f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e

Analysis

max time kernel
146s
max time network
156s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01/09/2023, 18:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
Size

3.4MB
MD5

e1e941b059b42eac91aa6d202f25cea4
SHA1

9491962bb2dc1dae6ffd30b444ee307db31869b0
SHA256

f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e
SHA512

3e2e28d1d6e50330dfddab02ae52f51d685e3b6c45e9200b9a1ff95f7dcf5188f18a8a64c10bf68969517a59e001895add9602b206e4ce6686c3a54fb2ee98ff
SSDEEP

49152:uUlKbsdQz7kD/PVTmTN9JgrgNTcFJD+UUL3qFgxhOO23TSUh1P65Cfcg/zd:plKYdc0nVacFJRFAhUhU5CfJ

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SpSvc\Parameters\ServiceDll = "C:\\MobileEmuMaster\\Utils\\spsvc.dll"	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SpSvc\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs"	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe

Executes dropped EXE 5 IoCs

pid	Process
2840	MobileEmuHelper.exe
1640	LDSGameHall.exe
2092	update.exe
2160	LDSGameRun.exe
2548	ComputerZ14.exe

Loads dropped DLL 64 IoCs

pid	Process
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
2840	MobileEmuHelper.exe
2840	MobileEmuHelper.exe
2840	MobileEmuHelper.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1936	svchost.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1996	RegSvr32.exe
2024	RegSvr32.exe
808	regsvr32.exe
2524	regsvr32.exe
1204	Process not Found
1936	svchost.exe
1204	Process not Found
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1640	LDSGameHall.exe
1640	LDSGameHall.exe
1204	Process not Found
1204	Process not Found
1204	Process not Found
1640	LDSGameHall.exe
1640	LDSGameHall.exe
1640	LDSGameHall.exe
1640	LDSGameHall.exe
1640	LDSGameHall.exe
1640	LDSGameHall.exe
1640	LDSGameHall.exe
1640	LDSGameHall.exe
1640	LDSGameHall.exe
2092	update.exe
2092	update.exe
2092	update.exe
2092	update.exe
1640	LDSGameHall.exe
1640	LDSGameHall.exe
1640	LDSGameHall.exe
1640	LDSGameHall.exe
1936	svchost.exe
2092	update.exe
2092	update.exe
2092	update.exe
1640	LDSGameHall.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe

Registers COM server for autorun 1 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E18ACF9-8A61-4A6C-A770-6F739037317F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E18ACF9-8A61-4A6C-A770-6F739037317F}\InprocServer32\ = "C:\\MobileEmuMaster\\GameMemoryOpt_x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7af42ad7-2c1d-4cad-b0ec-7bd8b5ee6346}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7af42ad7-2c1d-4cad-b0ec-7bd8b5ee6346}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7af42ad7-2c1d-4cad-b0ec-7bd8b5ee6346}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7af42ad7-2c1d-4cad-b0ec-7bd8b5ee6346}\InprocServer32\ = "C:\\MobileEmuMaster\\Plugin\\ShellExt_x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}\InProcServer32\ = "C:\\MobileEmuMaster\\Plugin\\ShellExt_x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E18ACF9-8A61-4A6C-A770-6F739037317F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\X:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\S:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\J:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\O:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\H:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\G:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\L:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\M:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\Q:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\R:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\W:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\Y:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\E:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\I:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\K:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\N:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\P:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\T:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\U:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\Z:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened (read-only)	\??\F:	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
File opened for modification	\??\PhysicalDrive0	MobileEmuHelper.exe
File opened for modification	\??\PhysicalDrive0	LDSGameHall.exe
File opened for modification	\??\PhysicalDrive0	update.exe
File opened for modification	\??\PhysicalDrive0	LDSGameRun.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_CE18D35E70C72FBD424F3A4C77930458	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_D5465C6C6A6448F602B724ACE9B47F69	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_CE18D35E70C72FBD424F3A4C77930458	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\360NetUL\svchost.netul.log	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_D5465C6C6A6448F602B724ACE9B47F69	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	LDSGameRun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	LDSGameHall.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\LDSGameHall.exe = "1"	LDSGameHall.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\LDSGameHall.exe = "11001"	LDSGameHall.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT	LDSGameHall.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	LDSGameHall.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\LDSGameHall.exe = "1"	LDSGameHall.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING\LDSGameHall.exe = "1"	LDSGameHall.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALIGNED_TIMERS	LDSGameHall.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALIGNED_TIMERS\LDSGameHall.exe = "1"	LDSGameHall.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	LDSGameHall.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.apk	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E18ACF9-8A61-4A6C-A770-6F739037317F}\InprocServer32\ = "C:\\MobileEmuMaster\\GameMemoryOpt_x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\apkfile_ldsgame\DefaultIcon	LDSGameHall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32FE7CB4-3936-41AF-BF31-6F8FC8F86AC9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.apk\ = "apkfile_ldsgame"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\apkfile_ldsgame\ShellEx\IconHandler	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\apkfile_ldsgame\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{7AF42AD7-2C1D-4CAD-B0EC-7BD8B5EE6346}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShellExt.ShellIcon\CLSID\ = "{7af42ad7-2c1d-4cad-b0ec-7bd8b5ee6346}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7af42ad7-2c1d-4cad-b0ec-7bd8b5ee6346}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6E}\ = "IShellApkInfo2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E18ACF9-8A61-4A6C-A770-6F739037317F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7af42ad7-2c1d-4cad-b0ec-7bd8b5ee6346}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7af42ad7-2c1d-4cad-b0ec-7bd8b5ee6346}\ = "ShellIcon Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7af42ad7-2c1d-4cad-b0ec-7bd8b5ee6346}\TypeLib\ = "{32fe7cb4-3936-41af-bf31-6f8fc8f86ac9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32FE7CB4-3936-41AF-BF31-6F8FC8F86AC9}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32FE7CB4-3936-41AF-BF31-6F8FC8F86AC9}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\apkfile_ldsgame\ShellEx\{00021500-0000-0000-C000-000000000046}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E18ACF9-8A61-4A6C-A770-6F739037317F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\apkfile_ldsgame\Shell\Open\Command\ = "\"C:\\MobileEmuMaster\\LDSGameHall\\LDSGameHall.exe\" /from_shell /DisplayMode=full /RunApkFile=\"%1\""	LDSGameHall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShellExt.ShellIcon.1\ = "ShellIcon Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShellExt.ShellIcon.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7af42ad7-2c1d-4cad-b0ec-7bd8b5ee6346}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}\TypeLib\ = "{32FE7CB4-3936-41AF-BF31-6F8FC8F86AC9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\apkfile_ldsgame\Shell\Open	LDSGameHall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32FE7CB4-3936-41AF-BF31-6F8FC8F86AC9}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\apkfile_ldsgame\Shell\使用手机模拟大师打开\Command\ = "\"C:\\MobileEmuMaster\\LDSGameHall\\LDSGameHall.exe\" /from_shell /DisplayMode=full /RunApkFile=\"%1\""	LDSGameHall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7af42ad7-2c1d-4cad-b0ec-7bd8b5ee6346}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32FE7CB4-3936-41AF-BF31-6F8FC8F86AC9}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6E}\NumMethods	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7af42ad7-2c1d-4cad-b0ec-7bd8b5ee6346}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShellExt.ShellIcon\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32FE7CB4-3936-41AF-BF31-6F8FC8F86AC9}\1.0\0\win64\ = "C:\\MobileEmuMaster\\Plugin\\ShellExt_x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32FE7CB4-3936-41AF-BF31-6F8FC8F86AC9}\1.0\HELPDIR\ = "C:\\MobileEmuMaster\\Plugin"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}\ = "IShellApkInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6E}\TypeLib\ = "{32FE7CB4-3936-41AF-BF31-6F8FC8F86AC9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\apkfile_ldsgame\Shell\使用手机模拟大师打开\Command	LDSGameHall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6E}\TypeLib\ = "{32FE7CB4-3936-41AF-BF31-6F8FC8F86AC9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\apkfile_ldsgame	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\apkfile_ldsgame	LDSGameHall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\apkfile_ldsgame\Shell	LDSGameHall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}\ = "IShellApkInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94800CF5-4B69-43ED-A69E-5358DE0BCF6E}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7af42ad7-2c1d-4cad-b0ec-7bd8b5ee6346}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E18ACF9-8A61-4A6C-A770-6F739037317F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\apkfile_ldsgame\Shell\Open\Command	LDSGameHall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{94800CF5-4B69-43ED-A69E-5358DE0BCF6D}\InProcServer32\ = "C:\\MobileEmuMaster\\Plugin\\ShellExt_x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShellExt.ShellIcon.1	regsvr32.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	LDSGameRun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	LDSGameRun.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	LDSGameRun.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	LDSGameRun.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	LDSGameRun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	LDSGameRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
2840	MobileEmuHelper.exe
1936	svchost.exe
1936	svchost.exe
1640	LDSGameHall.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe
1936	svchost.exe
2160	LDSGameRun.exe
2160	LDSGameRun.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
Token: SeDebugPrivilege	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
Token: SeDebugPrivilege	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
Token: SeDebugPrivilege	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
Token: 33	1640	LDSGameHall.exe
Token: SeIncBasePriorityPrivilege	1640	LDSGameHall.exe
Token: SeDebugPrivilege	2160	LDSGameRun.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1640	LDSGameHall.exe
1640	LDSGameHall.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2840	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	29
PID 1200 wrote to memory of 2840	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	29
PID 1200 wrote to memory of 2840	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	29
PID 1200 wrote to memory of 2840	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	29
PID 1200 wrote to memory of 2024	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	31
PID 1200 wrote to memory of 2024	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	31
PID 1200 wrote to memory of 2024	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	31
PID 1200 wrote to memory of 2024	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	31
PID 1200 wrote to memory of 2024	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	31
PID 1200 wrote to memory of 2024	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	31
PID 1200 wrote to memory of 2024	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	31
PID 1200 wrote to memory of 1996	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	32
PID 1200 wrote to memory of 1996	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	32
PID 1200 wrote to memory of 1996	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	32
PID 1200 wrote to memory of 1996	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	32
PID 1200 wrote to memory of 1996	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	32
PID 1200 wrote to memory of 1996	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	32
PID 1200 wrote to memory of 1996	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	32
PID 2024 wrote to memory of 2524	2024	RegSvr32.exe	33
PID 2024 wrote to memory of 2524	2024	RegSvr32.exe	33
PID 2024 wrote to memory of 2524	2024	RegSvr32.exe	33
PID 2024 wrote to memory of 2524	2024	RegSvr32.exe	33
PID 2024 wrote to memory of 2524	2024	RegSvr32.exe	33
PID 2024 wrote to memory of 2524	2024	RegSvr32.exe	33
PID 2024 wrote to memory of 2524	2024	RegSvr32.exe	33
PID 1996 wrote to memory of 808	1996	RegSvr32.exe	34
PID 1996 wrote to memory of 808	1996	RegSvr32.exe	34
PID 1996 wrote to memory of 808	1996	RegSvr32.exe	34
PID 1996 wrote to memory of 808	1996	RegSvr32.exe	34
PID 1996 wrote to memory of 808	1996	RegSvr32.exe	34
PID 1996 wrote to memory of 808	1996	RegSvr32.exe	34
PID 1996 wrote to memory of 808	1996	RegSvr32.exe	34
PID 1200 wrote to memory of 1640	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	37
PID 1200 wrote to memory of 1640	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	37
PID 1200 wrote to memory of 1640	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	37
PID 1200 wrote to memory of 1640	1200	f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe	37
PID 1640 wrote to memory of 2092	1640	LDSGameHall.exe	38
PID 1640 wrote to memory of 2092	1640	LDSGameHall.exe	38
PID 1640 wrote to memory of 2092	1640	LDSGameHall.exe	38
PID 1640 wrote to memory of 2092	1640	LDSGameHall.exe	38
PID 1640 wrote to memory of 2092	1640	LDSGameHall.exe	38
PID 1640 wrote to memory of 2092	1640	LDSGameHall.exe	38
PID 1640 wrote to memory of 2092	1640	LDSGameHall.exe	38
PID 1640 wrote to memory of 2160	1640	LDSGameHall.exe	39
PID 1640 wrote to memory of 2160	1640	LDSGameHall.exe	39
PID 1640 wrote to memory of 2160	1640	LDSGameHall.exe	39
PID 1640 wrote to memory of 2160	1640	LDSGameHall.exe	39
PID 1936 wrote to memory of 2548	1936	svchost.exe	42
PID 1936 wrote to memory of 2548	1936	svchost.exe	42
PID 1936 wrote to memory of 2548	1936	svchost.exe	42
PID 1936 wrote to memory of 2548	1936	svchost.exe	42

C:\Users\Admin\AppData\Local\Temp\f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe
"C:\Users\Admin\AppData\Local\Temp\f4a4d823df9f181439042e62c776f49a801907228264a44766f985ac4166e74e.exe"
1⤵
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1200
- C:\MobileEmuMaster\Utils\MobileEmuHelper.exe
  C:\MobileEmuMaster\Utils\MobileEmuHelper.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- C:\Windows\SysWOW64\RegSvr32.exe
  "C:\Windows\System32\RegSvr32.exe" /s /i "C:\MobileEmuMaster\GameMemoryOpt_x64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\system32\regsvr32.exe
    /s /i "C:\MobileEmuMaster\GameMemoryOpt_x64.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:2524
- C:\Windows\SysWOW64\RegSvr32.exe
  "C:\Windows\System32\RegSvr32.exe" /s /i "C:\MobileEmuMaster\Plugin\ShellExt_x64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\system32\regsvr32.exe
    /s /i "C:\MobileEmuMaster\Plugin\ShellExt_x64.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:808
- C:\MobileEmuMaster\LDSGameHall\LDSGameHall.exe
  "C:\MobileEmuMaster\LDSGameHall\LDSGameHall.exe" /DisplayMode="hide" /From="inst" /HideBoot /NewInstall /PID="210101" /Push /SubPID="210101"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\MobileEmuMaster\update.exe
    "C:\MobileEmuMaster\update.exe" checkupdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    PID:2092
- - C:\MobileEmuMaster\LDSGameHall\LDSGameRun.exe
    "C:\MobileEmuMaster\LDSGameHall\LDSGameRun.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2160

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936
- \??\c:\mobileemumaster\utils\ComputerZ14.exe
  "c:\mobileemumaster\utils\ComputerZ14.exe"
  2⤵
  - Executes dropped EXE
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MobileEmuMaster\360Base.dll

Filesize
881KB

MD5
84beb92b22b17841b326e4df2d31117b

SHA1
ef3a1cb3f64e3a9084f047c777f3ce29e761aa09

SHA256
51f68c7e9e40694ff4cc49d23a2e406b5feba6f0aa9f998bdd8030065c90a9da

SHA512
4d4b29e84daa5e999a35723bddb32019a306fdefec660fc53244385d960e55a94a9855093fc146e3fa0110f8dc6a264ef4c6802386c19175b7464c629f6fe8e9

Download Submit
C:\MobileEmuMaster\360NetUL.dll

Filesize
234KB

MD5
cd03029957ebc78c0ca7a6c02a9ca846

SHA1
0044114b8073781479044f0294701be9611be2ac

SHA256
139fdd92e6ddf1aac0761a68502b374daa32e82039621018511dc491ed9b4048

SHA512
14c641cb9536def0ddc1969d50b97b83a23017c97373e3ad74d3fbf9825ac81f3fdf8169281c8ad4cebd45d9c9ae05f752d553ba4653e620889b274479cb7c32

Download Submit
C:\MobileEmuMaster\ComputerZ.set

Filesize
52B

MD5
9d536f06db8cc1fee4133d7e97375975

SHA1
fe0226a0aa93d765bafe0c20981113d3a81dcc25

SHA256
055eaf27931514fc262a0a5362adb7c8d80ee737dd554cd9344394fa46aba825

SHA512
147117bf79e837c3023fe287142f8d96e520d92121fa59f3fe959b2d087af8401c0a69bfb4871b7ac8abdeab9672236878ebe4e6b710efa3d38fbae4c8a7c95a

Download Submit
C:\MobileEmuMaster\GameMemoryOpt_x64.dll

Filesize
848KB

MD5
adfc0da3fe579df12c43f2ac66eb0b7d

SHA1
9bf5f696b5dc39fa491b59c899bcdaac30844ff3

SHA256
3bb054b6b71f629d9952c635eb9d7efac4765ff2f28eb8503ae8ba69edc132c2

SHA512
8724efd9e8f0a3c4c939cb85093e5d109690c26c85c80c9ff4e1e167f16600e6c380a968a22f7525a75b88a71f22b661ca61ec62eaec2470f965d891cede438c

Download Submit
C:\MobileEmuMaster\LDSGameHall\LDSGameHall.exe

Filesize
6.2MB

MD5
b63f3cb5cb9533edb75b8c2976870c0d

SHA1
23831b1f837fb51083e00331f5fe8b34c24039df

SHA256
1514fc041f55d0a595dc9b607c1b6b6e9daa4a6af85e9e2e6e0a18ea708498a7

SHA512
18a15ac2730c74d1872ee76d027843af04979d99604680f6f50ce320c4039520d40942a6cdea63d37246df294b63ce51a0874381a2458e041c5192dd095e27c5

Download Submit
C:\MobileEmuMaster\LDSGameHall\LDSGameHall.exe

Filesize
6.2MB

MD5
b63f3cb5cb9533edb75b8c2976870c0d

SHA1
23831b1f837fb51083e00331f5fe8b34c24039df

SHA256
1514fc041f55d0a595dc9b607c1b6b6e9daa4a6af85e9e2e6e0a18ea708498a7

SHA512
18a15ac2730c74d1872ee76d027843af04979d99604680f6f50ce320c4039520d40942a6cdea63d37246df294b63ce51a0874381a2458e041c5192dd095e27c5

Download Submit
C:\MobileEmuMaster\LDSGamePlayerPK\LudashiEmulator.dll

Filesize
561KB

MD5
6926afa7a9d784a482293330b115d72f

SHA1
be993aef2e0e10e17c76cb0881765425168a8275

SHA256
1f697286be87b72ffaa68310400197d26a7ceedc13a4c65cef153a98123853ae

SHA512
e4786a1a21e1222c86cb55769c511a9b79c05f5bd4c7459386a84691d7f50575109b9fd72b4dba8d5f16a97078abefa0a7d674f12e35e69d67428ab5a78ac06b

Download Submit
C:\MobileEmuMaster\Plugin\ShellExt_x64.dll

Filesize
393KB

MD5
0d83f9c3fd4686065c2b043cafc6cbef

SHA1
21d1d93bd079269d5b80685caac952d097fead21

SHA256
653aba53aa7825b89065daccf985fce3e7386d5891f1ace71e79f2cd326c4ed8

SHA512
271cfecb7badd32b968d2d3535edca6ab08ce37e863371c079d34f8f5c0cea2f3b668ae42aa10343ca3878ce402481c20427c002261a0d0d21da56b51c978c17

Download Submit
C:\MobileEmuMaster\Utils\ArCtrl.dll

Filesize
447KB

MD5
68ab43ec86d02a6ea3a82f8abcb3144b

SHA1
48f3dbee1d445bae77d713124dd573d9481cf68a

SHA256
92f31d38813bca69cfe1b83205cc1e87a8131cf293a41200f66b01b28d269ee1

SHA512
bdf5deab1b2987deba6f137e4b28d9bd1e2525bd297011ef23dfbf96290695fecf6881d04a6e4eb736100e5c30c555615844d878279a728f4b7dc18aa8f29b4a

Download Submit
C:\MobileEmuMaster\Utils\CefHelper.dll

Filesize
315KB

MD5
64f0649773f42780ff046387839ace1a

SHA1
9ae24c6c768b8ada9668e2425ee313dc9fbbce92

SHA256
3d6dba53530134f65513b005e55d7893099693f28be84eb12d14616689d3a453

SHA512
0d8c4e7fba3969f11dabd26c7ea32e5021889141dc3f5725362b4c8a260faf16becded7491224dc0ae11214ed63a36c736cf2535cfcbe448944372e00178ee18

Download Submit
C:\MobileEmuMaster\Utils\CheckHp.dll

Filesize
428KB

MD5
f0a993d2968a944f41ea28e20bbfd78d

SHA1
ffcf5c4a79d1f5f290ab3e72d5082fc462b46e38

SHA256
01847fb5a6823dbc6e332477e3132e82897c503a5e0908baf035ed189c8bba29

SHA512
48b4248674c92f5494f9d1a4a71919b5b1894d03767e73e8f4dc00e5f996f9b2b3a31349d7ac085509a0a56ac3205bd2aae933945ffd360a7f05bc76c6e893c6

Download Submit
C:\MobileEmuMaster\Utils\ComputerZ12.dll

Filesize
670KB

MD5
e9729af55f9ef5ae35e2abb46e943180

SHA1
4ae5dc8b8680de5a60787119d25c3f8c81baf981

SHA256
28535efe0e4524ea4ad3a554725346a00b02be3e56a0ae3cd354893190c7b61e

SHA512
0aca33040f71019c7debebd043f26d54ee5baf314a5c5680c20d71dc90855878a7082354b0d91c3b435cc45eb3890693c3ce674cd0542c5f215139be62dd1df9

Download Submit
C:\MobileEmuMaster\Utils\ComputerZ12_x64.dll

Filesize
862KB

MD5
60b437fbddcf701bc4e5a0c842d735d0

SHA1
be144d850bebecb12025a97712acf75fac1aba85

SHA256
e76bb1bf8285b577444c0f159b04facd2417ee0d24c480b4561d4bb5d906d590

SHA512
293b48f088a12055d107f88dce91090326d1eedbfc1600c050836c524264193a409b80dc5faa99e1f8679a4f48b91647608a06745e7cd1d1b36ab1f0c886d22e

Download Submit
C:\MobileEmuMaster\Utils\GMSettings.dll

Filesize
1.4MB

MD5
8616b89250743647d25e99d88c81e8d1

SHA1
6829e908d548c417cd6ff99e826150880510b69a

SHA256
d08ffb7728079598e330fb67eaed411524e392db917fad5aaa7a8d11c8cd39aa

SHA512
0e8a6d55f71315db59cf237636a6a24de83900e60a60c3aa8f17797f6d09deec75bc0dd87ec25e58a6fd3f49a0553b05240dcdca3c8fa7694e83518fd99adcfb

Download Submit
C:\MobileEmuMaster\Utils\InstExt.dll

Filesize
474KB

MD5
31c6e7f6b8d06eb83bedab3cf2b43850

SHA1
d3add1b9879b42d32f1fa71129ea3889ce3b0089

SHA256
3055b6129d237d32b45e18158cb0b175e586090828724fb51ea6e0ba3f9b7b37

SHA512
1585b6063b2c202030cf67de0d47d66d287ae733371eec4f3c9a2a6492d0c38992e2ead8cc97afe8b888c03adcebe8bc904e8978ce13099597e43106f0372429

Download Submit
C:\MobileEmuMaster\Utils\LDSBasic.dll

Filesize
2.1MB

MD5
c35ab236702291f1a2d090af8ea253d9

SHA1
d7f58f0f5fee6b26564af3c5d7ab6defe5a4608d

SHA256
c4dba892a9a1fb675d06dd615c4fc079e9f4e12a8368e8bd18e37137ed567f35

SHA512
87a3fa1927ad2fad117055411a471be95275a4d4bf99ee3ab522faee70067b239bb77ddd94c4300958607efd4a3fc071df2262754557fca2530e70f2c438a068

Download Submit
C:\MobileEmuMaster\Utils\LdsVolumeCtrl.dll

Filesize
110KB

MD5
5c6a3ba2d7f3df29664130df5295d4aa

SHA1
b54567e68fa036feae52513d672daffe188c793b

SHA256
0bbbcbb1bfd65dbb2fc3c671220bff391992eb381c13a4a7dd36fa2bc8e3e902

SHA512
2203fa85012cf535521f07ea2008766ce15e728d61d8a4ab20507c955229fd73c32f742c9c8f7ee9dce67ef2636ed61b9ef80b72d78a3564055a09059e448a16

Download Submit
C:\MobileEmuMaster\Utils\LoginWnd.dll

Filesize
1.1MB

MD5
e7cece8b5d934114d7cd4a19859fce0b

SHA1
d15bdf1f7b7047ea759771fb9161758c191210b3

SHA256
ba83ffb94206ebbedb8cf9d94319e4d0c11861d9e51fce17453bbc6613d97766

SHA512
46b007b6bb66399e9e750d4795e94704cdf04f341af0761b3cf14dc3ca5a8704eaf5bd85675bd4fec7b8370a16c680649c015cc76839eade7001e288d3df0c52

Download Submit
C:\MobileEmuMaster\Utils\MNQAppMon.dll

Filesize
1.0MB

MD5
316e61ec909b3ff9186046716470f64b

SHA1
aee8cf463d92c9ff38fc0a59b0e96ac60dbd01a9

SHA256
f60f0f47651f0203820f753340f0abebabf4c1b42a22f017b740f87513172bde

SHA512
51785025415f8e5b6fd726209c8c41bf9f246ba9573d55a9363af16d630f698452c3fc26c208f7e7ea26cfff6fc51d3b0a25cbfba697012834f52f61aa952d35

Download Submit
C:\MobileEmuMaster\Utils\MobileEmuHelper.exe

Filesize
878KB

MD5
bb586a127fe99513c5a540cc68ecab4b

SHA1
1f4213f961cd623c9737c3b3e5c1a9afe06982dd

SHA256
bf4c007063dec7f125f28271c151d3d6dec82a1469bf48f7705f51231bf1b1c7

SHA512
ee23d248b7336731e1341b00159961355bc73aae9f6424e37291d66a30d126b7ecbdc5b54f666dec555618aec087cbcf12dd57c9d24b6ab189db5a331852f4ca

Download Submit
C:\MobileEmuMaster\Utils\Pop.dll

Filesize
826KB

MD5
34495d47d62fa20162e33c51ff124bf3

SHA1
ccaff0a24fa0f1fec195112369490ffaf675a475

SHA256
57c6e3c264bdf548e00a9f108fb0acde3e705c9db9dec3a81686cf2d118cb539

SHA512
f121b51688d29443fdf512b7630f72fba90b23556a92a4f5fc3ff603722ace6874fd1f545335c94edb9a3e0408cee913d0f11f5473b5b8592c6ac41d6a797a56

Download Submit
C:\MobileEmuMaster\Utils\PopEx.dll

Filesize
461KB

MD5
8b1f289eacf5645dfb905b32b66e7999

SHA1
97a34f0ad5f8a096f18e27a7e0577e0964bb5e6b

SHA256
d5a6c04af66430ed1da3fb65b7e2d4469c4a28d063826579e8ca40516121d2b1

SHA512
2d6ab422453dcbbb4fa60f0da9ae62c99684564459d3ad4590349e44d927961d56f68dcb014971c98ece38380a530d0825824afbd666df0f9fc381e26f4ba97f

Download Submit
C:\MobileEmuMaster\Utils\ProductInfo.dat

Filesize
90KB

MD5
4c2e57c47493428094576f2e1ab2333f

SHA1
0a0253d20746c6d21a7ec4907abfcfdb63dc389a

SHA256
2df2a08c227dfdfd6a51083ce3d6183600b86ce3972173cd86adecc92f5afd0c

SHA512
180eb372e40930f7e2f06eb2f024fedf828b282a08e76e01f22ce48fac575c3f72398b487cdef8050f325ec99def5306f860c92bbfb3a1437e8851cbfa7d3f52

Download Submit
C:\MobileEmuMaster\Utils\SpSvc.dll

Filesize
543KB

MD5
fe9719ed7ed5f3038e682a9e8349507f

SHA1
d27d0f323483fab288a81757fedfb05de8ac3cf4

SHA256
3f014ddca4a013c48302e92de2273787989d08015cfae6ffbbb68dffba4e0ec8

SHA512
b38f4ac3b5418fb83d77fe7333ea6d4ca47c57aeca5b5bc696b4cc04d49bfd6f9e947e3cfe4df33af7cb33cab9557556c3c3ed87d7dc6826c0b671f507c043ad

Download Submit
C:\MobileEmuMaster\Utils\UserCenter.dll

Filesize
267KB

MD5
b67b6dbe72d7aa2c820195424acdf099

SHA1
dbba69652926444aa6e012148a88d5f76d052cef

SHA256
8b976dfe5fe6561285d908c9b562227074eae2553da3c1d0bf413e5e9eef04e2

SHA512
11b7808eb45247cd562e6a1082549736759b84c8c3507579a0459ede58bb0ba24e16bb9b6c4cf37816a4781d482a5e5d05868132274948a0d54b51de122592a2

Download Submit
C:\MobileEmuMaster\Utils\WebView.dll

Filesize
1.3MB

MD5
3a6df12e5a6fdc46d22222df9d70431a

SHA1
0b4c234cbdd9f17e2152a81aae568ffeaaa19646

SHA256
4d310d4fd453ca5538ca72f2898126fea7a25ea00a33285536eb9e0a439620bd

SHA512
18532ca0a98cee7d1398e3a1952e80b2b02e9e6fcba35697c9e1f953241fd9799cf79515645cd937c7d03d36c8c329ab2dca9efd5fb24cbd5abbbb2bb876aed0

Download Submit
C:\MobileEmuMaster\Utils\WndPlugin.dll

Filesize
1.3MB

MD5
fa7ce04df823adec443d0838dc83c1d1

SHA1
922d33dfbbe91ca53b8c0745340ad82dd30fd1a1

SHA256
e48e55166cd00994cf8e5cd1be3d0941a93770d6c219d9673ed678b57ab5da92

SHA512
d19995647f14b2bb961a6084100d1c887eefc2849c8b44f4a408defb8d0b89e479324e12396853672f7e3face80dd51b8c23f2e48d9c2ede838e947c50427a7a

Download Submit
C:\MobileEmuMaster\Utils\down7z.dll

Filesize
971KB

MD5
072c1a273948a92893ed7fc68eb7827b

SHA1
7c20216ca5f105d15dd5a104f8d8a8252a2cc02f

SHA256
fe39c6f5462f0cb8b6ce6c56d16b694cfafef977566e835a8625f413dacf74ff

SHA512
58ceddf7ff04bb1dea33e862f8d5d0f4c0b0f11ac10eade4de5f4c93afbdae840e654dba4b0edf67fe95268df777941e6ba9aa8a6d14ccabb0d83307db7833aa

Download Submit
C:\MobileEmuMaster\Utils\netul.dll

Filesize
1.9MB

MD5
d8b0dd8a7b046b8a0584a48d03658214

SHA1
8b04bd4568dc38be26eb94c8eadea830db87b0c5

SHA256
3c4b4b34a093c6e261e7189b02691627b4bfc4a479fdf09b8c4814f1f49af550

SHA512
82cde319f934f76ce46a31b44fa94db8810d6a203c5d08c9a791011ceb783d7c10ec1b1a7bee89822a748edc92551fb41fcb1d7a1f513932552bd4184822075e

Download Submit
C:\MobileEmuMaster\Utils\netul64.dll

Filesize
2.3MB

MD5
ce75bd2c1e3770f3cd1d2089e3ac2b42

SHA1
c275522fa544fed25778ca25f92bcdf4f39a4259

SHA256
3d4adf447f8a82b179992c21978337fcadc47db9e5253adb8a3504c8d6582036

SHA512
26f30277bc94c0ece4bd76e24cc056606ab783fbd464f06c21e0ce5b8fb2c04d7b60dc29b4e72d0406b06eedc546aad648cdbaa9c377850a2cd4dc5d7e1ed218

Download Submit
C:\MobileEmuMaster\Utils\pgstation.dll

Filesize
14.0MB

MD5
dea322691d9d605ee6d544b287612b48

SHA1
704365c51ba313c57c4f565e031b881fe22282de

SHA256
9a186a67554e59e8ace3fc58a3d3b05ef91f0f83dacff48a349260cf001a7213

SHA512
2a607fbb43a1c9b44fcfd5731ee111ff0dffb14fdfe03629cd981ba262f344feed0f61561c20180133ac8f22a2c54fc63b5c449146241c5804eee3d52c3254aa

Download Submit
C:\MobileEmuMaster\Utils\product_helper.dll

Filesize
728KB

MD5
5e6fa10455a33ecffbd2a9487c91424b

SHA1
8424351101fed9b290ab52fe9b8af896cb4885d5

SHA256
7ca0c97a500d82494070865ca478b2e99a8bd3c02a4e27b101d1f2ca61229de7

SHA512
1d5a15fafc3ee273c8d04ab2f39fc6b389f1445a1e356c87616b0ed9a8bd2f55449816155694a92333876dfbb48074617a747087aec3fbf85ac166aa37cff48e

Download Submit
C:\MobileEmuMaster\Utils\product_helper_x64.dll

Filesize
839KB

MD5
551e02af61cd1324f18ad0951f87eba7

SHA1
8a33d2332f345bb29b7409b7173f590473cc1f2a

SHA256
affe4376e85fb36d30c31ee3cecb5dbd82e97d87d1fd04aff2b35789055189f3

SHA512
e686f1883ebc1ea02a086e916ea315b4404c931e7b854bb31cf38d87a3ad51f840bd6ea0d0fed4489d33e6e9396f345285a76f3f235f94ad2bb3b1ef115e7268

Download Submit
C:\MobileEmuMaster\gamemaster_setup.log

Filesize
2KB

MD5
fe4f6df1f8e15bfe4f85d1a967c8866c

SHA1
89754e8dfc015a38d0450c44d66fe749424ddde8

SHA256
865e30f4554782c3912ac528689a024abb9e3a2a4bd525f62e1fa0a186e81eb9

SHA512
4f9baa9c85b1a924c97494356d468972336037e14837d30e63c5bb3aeb7a6ea27e7cb22de0cbfa1581834350345e33580ac8cc3cf93da5402da0a60a642d6162

Download Submit
C:\MobileEmuMaster\gamemaster_setup.log

Filesize
3KB

MD5
2262f105e8094b1f2cd53926c594c256

SHA1
7fc14cd35b02d088e900cfe996247028a1f35fe0

SHA256
0ca7c86a9fe903b3d944f8ded9172d44af1e901680fbc945e97d6aa4fbdc31ea

SHA512
592bba5a8b4faf8c822e3baf81774fd23288bb73dfbbd4955cc75abcba244c37afc8a78de28c34bd6e61261770a067121621381c776cb3b73d60b4177fe79ecd

Download Submit
C:\MobileEmuMaster\gamemaster_setup.log

Filesize
4KB

MD5
e01f6cd0997df7eb87556f44caa3f5e7

SHA1
1f1083c93cdfc82688a32f64649f4c40738c338e

SHA256
14cb66b4820c0b6586e80bb5dca64f9fd380939b7a9e4bbc301280d6433f8907

SHA512
1f44e7bcd90adca580d162e8be4a19d0089aba9dea1d7e4bdd39013bb2bbad170d71742c1904ed51d2d24ed574f2cf50be29bee2aeed2c0a4789e61be4e67aba

Download Submit
C:\MobileEmuMaster\updatecfg.ini

Filesize
2KB

MD5
9b592ae3c40b5f8f714404167fbd91f8

SHA1
b2dc3e7e08b0c3a09ca349264d79b0ab6f16bb2b

SHA256
32418be059f7fca106b3dc6db72c668e8c1cfff6602581ce2671aba115b72070

SHA512
480de55b6a4aeded4e78177acdbbdba9b82e99b1beeee4663f9d4150add3f3d29378e4e84a05692d9fba9195c5d9a0d17e8dc2166932ad55cff766919d872d0e

Download Submit
C:\ProgramData\{AD13A369-D8F7-44e4-AEA9-52639A4C0E79}.tmp\360NetUL.dll

Filesize
234KB

MD5
cd03029957ebc78c0ca7a6c02a9ca846

SHA1
0044114b8073781479044f0294701be9611be2ac

SHA256
139fdd92e6ddf1aac0761a68502b374daa32e82039621018511dc491ed9b4048

SHA512
14c641cb9536def0ddc1969d50b97b83a23017c97373e3ad74d3fbf9825ac81f3fdf8169281c8ad4cebd45d9c9ae05f752d553ba4653e620889b274479cb7c32

Download Submit
C:\ProgramData\{AD13A369-D8F7-44e4-AEA9-52639A4C0E79}.tmp\Utils\LDSBasic.dll

Filesize
2.1MB

MD5
c35ab236702291f1a2d090af8ea253d9

SHA1
d7f58f0f5fee6b26564af3c5d7ab6defe5a4608d

SHA256
c4dba892a9a1fb675d06dd615c4fc079e9f4e12a8368e8bd18e37137ed567f35

SHA512
87a3fa1927ad2fad117055411a471be95275a4d4bf99ee3ab522faee70067b239bb77ddd94c4300958607efd4a3fc071df2262754557fca2530e70f2c438a068

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

Filesize
404B

MD5
a8169aead1d428486f6123a5ec7879cf

SHA1
f6fb9b1c1b517a20d473cc4b3532873a537326c4

SHA256
4ecd4749158750200daaaf69c50c166e0521417d69409e2015ec76caf6d6df49

SHA512
e443e5f735083899cf7e65e1fdf4a708b2bfa4b632d099f5b7590bbd88be81fcd80b225ecfb558df67a31b5d3ec427671f4166023d6f1a240655e0a16ba83c1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

Filesize
404B

MD5
bb65708e390b47613b25ef3807506dfb

SHA1
a19e7bf4d3b5201a2f96ab4cb1d280fafc922e1b

SHA256
15adeca07049191e7250af737e9a2a068dccbbb1e5e7e2b236c4bf2fa4b8343d

SHA512
efa4564e9e06147224cad72aac46156b4fd1969d085d3d66dc235a56d9eac69239e28b3f19fecdc6e6cc74e033fd3c11779482ecbe8ccd72100384acd36b6754

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F

Filesize
188B

MD5
19a722012af73f53cdff7d2b1c715b55

SHA1
af9a7eea2b728e3773ca00629cc963d368e4b667

SHA256
1465b6208b5286cc818a10760d5f2f4c30e786b6608e861b74561739fecc3898

SHA512
df94f52b35f8c28231f95fb261908ff2079f070536da8277e648187c44809d6975fc59c899390ae1d617237f52845dc6ea6b543dd649316e47fbc47da20da045

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
465f9508cbef49a9423c6ba85d9c304f

SHA1
9710f831b5d9301e04a6cfb0baed1f0681777f4e

SHA256
16444d600d5c451fc0ab36d0bdf7f9c8998d775f3db4564d52865ac003fafcd9

SHA512
27c94db057027fd87a99fe6ac46f99ff220c1875baf5d23e6a5fff18a47b82a8a1d6e862a15aa2510dece85ff0f4a62be0f6a7626f4dc2f836e4ae5bd113d9e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9e61293cae499e7f126f8b6d4ec19f92

SHA1
be8d9f679a4b1fd5648913b029e603856164d708

SHA256
04e793975c06e010b3113551e5fe55cc37358adcbe7e0344adf5e3f1dfa210f0

SHA512
2388459b258732284fa4ae7447b703f970f94e9e5e019eaea98e3d04ce5a65538381fd84100d4b093ebd8793e199e2c915a39b90249260ad258836cf4f5c6192

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2a7252bf8075b1dd33625b6ef6d16697

SHA1
283d31096f67477b8ef172fd195237be51ce2076

SHA256
f76f2eab47c7d29b3f7fad03be0c0e7d50bcb8b2cb4b1a249ea20dc08aa03263

SHA512
cea0e1165b0e9b0c27a56238c52fd3ac4beb5d1fa17ab374c6250b1eb83b3e216c2c961d48505328a654340424bf1300efd59a85b0a0655423c3fa41cbcfcf89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\04G0TJCH\mgame[1].txt

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ee17ba6307f5c50de9d559a5e2b272fb

SHA1
9ff6cb926d003d52956895ecf0bb936620af3342

SHA256
b1f33e2f46801fb19ebedc0dbc4e67a21f058032b22ca6ba14f7ffa5e5dfea0c

SHA512
f0d70dfd728ecf8e2f516323731302a749b7af634e738917070be3019f5b023e743fa5fa857d100d0f6b3687c0c8de80b844bbae981ff28cf1e0665ecbc900f2

Download Submit
C:\Windows\Temp\TarDB18.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
\??\c:\mobileemumaster\NetBridge.dll

Filesize
238KB

MD5
8786d469338c30e0ba9fedfc62bd5197

SHA1
5fb12028ceae9772f938e1b98b699f0e02e32718

SHA256
beeaf8b72f7008e9adabacfcd85e32a50747a0dfb5c86802aeb973bd1f5c3d2f

SHA512
5db1e5b78e62cda81a63e8e712e720f87a7c7a539237a55a9098c076f9fb4e0b5adb83383c23657b4ccc90c117e55e3946a399cdf3d15cb94444b203d9d6c45c

Download Submit
\MobileEmuMaster\360Base.dll

Filesize
881KB

MD5
84beb92b22b17841b326e4df2d31117b

SHA1
ef3a1cb3f64e3a9084f047c777f3ce29e761aa09

SHA256
51f68c7e9e40694ff4cc49d23a2e406b5feba6f0aa9f998bdd8030065c90a9da

SHA512
4d4b29e84daa5e999a35723bddb32019a306fdefec660fc53244385d960e55a94a9855093fc146e3fa0110f8dc6a264ef4c6802386c19175b7464c629f6fe8e9

Download Submit
\MobileEmuMaster\360Base64.dll

Filesize
1.1MB

MD5
78daff414cb587699bed6980cebbf8a5

SHA1
eafca98f4b33643162eec9b2d6e1f558e3bad06a

SHA256
d972d608bc83e3642a8236f8f482d60dcf3138bbed55ef86fd228ee96aa9cb9e

SHA512
0f60f11d6ddbc8e38079093cf0889b6fd8cb9c2fb598fc83d838776771ce4c78c908c00f8980c14b8eb8ffdb6ecae9561db1291ea5cb68bfe8be9c2f1493b32a

Download Submit
\MobileEmuMaster\360NetUL.dll

Filesize
234KB

MD5
cd03029957ebc78c0ca7a6c02a9ca846

SHA1
0044114b8073781479044f0294701be9611be2ac

SHA256
139fdd92e6ddf1aac0761a68502b374daa32e82039621018511dc491ed9b4048

SHA512
14c641cb9536def0ddc1969d50b97b83a23017c97373e3ad74d3fbf9825ac81f3fdf8169281c8ad4cebd45d9c9ae05f752d553ba4653e620889b274479cb7c32

Download Submit
\MobileEmuMaster\GameMemoryOpt_x64.dll

Filesize
848KB

MD5
adfc0da3fe579df12c43f2ac66eb0b7d

SHA1
9bf5f696b5dc39fa491b59c899bcdaac30844ff3

SHA256
3bb054b6b71f629d9952c635eb9d7efac4765ff2f28eb8503ae8ba69edc132c2

SHA512
8724efd9e8f0a3c4c939cb85093e5d109690c26c85c80c9ff4e1e167f16600e6c380a968a22f7525a75b88a71f22b661ca61ec62eaec2470f965d891cede438c

Download Submit
\MobileEmuMaster\GameMemoryOpt_x64.dll

Filesize
848KB

MD5
adfc0da3fe579df12c43f2ac66eb0b7d

SHA1
9bf5f696b5dc39fa491b59c899bcdaac30844ff3

SHA256
3bb054b6b71f629d9952c635eb9d7efac4765ff2f28eb8503ae8ba69edc132c2

SHA512
8724efd9e8f0a3c4c939cb85093e5d109690c26c85c80c9ff4e1e167f16600e6c380a968a22f7525a75b88a71f22b661ca61ec62eaec2470f965d891cede438c

Download Submit
\MobileEmuMaster\GameMemoryOpt_x64.dll

Filesize
848KB

MD5
adfc0da3fe579df12c43f2ac66eb0b7d

SHA1
9bf5f696b5dc39fa491b59c899bcdaac30844ff3

SHA256
3bb054b6b71f629d9952c635eb9d7efac4765ff2f28eb8503ae8ba69edc132c2

SHA512
8724efd9e8f0a3c4c939cb85093e5d109690c26c85c80c9ff4e1e167f16600e6c380a968a22f7525a75b88a71f22b661ca61ec62eaec2470f965d891cede438c

Download Submit
\MobileEmuMaster\LDSGameHall\LDSGameHall.exe

Filesize
6.2MB

MD5
b63f3cb5cb9533edb75b8c2976870c0d

SHA1
23831b1f837fb51083e00331f5fe8b34c24039df

SHA256
1514fc041f55d0a595dc9b607c1b6b6e9daa4a6af85e9e2e6e0a18ea708498a7

SHA512
18a15ac2730c74d1872ee76d027843af04979d99604680f6f50ce320c4039520d40942a6cdea63d37246df294b63ce51a0874381a2458e041c5192dd095e27c5

Download Submit
\MobileEmuMaster\LDSGameHall\LDSGameHall.exe

Filesize
6.2MB

MD5
b63f3cb5cb9533edb75b8c2976870c0d

SHA1
23831b1f837fb51083e00331f5fe8b34c24039df

SHA256
1514fc041f55d0a595dc9b607c1b6b6e9daa4a6af85e9e2e6e0a18ea708498a7

SHA512
18a15ac2730c74d1872ee76d027843af04979d99604680f6f50ce320c4039520d40942a6cdea63d37246df294b63ce51a0874381a2458e041c5192dd095e27c5

Download Submit
\MobileEmuMaster\LDSGameHall\LDSGameHall.exe

Filesize
6.2MB

MD5
b63f3cb5cb9533edb75b8c2976870c0d

SHA1
23831b1f837fb51083e00331f5fe8b34c24039df

SHA256
1514fc041f55d0a595dc9b607c1b6b6e9daa4a6af85e9e2e6e0a18ea708498a7

SHA512
18a15ac2730c74d1872ee76d027843af04979d99604680f6f50ce320c4039520d40942a6cdea63d37246df294b63ce51a0874381a2458e041c5192dd095e27c5

Download Submit
\MobileEmuMaster\LDSGameHall\LDSGameHall.exe

Filesize
6.2MB

MD5
b63f3cb5cb9533edb75b8c2976870c0d

SHA1
23831b1f837fb51083e00331f5fe8b34c24039df

SHA256
1514fc041f55d0a595dc9b607c1b6b6e9daa4a6af85e9e2e6e0a18ea708498a7

SHA512
18a15ac2730c74d1872ee76d027843af04979d99604680f6f50ce320c4039520d40942a6cdea63d37246df294b63ce51a0874381a2458e041c5192dd095e27c5

Download Submit
\MobileEmuMaster\LDSGameHall\LDSGameHall.exe

Filesize
6.2MB

MD5
b63f3cb5cb9533edb75b8c2976870c0d

SHA1
23831b1f837fb51083e00331f5fe8b34c24039df

SHA256
1514fc041f55d0a595dc9b607c1b6b6e9daa4a6af85e9e2e6e0a18ea708498a7

SHA512
18a15ac2730c74d1872ee76d027843af04979d99604680f6f50ce320c4039520d40942a6cdea63d37246df294b63ce51a0874381a2458e041c5192dd095e27c5

Download Submit
\MobileEmuMaster\LDSGameHall\LDSGameHall.exe

Filesize
6.2MB

MD5
b63f3cb5cb9533edb75b8c2976870c0d

SHA1
23831b1f837fb51083e00331f5fe8b34c24039df

SHA256
1514fc041f55d0a595dc9b607c1b6b6e9daa4a6af85e9e2e6e0a18ea708498a7

SHA512
18a15ac2730c74d1872ee76d027843af04979d99604680f6f50ce320c4039520d40942a6cdea63d37246df294b63ce51a0874381a2458e041c5192dd095e27c5

Download Submit
\MobileEmuMaster\LDSGameHall\LDSGameHall.exe

Filesize
6.2MB

MD5
b63f3cb5cb9533edb75b8c2976870c0d

SHA1
23831b1f837fb51083e00331f5fe8b34c24039df

SHA256
1514fc041f55d0a595dc9b607c1b6b6e9daa4a6af85e9e2e6e0a18ea708498a7

SHA512
18a15ac2730c74d1872ee76d027843af04979d99604680f6f50ce320c4039520d40942a6cdea63d37246df294b63ce51a0874381a2458e041c5192dd095e27c5

Download Submit
\MobileEmuMaster\LDSGamePlayerPK\LudashiEmulator.dll

Filesize
561KB

MD5
6926afa7a9d784a482293330b115d72f

SHA1
be993aef2e0e10e17c76cb0881765425168a8275

SHA256
1f697286be87b72ffaa68310400197d26a7ceedc13a4c65cef153a98123853ae

SHA512
e4786a1a21e1222c86cb55769c511a9b79c05f5bd4c7459386a84691d7f50575109b9fd72b4dba8d5f16a97078abefa0a7d674f12e35e69d67428ab5a78ac06b

Download Submit
\MobileEmuMaster\LDSGameVer.dll

Filesize
9KB

MD5
985ca3b7263f73be66446a27a166f654

SHA1
14dff97b67ddf5327ebd006d0cbd0ac6333c32de

SHA256
acf0457cf07a5d103f76e843c0ef12086a39c69806caf75860407a371b24f9ad

SHA512
08f513e52dd0a333b89950a7298d860e14d9792dd805b1276455150af64b73a9065f7ab6ecfa98b48a1c34a444a9b99f53c0f69fa9419d90808b6b647c533c51

Download Submit
\MobileEmuMaster\LDSGameVer.dll

Filesize
9KB

MD5
985ca3b7263f73be66446a27a166f654

SHA1
14dff97b67ddf5327ebd006d0cbd0ac6333c32de

SHA256
acf0457cf07a5d103f76e843c0ef12086a39c69806caf75860407a371b24f9ad

SHA512
08f513e52dd0a333b89950a7298d860e14d9792dd805b1276455150af64b73a9065f7ab6ecfa98b48a1c34a444a9b99f53c0f69fa9419d90808b6b647c533c51

Download Submit
\MobileEmuMaster\Plugin\ShellExt_x64.dll

Filesize
393KB

MD5
0d83f9c3fd4686065c2b043cafc6cbef

SHA1
21d1d93bd079269d5b80685caac952d097fead21

SHA256
653aba53aa7825b89065daccf985fce3e7386d5891f1ace71e79f2cd326c4ed8

SHA512
271cfecb7badd32b968d2d3535edca6ab08ce37e863371c079d34f8f5c0cea2f3b668ae42aa10343ca3878ce402481c20427c002261a0d0d21da56b51c978c17

Download Submit
\MobileEmuMaster\Plugin\ShellExt_x64.dll

Filesize
393KB

MD5
0d83f9c3fd4686065c2b043cafc6cbef

SHA1
21d1d93bd079269d5b80685caac952d097fead21

SHA256
653aba53aa7825b89065daccf985fce3e7386d5891f1ace71e79f2cd326c4ed8

SHA512
271cfecb7badd32b968d2d3535edca6ab08ce37e863371c079d34f8f5c0cea2f3b668ae42aa10343ca3878ce402481c20427c002261a0d0d21da56b51c978c17

Download Submit
\MobileEmuMaster\Utils\ArCtrl.dll

Filesize
447KB

MD5
68ab43ec86d02a6ea3a82f8abcb3144b

SHA1
48f3dbee1d445bae77d713124dd573d9481cf68a

SHA256
92f31d38813bca69cfe1b83205cc1e87a8131cf293a41200f66b01b28d269ee1

SHA512
bdf5deab1b2987deba6f137e4b28d9bd1e2525bd297011ef23dfbf96290695fecf6881d04a6e4eb736100e5c30c555615844d878279a728f4b7dc18aa8f29b4a

Download Submit
\MobileEmuMaster\Utils\CheckHp.dll

Filesize
428KB

MD5
f0a993d2968a944f41ea28e20bbfd78d

SHA1
ffcf5c4a79d1f5f290ab3e72d5082fc462b46e38

SHA256
01847fb5a6823dbc6e332477e3132e82897c503a5e0908baf035ed189c8bba29

SHA512
48b4248674c92f5494f9d1a4a71919b5b1894d03767e73e8f4dc00e5f996f9b2b3a31349d7ac085509a0a56ac3205bd2aae933945ffd360a7f05bc76c6e893c6

Download Submit
\MobileEmuMaster\Utils\ComputerZ12_x64.dll

Filesize
862KB

MD5
60b437fbddcf701bc4e5a0c842d735d0

SHA1
be144d850bebecb12025a97712acf75fac1aba85

SHA256
e76bb1bf8285b577444c0f159b04facd2417ee0d24c480b4561d4bb5d906d590

SHA512
293b48f088a12055d107f88dce91090326d1eedbfc1600c050836c524264193a409b80dc5faa99e1f8679a4f48b91647608a06745e7cd1d1b36ab1f0c886d22e

Download Submit
\MobileEmuMaster\Utils\InstExt.dll

Filesize
474KB

MD5
31c6e7f6b8d06eb83bedab3cf2b43850

SHA1
d3add1b9879b42d32f1fa71129ea3889ce3b0089

SHA256
3055b6129d237d32b45e18158cb0b175e586090828724fb51ea6e0ba3f9b7b37

SHA512
1585b6063b2c202030cf67de0d47d66d287ae733371eec4f3c9a2a6492d0c38992e2ead8cc97afe8b888c03adcebe8bc904e8978ce13099597e43106f0372429

Download Submit
\MobileEmuMaster\Utils\MobileEmuHelper.exe

Filesize
878KB

MD5
bb586a127fe99513c5a540cc68ecab4b

SHA1
1f4213f961cd623c9737c3b3e5c1a9afe06982dd

SHA256
bf4c007063dec7f125f28271c151d3d6dec82a1469bf48f7705f51231bf1b1c7

SHA512
ee23d248b7336731e1341b00159961355bc73aae9f6424e37291d66a30d126b7ecbdc5b54f666dec555618aec087cbcf12dd57c9d24b6ab189db5a331852f4ca

Download Submit
\MobileEmuMaster\Utils\SpSvc.dll

Filesize
543KB

MD5
fe9719ed7ed5f3038e682a9e8349507f

SHA1
d27d0f323483fab288a81757fedfb05de8ac3cf4

SHA256
3f014ddca4a013c48302e92de2273787989d08015cfae6ffbbb68dffba4e0ec8

SHA512
b38f4ac3b5418fb83d77fe7333ea6d4ca47c57aeca5b5bc696b4cc04d49bfd6f9e947e3cfe4df33af7cb33cab9557556c3c3ed87d7dc6826c0b671f507c043ad

Download Submit
\MobileEmuMaster\Utils\SpSvc.dll

Filesize
543KB

MD5
fe9719ed7ed5f3038e682a9e8349507f

SHA1
d27d0f323483fab288a81757fedfb05de8ac3cf4

SHA256
3f014ddca4a013c48302e92de2273787989d08015cfae6ffbbb68dffba4e0ec8

SHA512
b38f4ac3b5418fb83d77fe7333ea6d4ca47c57aeca5b5bc696b4cc04d49bfd6f9e947e3cfe4df33af7cb33cab9557556c3c3ed87d7dc6826c0b671f507c043ad

Download Submit
\MobileEmuMaster\Utils\product_helper.dll

Filesize
728KB

MD5
5e6fa10455a33ecffbd2a9487c91424b

SHA1
8424351101fed9b290ab52fe9b8af896cb4885d5

SHA256
7ca0c97a500d82494070865ca478b2e99a8bd3c02a4e27b101d1f2ca61229de7

SHA512
1d5a15fafc3ee273c8d04ab2f39fc6b389f1445a1e356c87616b0ed9a8bd2f55449816155694a92333876dfbb48074617a747087aec3fbf85ac166aa37cff48e

Download Submit
\Users\Admin\AppData\Local\LDSGameMaster\Store\360Base\360NetUL.dll

Filesize
234KB

MD5
cd03029957ebc78c0ca7a6c02a9ca846

SHA1
0044114b8073781479044f0294701be9611be2ac

SHA256
139fdd92e6ddf1aac0761a68502b374daa32e82039621018511dc491ed9b4048

SHA512
14c641cb9536def0ddc1969d50b97b83a23017c97373e3ad74d3fbf9825ac81f3fdf8169281c8ad4cebd45d9c9ae05f752d553ba4653e620889b274479cb7c32

Download Submit
\Users\Admin\AppData\Local\LDSGameMaster\Store\360Base\Utils\LDSBasic.dll

Filesize
2.1MB

MD5
c35ab236702291f1a2d090af8ea253d9

SHA1
d7f58f0f5fee6b26564af3c5d7ab6defe5a4608d

SHA256
c4dba892a9a1fb675d06dd615c4fc079e9f4e12a8368e8bd18e37137ed567f35

SHA512
87a3fa1927ad2fad117055411a471be95275a4d4bf99ee3ab522faee70067b239bb77ddd94c4300958607efd4a3fc071df2262754557fca2530e70f2c438a068

Download Submit
\Users\Admin\AppData\Local\Temp\refineinst.dll

Filesize
37.1MB

MD5
bd2d6fe455dee9667df185000d2dd979

SHA1
a6658afc14b4f92323c5731ab0b003058e82cd25

SHA256
2eb9d3a4d3431076508feaf9f08f79d27e33d0137bcd99828bd34e5434aca2c5

SHA512
315e794afc3727cbe9d6b3d1e16607b52ed95b9bc8b916e1c86bc71febced046cc0014a7c2db7ce2f622fc102d2717f8e2a3eccbd142d2b71d4b81123110de5b

Download Submit
\Users\Admin\AppData\Local\Temp\{A3108838-FEBC-44ec-8D4C-2316515F6903}.tmp\7z.dll

Filesize
1.1MB

MD5
a46135bdd574092d85955070e72d5aad

SHA1
aad137b0a883fea22b7118778512ffc7865513bc

SHA256
aa57160684feb240a85da677caaf7cf6a08b7349d89ae9cb4a3476884d80aac5

SHA512
72188f348d9ae33e2b5a7886c80667cc3015bfac170249537baa9e31abf8d63ca198903206feb64887f1d509a1b9bfc9f54ede8b3aa26bee3f5c4375e5c6a24b

Download Submit
memory/1200-61-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1200-527-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1640-561-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/1640-1029-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/2160-618-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2160-1030-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2160-1042-0x000000006F6B0000-0x000000006F9DD000-memory.dmp

Filesize
3.2MB

Download
memory/2160-1067-0x000000006F6B0000-0x000000006F9DD000-memory.dmp

Filesize
3.2MB

Download
memory/2160-1073-0x000000006F6B0000-0x000000006F9DD000-memory.dmp

Filesize
3.2MB

Download
memory/2548-1063-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2840-426-0x0000000077920000-0x0000000077930000-memory.dmp

Filesize
64KB

Download
memory/2840-453-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2840-428-0x0000000077920000-0x0000000077930000-memory.dmp

Filesize
64KB

Download