banload | 6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564

Analysis

max time kernel
125s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe
Size

123KB
MD5

68fc0a389597e08de8d2668f768283c3
SHA1

ca00a153d98913a1d00ef500b522d9a85de5cb3a
SHA256

6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564
SHA512

8f393fbdab6fdc720156f396d60ef0ecbfaa6485b9c5d375dd1a3bf1f00fb40daa656b39cf2e18641f4692b4d2c1cbd9ccad3b1f52191aac9a83fbaee314d3ca
SSDEEP

1536:ELXB65939tY6HBg4sXJWAchXFW8KfHzb4+LnVRAchXFnIfbmUOcVf2S7naxI:ELk395hYXJWAcm8tWnvAcYfiDoH

Score

10^/10

banload discovery downloader dropper evasion spyware stealer trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

GLWorker.exeGLWorker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GLWorker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GLWorker.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GLWorker.exeGLWorker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GLWorker.exe

Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 10 IoCs

Processes:

GamesManagerInstaller.exeGamesManager.exeGamesManager.exeGamesManager.exeGamesManager.exeGamesManager.exeGamesManager.exepreinstall-options.exeGLWorker.exeGLWorker.exe

pid	process
2816	GamesManagerInstaller.exe
1464	GamesManager.exe
2928	GamesManager.exe
2292	GamesManager.exe
1140	GamesManager.exe
680	GamesManager.exe
1836	GamesManager.exe
2964	preinstall-options.exe
960	GLWorker.exe
988	GLWorker.exe

Loads dropped DLL 64 IoCs

Processes:

6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exeGamesManagerInstaller.exe

pid	process
1840	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe
1840	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe
1840	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

GamesManager.exepreinstall-options.exeGamesManager.exeGamesManager.exeGamesManager.exeGamesManager.exeGLWorker.exeGLWorker.exe6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exeGamesManagerInstaller.exeGamesManager.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	preinstall-options.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManagerInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManager.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe	nsis_installer_2

Modifies registry class 53 IoCs

Processes:

GLWorker.exeGamesManager.exeGLWorker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\pghKuF = "s\|r@XbHzsMw\x7ftoVjYMfkz~"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\YahooArcade	GamesManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\InprocServer32\14.0.0.0	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\uvcs = "QsFBEehQ~gIDGAdQa\\SqE"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\uvcs = "_ms\|v\\PjgdevfDgsGaHu}"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\wfuq = "Dc\x7fGxHpbFlo"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\Vxagazaqa = "RaIkOZht~Rf_pNuZb\\"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\WMqfU = "iMwx\\DenxGdTdGb\|JIJT\|NJGyDC"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\EhnilpsEjm = "BXurTsN@\|{p}LZCtMCbcWG@Oc"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\IplayArcade	GamesManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Jewel Quest	GamesManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\InprocServer32	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\WMqfU = "{nr{]H[eIJADAEhayX\\i\\v~\x7fwoD"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\uvcs = "_mC\|v\\PjgdUvfDgsGaHu}"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\wfuq = "rOQqKurpL`j"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Access, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\wfuq = "Tc\x7fGxIQdd[o"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\InprocServer32\Assembly = "Microsoft.Office.Interop.Access, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore\MACHINE	GamesManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Jewel Quest\GameName = "Jewel Quest"	GamesManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Jewel Quest\InstallDir = "C:\\Users\\Admin\\AppData\\Local\\UGMgames\\110341560\\55\\Jewel Quest"	GamesManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\InprocServer32\Class = "Microsoft.Office.Interop.Access.AllModulesClass"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\cqwi = "Ir\|tN{tvLXyHe\x7faWsGFz{GK}sL"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\wfuq = "dc\x7fGxIQMenP"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\YahooArcade	GamesManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\msaDrwixvyl = "FRZGDvfgd}Qe[]pDV"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore	GamesManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\wfuq = "BOQqKurYMUU"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\wfuq = "tc\x7fGxKaGsnm"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Jewel Quest\GameSrc = "IWIN_NI"	GamesManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\wfuq = "bOQqKwBzZ`W"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Access.AllModulesClass"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\fxoe = "x_xduaXsWYZxkWqaQ"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\55 = "Jewel Quest"	GamesManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Jewel Quest\GameID = "55"	GamesManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\cqwi = "Ir\|tN{tvLXyHe\x7faWsGFz{GK}sO"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\pghKuF = "NYMSskVihSD[ZavojizFRI"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Jewel Quest\GameExe = "GameLauncher.exe"	GamesManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\InprocServer32\RuntimeVersion = "v2.0.50727"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\cqwi = "lpC_vPCZ_Shv[VjDZKEgWxA_Tc"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\fxoe = "xQFiPz\x7fKdNyNgQK_A"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\EhnilpsEjm = "RYuc_rZvfXfiPrkngGRDF[IJJ"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\uvcs = "QsvBEehQ~gyDGAdQa\\SqE"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\cqwi = "lpC_vPCZ_Shv[VjDZKEgWxA_T`"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\Vxagazaqa = "jdc\|\x7f^P~HVZQ`@d[[y"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\wfuq = "ROQqKtS_obU"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE	GamesManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade	GamesManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node	GamesManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\msaDrwixvyl = "bhq~~DcLc\x7fOHJwenH"	GLWorker.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

GamesManager.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	GamesManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	GamesManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	GamesManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	GamesManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GamesManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	GamesManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	GamesManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GamesManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GamesManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	GamesManager.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

GamesManagerInstaller.exe

pid	process
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe
2816	GamesManagerInstaller.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AUDIODG.EXEGLWorker.exeGLWorker.exe

description	pid	process
Token: 33	1360	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1360	AUDIODG.EXE
Token: 33	1360	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1360	AUDIODG.EXE
Token: 33	960	GLWorker.exe
Token: SeIncBasePriorityPrivilege	960	GLWorker.exe
Token: 33	988	GLWorker.exe
Token: SeIncBasePriorityPrivilege	988	GLWorker.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

GamesManager.exe

pid process

1464 GamesManager.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

GamesManager.exe

pid process

1464 GamesManager.exe

pid	process
1464	GamesManager.exe

pid	process
1464	GamesManager.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exeGamesManagerInstaller.exeGamesManager.exe

description	pid	process	target process
PID 1840 wrote to memory of 2816	1840	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe	GamesManagerInstaller.exe
PID 1840 wrote to memory of 2816	1840	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe	GamesManagerInstaller.exe
PID 1840 wrote to memory of 2816	1840	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe	GamesManagerInstaller.exe
PID 1840 wrote to memory of 2816	1840	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe	GamesManagerInstaller.exe
PID 1840 wrote to memory of 2816	1840	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe	GamesManagerInstaller.exe
PID 1840 wrote to memory of 2816	1840	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe	GamesManagerInstaller.exe
PID 1840 wrote to memory of 2816	1840	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe	GamesManagerInstaller.exe
PID 2816 wrote to memory of 1464	2816	GamesManagerInstaller.exe	GamesManager.exe
PID 2816 wrote to memory of 1464	2816	GamesManagerInstaller.exe	GamesManager.exe
PID 2816 wrote to memory of 1464	2816	GamesManagerInstaller.exe	GamesManager.exe
PID 2816 wrote to memory of 1464	2816	GamesManagerInstaller.exe	GamesManager.exe
PID 1464 wrote to memory of 2928	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 2928	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 2928	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 2928	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 2292	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 2292	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 2292	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 2292	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 1140	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 1140	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 1140	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 1140	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 680	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 680	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 680	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 680	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 1836	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 1836	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 1836	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 1836	1464	GamesManager.exe	GamesManager.exe
PID 1464 wrote to memory of 2964	1464	GamesManager.exe	preinstall-options.exe
PID 1464 wrote to memory of 2964	1464	GamesManager.exe	preinstall-options.exe
PID 1464 wrote to memory of 2964	1464	GamesManager.exe	preinstall-options.exe
PID 1464 wrote to memory of 2964	1464	GamesManager.exe	preinstall-options.exe
PID 1464 wrote to memory of 2964	1464	GamesManager.exe	preinstall-options.exe
PID 1464 wrote to memory of 2964	1464	GamesManager.exe	preinstall-options.exe
PID 1464 wrote to memory of 2964	1464	GamesManager.exe	preinstall-options.exe
PID 1464 wrote to memory of 960	1464	GamesManager.exe	GLWorker.exe
PID 1464 wrote to memory of 960	1464	GamesManager.exe	GLWorker.exe
PID 1464 wrote to memory of 960	1464	GamesManager.exe	GLWorker.exe
PID 1464 wrote to memory of 960	1464	GamesManager.exe	GLWorker.exe
PID 1464 wrote to memory of 988	1464	GamesManager.exe	GLWorker.exe
PID 1464 wrote to memory of 988	1464	GamesManager.exe	GLWorker.exe
PID 1464 wrote to memory of 988	1464	GamesManager.exe	GLWorker.exe
PID 1464 wrote to memory of 988	1464	GamesManager.exe	GLWorker.exe

C:\Users\Admin\AppData\Local\Temp\6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe
"C:\Users\Admin\AppData\Local\Temp\6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\GamesManagerInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\GamesManagerInstaller.exe" -installer.createiwinshortcuts=yes -config.channel=110341560 -config.uri=http://gm/iwin/index.html -config.channelName=Iplay -config.iwinrequest="PF/55/5499671643818231075/13/0"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
    "C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" -config.uri=http://gm/iwin/index.html -config.channel="110341560" -config.iwinrequest="PF/55/5499671643818231075/13/0"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
      "C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" --type=renderer --no-sandbox --service-pipe-token=05D90F3FE53F87FF82FDA032758F1227 --lang=en-US --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/6.1 [x64] CEF/3.3163.1651.gf229796 UAPI" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=05D90F3FE53F87FF82FDA032758F1227 --renderer-client-id=2 --mojo-platform-channel-handle=2080 /prefetch:1
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2928
  - - C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
      "C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" --type=gpu-process --no-sandbox --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/6.1 [x64] CEF/3.3163.1651.gf229796 UAPI" --disable-direct-composition --use-gl=swiftshader-webgl --supports-dual-gpus=false --gpu-driver-bug-workarounds=9,12,13,22,23,24,27,49,84 --disable-gl-extensions="GL_KHR_blend_equation_advanced GL_KHR_blend_equation_advanced_coherent" --disable-accelerated-video-decode --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/6.1 [x64] CEF/3.3163.1651.gf229796 UAPI" --service-request-channel-token=2F9EF1E141EE7B4E1F312FDBBB9E8D2B --mojo-platform-channel-handle=2640 /prefetch:2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2292
  - - C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
      "C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" --type=gpu-process --no-sandbox --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/6.1 [x64] CEF/3.3163.1651.gf229796 UAPI" --disable-direct-composition --use-gl=swiftshader-webgl --supports-dual-gpus=false --gpu-driver-bug-workarounds=9,12,13,22,23,24,27,49,84 --disable-gl-extensions="GL_KHR_blend_equation_advanced GL_KHR_blend_equation_advanced_coherent" --disable-accelerated-video-decode --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/6.1 [x64] CEF/3.3163.1651.gf229796 UAPI" --service-request-channel-token=ECCAE903A6D29C9B36248996A7DE6E2F --mojo-platform-channel-handle=2868 /prefetch:2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1140
  - - C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
      "C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" --type=gpu-process --no-sandbox --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/6.1 [x64] CEF/3.3163.1651.gf229796 UAPI" --disable-direct-composition --use-gl=swiftshader-webgl --supports-dual-gpus=false --gpu-driver-bug-workarounds=9,12,13,22,23,24,27,49,84 --disable-gl-extensions="GL_KHR_blend_equation_advanced GL_KHR_blend_equation_advanced_coherent" --disable-accelerated-video-decode --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/6.1 [x64] CEF/3.3163.1651.gf229796 UAPI" --service-request-channel-token=7F21872FD48087C226A2B1AB7FC368EE --mojo-platform-channel-handle=2732 /prefetch:2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:680
  - - C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
      "C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" --type=gpu-process --no-sandbox --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/6.1 [x64] CEF/3.3163.1651.gf229796 UAPI" --disable-direct-composition --use-gl=swiftshader-webgl --supports-dual-gpus=false --gpu-driver-bug-workarounds=9,12,13,22,23,24,27,49,84 --disable-gl-extensions="GL_KHR_blend_equation_advanced GL_KHR_blend_equation_advanced_coherent" --disable-accelerated-video-decode --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/6.1 [x64] CEF/3.3163.1651.gf229796 UAPI" --service-request-channel-token=3CE48326F1DE4D5868165D88A256292F --mojo-platform-channel-handle=2656 /prefetch:2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
      "C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe" -gamestring=55 /S
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2964
  - - C:\Users\Admin\AppData\Local\UGMgames\110341560\55\Jewel Quest\GLWorker.exe
      "C:\Users\Admin\AppData\Local\UGMgames\110341560\55\Jewel Quest\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5499671643750529305
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:960
  - - C:\Users\Admin\AppData\Local\UGMgames\110341560\55\Jewel Quest\GLWorker.exe
      "C:\Users\Admin\AppData\Local\UGMgames\110341560\55\Jewel Quest\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5499671643750529305
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x258
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GamesManager\110402287\cdata.dat

Filesize
380KB

MD5
ca17a91ba93ac3107487483aff70f7b4

SHA1
3cc944baa4b652889d447556132c2216fd32f781

SHA256
e2adb14b28525bdf844cec0ed47d51232f705489ecb548053c30b5040832ae00

SHA512
745aebeac40d716e7cef02a11bab0083e20554fc741ec3edd1456912dbe02c74559d791b3bc6ee7adfb018deb6bb231b8f0f88cc7a417f40219c7c2b48d1fda9

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\20000002\channel.ico

Filesize
17KB

MD5
fbcad071529c2eb58475faf63d477023

SHA1
1c4a36142ff3042bb30aaf242791d3b26b9865c4

SHA256
1e53c4fc7d6181d4c69e4adf2500d4e1c329c4b491dfad240119479531967dfa

SHA512
0231a1d5e1e578cb1d381955299fd6427363d34ffe232b3e9e8c06f55763fbde0a2cb00cbe7be5f069bd1292e26161d8274cdc18d69bf427944ab28722e56b21

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe

Filesize
3.7MB

MD5
ff948b22cb83729c3825101e506319f2

SHA1
c1f8f7f7241465a378740cf14c3003818855d8c2

SHA256
4498cac4be3beb2f0733ab6e0d5a3add87270920a4ef08a7f82f46f98fa1cc2a

SHA512
81cf71f9571df6905309edd770ebdb9170b1a1d678bd1187100e43e8f336934080cfeb59558c2d18f05a110d6be2e9860d29419bf2831cb9108495af6538cfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC40C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC5E3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse29DF.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5DBC.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe

Filesize
77KB

MD5
455171a0d8585480d318102d13ca1faf

SHA1
16263b90994f2882ae03d8d190dca0df1204c0a2

SHA256
626953268197dacf5491197a3c4c60b4f2a14c3e878efb640eb48f34c9b23e31

SHA512
8961af0da23f63f5f4fa258bc6532e7ba95ffcdfed71ab813fa0715696b70452f4ef127ed08391edf22dd1fe01e38ee1921551ecba9bb5a79ef18d44ca16d11d

Download Submit
C:\Users\Admin\AppData\Local\UGMgames\110341560\55\Jewel Quest\GLWorker.exe

Filesize
1.8MB

MD5
c1e8e93c614d3fdb8f092a8248dd58cb

SHA1
e14669f32d4fa59a9504cad98bd41463b014be2c

SHA256
2f5be3879d6d79ee0521833109cc885ebffb918b4e94292d3db826841b5b0fc3

SHA512
1e0d8aa95e3a4c9908ac8c56320cc378e84c739b2805b07a795b3b4b6a591e5d1e28f839074535d05c16aad27fd48dae8d139ab910ee65d38893c1edfdaf6cc4

Download Submit
C:\Users\Admin\AppData\Local\UGMgames\110341560\55\Jewel Quest\game.zip

Filesize
12.8MB

MD5
49aad72e86565fcb320d2f6370f27225

SHA1
ac05eb7c2bcd79e9599a94492a5a55396dc97e45

SHA256
dc1babcda4e7fff6f9ca7e5ed81b2231604e5473e55275343560bb62925ea5b4

SHA512
0b86ba7722e894564a50c4376a87237dd3a2be45fb9cbaf5bd0c8269b5d28d9674e03651b29124e20c8f520d80e6634e7f1fb7a9a9b15a90ecd20e624a7b0890

Download Submit
\Users\Admin\AppData\Local\Temp\nse5DBC.tmp\INetC.dll

Filesize
25KB

MD5
e7ebd034dacf96fcc0c7a35c62477d21

SHA1
cd372d0607d94b48ac84a1738ed434df4d882f22

SHA256
dc84aa66f398781fe76eecf90fc6613f729076552d4b268269228b754bfd70d2

SHA512
df367b39c7c62ba2df1d50cbe3dbc97a7a2719fae7684330b4df971f0742c3447f0beb2d295a206522bbce6fbd0053d188d159f7236b6953d35cbf51aecc1bf3

Download Submit
\Users\Admin\AppData\Local\Temp\nse5DBC.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\GamesManagerInstaller.exe

Filesize
44.1MB

MD5
1614a4e091c3e4f6cdf345d3b2ad1339

SHA1
db8c06c407c79bf51ce3efebb228a9114c9b979e

SHA256
1fbc927f228f5d1a33ecc7faf44aea4c4e2c17a7080bdcaba2d6e094d9749506

SHA512
5e5b337b306983e73be46e7bd4ac50cb01e317622b0c1de8aff71d050e85c120447b0dd1fff28e0de19a3d13542b1dac836d6c8bdd92b5238e57e59759e76fb1

Download Submit
\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/960-1276-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/960-1286-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/960-1287-0x0000000002590000-0x000000000279C000-memory.dmp

Filesize
2.0MB

Download
memory/960-1291-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/960-1277-0x0000000002590000-0x000000000279C000-memory.dmp

Filesize
2.0MB

Download
memory/960-1281-0x0000000002590000-0x000000000279C000-memory.dmp

Filesize
2.0MB

Download
memory/960-1284-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/960-1285-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/960-1289-0x0000000002590000-0x000000000279C000-memory.dmp

Filesize
2.0MB

Download
memory/988-1312-0x00000000024D0000-0x00000000026DC000-memory.dmp

Filesize
2.0MB

Download
memory/988-1300-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/988-1305-0x00000000024D0000-0x00000000026DC000-memory.dmp

Filesize
2.0MB

Download
memory/988-1302-0x00000000024D0000-0x00000000026DC000-memory.dmp

Filesize
2.0MB

Download
memory/988-1318-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/988-1316-0x00000000024D0000-0x00000000026DC000-memory.dmp

Filesize
2.0MB

Download
memory/988-1311-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/988-1310-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/988-1309-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/1464-1275-0x000000000A420000-0x000000000A62C000-memory.dmp

Filesize
2.0MB

Download
memory/1464-1274-0x000000000A420000-0x000000000A62C000-memory.dmp

Filesize
2.0MB

Download
memory/1464-1327-0x000000000A540000-0x000000000A74C000-memory.dmp

Filesize
2.0MB

Download
memory/2928-744-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download