banload | 6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564

Analysis

max time kernel
134s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe
Size

123KB
MD5

68fc0a389597e08de8d2668f768283c3
SHA1

ca00a153d98913a1d00ef500b522d9a85de5cb3a
SHA256

6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564
SHA512

8f393fbdab6fdc720156f396d60ef0ecbfaa6485b9c5d375dd1a3bf1f00fb40daa656b39cf2e18641f4692b4d2c1cbd9ccad3b1f52191aac9a83fbaee314d3ca
SSDEEP

1536:ELXB65939tY6HBg4sXJWAchXFW8KfHzb4+LnVRAchXFnIfbmUOcVf2S7naxI:ELk395hYXJWAcm8tWnvAcYfiDoH

Score

10^/10

banload discovery downloader dropper evasion spyware stealer trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

GLWorker.exeGLWorker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GLWorker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GLWorker.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GLWorker.exeGLWorker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	GLWorker.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GamesManager.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	GamesManager.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 10 IoCs

Processes:

GamesManagerInstaller.exeGamesManager.exeGamesManager.exeGamesManager.exeGamesManager.exeGamesManager.exeGamesManager.exepreinstall-options.exeGLWorker.exeGLWorker.exe

pid	process
4860	GamesManagerInstaller.exe
4600	GamesManager.exe
4936	GamesManager.exe
536	GamesManager.exe
1540	GamesManager.exe
3556	GamesManager.exe
3620	GamesManager.exe
1424	preinstall-options.exe
4564	GLWorker.exe
4116	GLWorker.exe

Loads dropped DLL 64 IoCs

Processes:

6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exeGamesManagerInstaller.exe

pid	process
2684	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe
2684	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe
2684	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2256	536	WerFault.exe	GamesManager.exe
2960	1540	WerFault.exe	GamesManager.exe
3992	3556	WerFault.exe	GamesManager.exe
3368	3620	WerFault.exe	GamesManager.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

GamesManager.exeGamesManager.exeGLWorker.exeGamesManager.exeGamesManagerInstaller.exeGamesManager.exeGamesManager.exeGamesManager.exepreinstall-options.exeGLWorker.exe6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManagerInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamesManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	preinstall-options.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe	nsis_installer_2

Modifies registry class 57 IoCs

Processes:

GLWorker.exeGLWorker.exeGamesManager.exeGamesManager.exeGamesManager.exeGamesManager.exeGamesManager.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\pdpoer = "`@d[[yFRZGDvfgd}Qe[]pDVNYMSskVi"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\ProgID\ = "Microsoft.PhotoAcqOptionsDlg.1"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\clwBrpq = "hSD[ZavJL`TbBI_ms\|v\\Pjgdev"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\ebmksbgJuQ = "JGyDCIr\|tN{tvLXyHe\x7faWsGFz{"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Jewel Quest\GameID = "55"	GamesManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\VersionIndependentProgID\ = "Microsoft.PhotoAcqOptionsDlg"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\qvrhfoGGo = "GK}sOrOQqKu\|Gl]U"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\qvrhfoGGo = "GK}sObOQqKwLMz]h"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\dTyicuajabhq = "GAdQa\\SqE{nr{]H[eIJADAEhayX\\i\\v"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade	GamesManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore\MACHINE\SOFTWARE\YahooArcade	GamesManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Jewel Quest\GameExe = "GameLauncher.exe"	GamesManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\ = "PhotoAcquireOptionsDialog"	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\InprocServer32	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\zjcpfiAgFj = "ngGRDF[IJJjdc\|\x7f^P~HVZQ"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\clwBrpq = "sMw\x7ftoVO\x7fDHOj~QsvBEehQ~gyD"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\ebmksbgJuQ = "~\x7fwoDlpC_vPCZ_Shv[VjDZKEgW"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\oInlvbtn	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\oInlvbtn	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\clwBrpq = "hSD[ZavJL`TbBI_mC\|v\\PjgdUv"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore\MACHINE\SOFTWARE	GamesManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\55 = "Jewel Quest"	GamesManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\InprocServer32\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\gszokGcJ = "x_xduaXsWYZxkWqaQBXurTsN@\|{p}LZC"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\YahooArcade	GamesManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Jewel Quest\GameName = "Jewel Quest"	GamesManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\Version	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\VersionIndependentProgID	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\zjcpfiAgFj = "tMCbcWG@OcRaIkOZht~Rf_"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\qvrhfoGGo = "xA_T`Tc\x7fGxI_SDfP"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\dTyicuajabhq = "fDgsGaHu}iMwx\\DenxGdTdGb\|JIJT\|N"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\qvrhfoGGo = "GK}sOBOQqKu\|nmhj"	GLWorker.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{3252ADC2-1EB0-40B2-9BFD-8A3920F65E31}	GamesManager.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{5407E973-37B3-4F25-B66E-D83C91F6BAFF}	GamesManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\TypeLib\ = "{00f25ae8-3625-4e34-92d4-f0918cf010ee}"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore	GamesManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore\MACHINE	GamesManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node	GamesManager.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{113D1955-FCD9-483E-8539-E5126D6A8448}	GamesManager.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{F2174BD7-131D-4A4E-9005-2262841408E9}	GamesManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\qvrhfoGGo = "GK}sLROQqKt]hO_j"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\qvrhfoGGo = "xA_TcDc\x7fGxH~UfQP"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Jewel Quest	GamesManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Jewel Quest\InstallDir = "C:\\Users\\Admin\\AppData\\Local\\UGMgames\\110341560\\55\\Jewel Quest"	GamesManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\clwBrpq = "sMw\x7ftoVO\x7fDHOj~QsFBEehQ~gID"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\qvrhfoGGo = "xA_T`dc\x7fGxI_zESo"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\qvrhfoGGo = "xA_T`tc\x7fGxKopSSR"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\Version\ = "1.0"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\pdpoer = "pNuZb\\bhq~~DcLc\x7fOHJwenHs\|r@XbHz"	GLWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore\MACHINE\SOFTWARE\IplayArcade	GamesManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\ProgID	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\TypeLib	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\{6C1A9365-FF7F-13D1-B2E4-0060975B8649}\gszokGcJ = "xQFiPz\x7fKdNyNgQK_ARYuc_rZvfXfiPrk"	GLWorker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\IplayArcade\Jewel Quest\GameSrc = "IWIN_NI"	GamesManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26F16E7E-BCC9-B70E-8FA0-0B9B0CB7211A}\InprocServer32\ThreadingModel = "Apartment"	GLWorker.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

GamesManager.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	GamesManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	GamesManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	GamesManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	GamesManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	GamesManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	GamesManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	GamesManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	GamesManager.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

GamesManagerInstaller.exe

pid	process
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe
4860	GamesManagerInstaller.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AUDIODG.EXEGLWorker.exeGLWorker.exe

description	pid	process
Token: 33	4048	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4048	AUDIODG.EXE
Token: 33	4564	GLWorker.exe
Token: SeIncBasePriorityPrivilege	4564	GLWorker.exe
Token: 33	4116	GLWorker.exe
Token: SeIncBasePriorityPrivilege	4116	GLWorker.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

GamesManager.exe

pid process

4600 GamesManager.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

GamesManager.exe

pid process

4600 GamesManager.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

preinstall-options.exe

pid process

1424 preinstall-options.exe

pid	process
4600	GamesManager.exe

pid	process
4600	GamesManager.exe

pid	process
1424	preinstall-options.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exeGamesManagerInstaller.exeGamesManager.exe

description	pid	process	target process
PID 2684 wrote to memory of 4860	2684	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe	GamesManagerInstaller.exe
PID 2684 wrote to memory of 4860	2684	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe	GamesManagerInstaller.exe
PID 2684 wrote to memory of 4860	2684	6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe	GamesManagerInstaller.exe
PID 4860 wrote to memory of 4600	4860	GamesManagerInstaller.exe	GamesManager.exe
PID 4860 wrote to memory of 4600	4860	GamesManagerInstaller.exe	GamesManager.exe
PID 4860 wrote to memory of 4600	4860	GamesManagerInstaller.exe	GamesManager.exe
PID 4600 wrote to memory of 4936	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 4936	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 4936	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 536	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 536	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 536	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 1540	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 1540	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 1540	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 3556	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 3556	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 3556	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 3620	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 3620	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 3620	4600	GamesManager.exe	GamesManager.exe
PID 4600 wrote to memory of 1424	4600	GamesManager.exe	preinstall-options.exe
PID 4600 wrote to memory of 1424	4600	GamesManager.exe	preinstall-options.exe
PID 4600 wrote to memory of 1424	4600	GamesManager.exe	preinstall-options.exe
PID 4600 wrote to memory of 4564	4600	GamesManager.exe	GLWorker.exe
PID 4600 wrote to memory of 4564	4600	GamesManager.exe	GLWorker.exe
PID 4600 wrote to memory of 4564	4600	GamesManager.exe	GLWorker.exe
PID 4600 wrote to memory of 4116	4600	GamesManager.exe	GLWorker.exe
PID 4600 wrote to memory of 4116	4600	GamesManager.exe	GLWorker.exe
PID 4600 wrote to memory of 4116	4600	GamesManager.exe	GLWorker.exe

C:\Users\Admin\AppData\Local\Temp\6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe
"C:\Users\Admin\AppData\Local\Temp\6c014c435999946756265c8f7ebe8e967ee68d9a79fd458b942a16185e9fb564.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\nsfB8C2.tmp\GamesManagerInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\nsfB8C2.tmp\GamesManagerInstaller.exe" -installer.createiwinshortcuts=yes -config.channel=110341560 -config.uri=http://gm/iwin/index.html -config.channelName=Iplay -config.iwinrequest="PF/55/5499671643818231075/13/0"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
    "C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" -config.uri=http://gm/iwin/index.html -config.channel="110341560" -config.iwinrequest="PF/55/5499671643818231075/13/0"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
      "C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" --type=renderer --no-sandbox --service-pipe-token=BD586F4F1C21EEB35202289F200AB278 --lang=en-US --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/10.0 [x64] CEF/3.3163.1651.gf229796 UAPI" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=BD586F4F1C21EEB35202289F200AB278 --renderer-client-id=2 --mojo-platform-channel-handle=3028 /prefetch:1
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4936
  - - C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
      "C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" --type=gpu-process --no-sandbox --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/10.0 [x64] CEF/3.3163.1651.gf229796 UAPI" --use-gl=swiftshader-webgl --supports-dual-gpus=false --gpu-driver-bug-workarounds=9,12,23,27,49,84 --disable-gl-extensions="GL_KHR_blend_equation_advanced GL_KHR_blend_equation_advanced_coherent" --disable-accelerated-video-decode --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/10.0 [x64] CEF/3.3163.1651.gf229796 UAPI" --service-request-channel-token=B23EEF5D6CD46B0ED9453D9885F6647F --mojo-platform-channel-handle=3736 /prefetch:2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1264
        5⤵
        Program crash
        
        PID:2256
  - - C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
      "C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" --type=gpu-process --no-sandbox --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/10.0 [x64] CEF/3.3163.1651.gf229796 UAPI" --use-gl=swiftshader-webgl --supports-dual-gpus=false --gpu-driver-bug-workarounds=9,12,23,27,49,84 --disable-gl-extensions="GL_KHR_blend_equation_advanced GL_KHR_blend_equation_advanced_coherent" --disable-accelerated-video-decode --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/10.0 [x64] CEF/3.3163.1651.gf229796 UAPI" --service-request-channel-token=78F395BE4CA2CF2C55CF53D6A8EB5243 --mojo-platform-channel-handle=3896 /prefetch:2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 808
        5⤵
        Program crash
        
        PID:2960
  - - C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
      "C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" --type=gpu-process --no-sandbox --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/10.0 [x64] CEF/3.3163.1651.gf229796 UAPI" --use-gl=swiftshader-webgl --supports-dual-gpus=false --gpu-driver-bug-workarounds=9,12,23,27,49,84 --disable-gl-extensions="GL_KHR_blend_equation_advanced GL_KHR_blend_equation_advanced_coherent" --disable-accelerated-video-decode --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/10.0 [x64] CEF/3.3163.1651.gf229796 UAPI" --service-request-channel-token=E48E6AAF513533A7686E2F9834C84409 --mojo-platform-channel-handle=3860 /prefetch:2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 808
        5⤵
        Program crash
        
        PID:3992
  - - C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
      "C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" --type=gpu-process --no-sandbox --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/10.0 [x64] CEF/3.3163.1651.gf229796 UAPI" --use-gl=swiftshader-webgl --supports-dual-gpus=false --gpu-driver-bug-workarounds=9,12,23,27,49,84 --disable-gl-extensions="GL_KHR_blend_equation_advanced GL_KHR_blend_equation_advanced_coherent" --disable-accelerated-video-decode --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) NextDM/3.9.6.631 Chromium/61.0.0.0 Chrome/61.0.0.0 GamesManager/3.9.6.631 110341560 WinVer/10.0 [x64] CEF/3.3163.1651.gf229796 UAPI" --service-request-channel-token=F62B6D3734D339F3A8F517D73C82A846 --mojo-platform-channel-handle=3656 /prefetch:2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 808
        5⤵
        Program crash
        
        PID:3368
  - - C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
      "C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe" -gamestring=55 /S
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1424
  - - C:\Users\Admin\AppData\Local\UGMgames\110341560\55\Jewel Quest\GLWorker.exe
      "C:\Users\Admin\AppData\Local\UGMgames\110341560\55\Jewel Quest\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5499671643750529305
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:4564
  - - C:\Users\Admin\AppData\Local\UGMgames\110341560\55\Jewel Quest\GLWorker.exe
      "C:\Users\Admin\AppData\Local\UGMgames\110341560\55\Jewel Quest\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid5499671643750529305
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:4116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490 0x410
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 536 -ip 536
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1540 -ip 1540
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3556 -ip 3556
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3620 -ip 3620
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GamesManager\110402287\cdata.dat

Filesize
380KB

MD5
ca17a91ba93ac3107487483aff70f7b4

SHA1
3cc944baa4b652889d447556132c2216fd32f781

SHA256
e2adb14b28525bdf844cec0ed47d51232f705489ecb548053c30b5040832ae00

SHA512
745aebeac40d716e7cef02a11bab0083e20554fc741ec3edd1456912dbe02c74559d791b3bc6ee7adfb018deb6bb231b8f0f88cc7a417f40219c7c2b48d1fda9

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\20000002\channel.ico

Filesize
17KB

MD5
fbcad071529c2eb58475faf63d477023

SHA1
1c4a36142ff3042bb30aaf242791d3b26b9865c4

SHA256
1e53c4fc7d6181d4c69e4adf2500d4e1c329c4b491dfad240119479531967dfa

SHA512
0231a1d5e1e578cb1d381955299fd6427363d34ffe232b3e9e8c06f55763fbde0a2cb00cbe7be5f069bd1292e26161d8274cdc18d69bf427944ab28722e56b21

Download Submit
C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe

Filesize
3.7MB

MD5
ff948b22cb83729c3825101e506319f2

SHA1
c1f8f7f7241465a378740cf14c3003818855d8c2

SHA256
4498cac4be3beb2f0733ab6e0d5a3add87270920a4ef08a7f82f46f98fa1cc2a

SHA512
81cf71f9571df6905309edd770ebdb9170b1a1d678bd1187100e43e8f336934080cfeb59558c2d18f05a110d6be2e9860d29419bf2831cb9108495af6538cfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8AC7.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfB8C2.tmp\GamesManagerInstaller.exe

Filesize
44.1MB

MD5
1614a4e091c3e4f6cdf345d3b2ad1339

SHA1
db8c06c407c79bf51ce3efebb228a9114c9b979e

SHA256
1fbc927f228f5d1a33ecc7faf44aea4c4e2c17a7080bdcaba2d6e094d9749506

SHA512
5e5b337b306983e73be46e7bd4ac50cb01e317622b0c1de8aff71d050e85c120447b0dd1fff28e0de19a3d13542b1dac836d6c8bdd92b5238e57e59759e76fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfB8C2.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfB8C2.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBE4.tmp\INetC.dll

Filesize
25KB

MD5
e7ebd034dacf96fcc0c7a35c62477d21

SHA1
cd372d0607d94b48ac84a1738ed434df4d882f22

SHA256
dc84aa66f398781fe76eecf90fc6613f729076552d4b268269228b754bfd70d2

SHA512
df367b39c7c62ba2df1d50cbe3dbc97a7a2719fae7684330b4df971f0742c3447f0beb2d295a206522bbce6fbd0053d188d159f7236b6953d35cbf51aecc1bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBE4.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBE4.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe

Filesize
77KB

MD5
455171a0d8585480d318102d13ca1faf

SHA1
16263b90994f2882ae03d8d190dca0df1204c0a2

SHA256
626953268197dacf5491197a3c4c60b4f2a14c3e878efb640eb48f34c9b23e31

SHA512
8961af0da23f63f5f4fa258bc6532e7ba95ffcdfed71ab813fa0715696b70452f4ef127ed08391edf22dd1fe01e38ee1921551ecba9bb5a79ef18d44ca16d11d

Download Submit
C:\Users\Admin\AppData\Local\UGMgames\110341560\55\Jewel Quest\game.zip

Filesize
12.8MB

MD5
49aad72e86565fcb320d2f6370f27225

SHA1
ac05eb7c2bcd79e9599a94492a5a55396dc97e45

SHA256
dc1babcda4e7fff6f9ca7e5ed81b2231604e5473e55275343560bb62925ea5b4

SHA512
0b86ba7722e894564a50c4376a87237dd3a2be45fb9cbaf5bd0c8269b5d28d9674e03651b29124e20c8f520d80e6634e7f1fb7a9a9b15a90ecd20e624a7b0890

Download Submit
memory/4116-1218-0x0000000002920000-0x0000000002B2C000-memory.dmp

Filesize
2.0MB

Download
memory/4116-1233-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/4116-1226-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/4116-1232-0x0000000002920000-0x0000000002B2C000-memory.dmp

Filesize
2.0MB

Download
memory/4116-1227-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/4116-1228-0x0000000002920000-0x0000000002B2C000-memory.dmp

Filesize
2.0MB

Download
memory/4116-1225-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/4116-1221-0x0000000002920000-0x0000000002B2C000-memory.dmp

Filesize
2.0MB

Download
memory/4564-1193-0x0000000002C00000-0x0000000002E0C000-memory.dmp

Filesize
2.0MB

Download
memory/4564-1200-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/4564-1202-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/4564-1207-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/4564-1205-0x0000000002C00000-0x0000000002E0C000-memory.dmp

Filesize
2.0MB

Download
memory/4564-1201-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/4564-1203-0x0000000002C00000-0x0000000002E0C000-memory.dmp

Filesize
2.0MB

Download
memory/4564-1197-0x0000000002C00000-0x0000000002E0C000-memory.dmp

Filesize
2.0MB

Download
memory/4564-1191-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/4936-665-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download