-0x000000000374B000-memory.dmp

    Filesize

    12.2MB

  • memory/2108-2553-0x0000000002B20000-0x000000000374B000-memory.dmp

    Filesize

    12.2MB

  • memory/2256-2587-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/2256-2605-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/2516-1113-0x0000000000110000-0x0000000000122000-memory.dmp

    Filesize

    72KB

  • memory/2820-31-0x0000000002B10000-0x0000000002B12000-memory.dmp

    Filesize

    8KB

  • memory/2832-1069-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1188-0x0000000072600000-0x0000000072633000-memory.dmp

    Filesize

    204KB

  • memory/2832-1072-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1070-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1075-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1068-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1067-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1066-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1065-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1063-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1062-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1061-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1060-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1059-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1058-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1057-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1055-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1081-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1073-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1071-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1053-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1064-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1056-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1076-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1106-0x0000000000420000-0x0000000000421000-memory.dmp

    Filesize

    4KB

  • memory/2832-1077-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1124-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1126-0x0000000072600000-0x0000000072633000-memory.dmp

    Filesize

    204KB

  • memory/2832-1125-0x0000000072890000-0x00000000728B7000-memory.dmp

    Filesize

    156KB

  • memory/2832-1074-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1186-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1187-0x0000000072890000-0x00000000728B7000-memory.dmp

    Filesize

    156KB

  • memory/2832-1078-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1079-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1082-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1083-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1084-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1085-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1086-0x0000000072600000-0x0000000072633000-memory.dmp

    Filesize

    204KB

  • memory/2832-1087-0x0000000072600000-0x0000000072633000-memory.dmp

    Filesize

    204KB

  • memory/2832-1088-0x0000000072600000-0x0000000072633000-memory.dmp

    Filesize

    204KB

  • memory/2832-1089-0x0000000072600000-0x0000000072633000-memory.dmp

    Filesize

    204KB

  • memory/2832-1052-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1054-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1090-0x0000000072600000-0x0000000072633000-memory.dmp

    Filesize

    204KB

  • memory/2832-1091-0x0000000072600000-0x0000000072633000-memory.dmp

    Filesize

    204KB

  • memory/2832-1080-0x0000000072640000-0x00000000727F2000-memory.dmp

    Filesize

    1.7MB

  • memory/2832-1092-0x0000000072600000-0x0000000072633000-memory.dmp

    Filesize

    204KB

  • memory/3776-2586-0x000000000D7F0000-0x000000000D9FC000-memory.dmp

    Filesize

    2.0MB

  • memory/3776-2609-0x000000000D7F0000-0x000000000D9FC000-memory.dmp

    Filesize

    2.0MB

  • memory/3776-2569-0x000000000D7F0000-0x000000000D9FC000-memory.dmp

    Filesize

    2.0MB

  • memory/3776-2570-0x000000000D7F0000-0x000000000D9FC000-memory.dmp

    Filesize

    2.0MB

  • memory/3776-2629-0x000000000D7F0000-0x000000000D9FC000-memory.dmp

    Filesize

    2.0MB

  • memory/3776-923-0x0000000000170000-0x0000000000182000-memory.dmp

    Filesize

    72KB

  • memory/3776-2659-0x000000000D7F0000-0x000000000D9FC000-memory.dmp

    Filesize

    2.0MB

  • memory/3776-2660-0x000000000D7F0000-0x000000000D9FC000-memory.dmp

    Filesize

    2.0MB

  • memory/3776-2661-0x000000000D7F0000-0x000000000D9FC000-memory.dmp

    Filesize

    2.0MB

  • memory/3776-2665-0x000000000D7F0000-0x000000000D9FC000-memory.dmp

    Filesize

    2.0MB