16f7d9d609c24c5af75c0141059d49008eb9b1f016d198e224bdb486668cc7b5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe
Size

3.3MB
MD5

e23d97827ea3c90cd85f2d11402e8940
SHA1

67c01979b3516f9c3082cc05367142a74e413be8
SHA256

16f7d9d609c24c5af75c0141059d49008eb9b1f016d198e224bdb486668cc7b5
SHA512

e9dfd9ebf77aa615b17c05f99a5efed0c5dc993b7ca59800aa7ffa45d0d7fe4e207d0e4386c4fd9b11ceb49b5a4d28b4014ab9d6327ed86a8321cd9f3e90f646
SSDEEP

98304:EyasyD6Lvd557Vh2EKTlpFGuKIKRv6owpuC:XyOT57V7jFiowgC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe

Executes dropped EXE 2 IoCs

pid	Process
3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe
4888	sysinfo-app.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe
1788	powershell.exe
1788	powershell.exe
4532	powershell.exe
4532	powershell.exe
4844	powershell.exe
4844	powershell.exe
5020	powershell.exe
5020	powershell.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
5024	powershell.exe
5024	powershell.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeIncreaseQuotaPrivilege	1788	powershell.exe
Token: SeSecurityPrivilege	1788	powershell.exe
Token: SeTakeOwnershipPrivilege	1788	powershell.exe
Token: SeLoadDriverPrivilege	1788	powershell.exe
Token: SeSystemProfilePrivilege	1788	powershell.exe
Token: SeSystemtimePrivilege	1788	powershell.exe
Token: SeProfSingleProcessPrivilege	1788	powershell.exe
Token: SeIncBasePriorityPrivilege	1788	powershell.exe
Token: SeCreatePagefilePrivilege	1788	powershell.exe
Token: SeBackupPrivilege	1788	powershell.exe
Token: SeRestorePrivilege	1788	powershell.exe
Token: SeShutdownPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeSystemEnvironmentPrivilege	1788	powershell.exe
Token: SeRemoteShutdownPrivilege	1788	powershell.exe
Token: SeUndockPrivilege	1788	powershell.exe
Token: SeManageVolumePrivilege	1788	powershell.exe
Token: 33	1788	powershell.exe
Token: 34	1788	powershell.exe
Token: 35	1788	powershell.exe
Token: 36	1788	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeIncreaseQuotaPrivilege	4532	powershell.exe
Token: SeSecurityPrivilege	4532	powershell.exe
Token: SeTakeOwnershipPrivilege	4532	powershell.exe
Token: SeLoadDriverPrivilege	4532	powershell.exe
Token: SeSystemProfilePrivilege	4532	powershell.exe
Token: SeSystemtimePrivilege	4532	powershell.exe
Token: SeProfSingleProcessPrivilege	4532	powershell.exe
Token: SeIncBasePriorityPrivilege	4532	powershell.exe
Token: SeCreatePagefilePrivilege	4532	powershell.exe
Token: SeBackupPrivilege	4532	powershell.exe
Token: SeRestorePrivilege	4532	powershell.exe
Token: SeShutdownPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeSystemEnvironmentPrivilege	4532	powershell.exe
Token: SeRemoteShutdownPrivilege	4532	powershell.exe
Token: SeUndockPrivilege	4532	powershell.exe
Token: SeManageVolumePrivilege	4532	powershell.exe
Token: 33	4532	powershell.exe
Token: 34	4532	powershell.exe
Token: 35	4532	powershell.exe
Token: 36	4532	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeIncreaseQuotaPrivilege	4844	powershell.exe
Token: SeSecurityPrivilege	4844	powershell.exe
Token: SeTakeOwnershipPrivilege	4844	powershell.exe
Token: SeLoadDriverPrivilege	4844	powershell.exe
Token: SeSystemProfilePrivilege	4844	powershell.exe
Token: SeSystemtimePrivilege	4844	powershell.exe
Token: SeProfSingleProcessPrivilege	4844	powershell.exe
Token: SeIncBasePriorityPrivilege	4844	powershell.exe
Token: SeCreatePagefilePrivilege	4844	powershell.exe
Token: SeBackupPrivilege	4844	powershell.exe
Token: SeRestorePrivilege	4844	powershell.exe
Token: SeShutdownPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeSystemEnvironmentPrivilege	4844	powershell.exe
Token: SeRemoteShutdownPrivilege	4844	powershell.exe
Token: SeUndockPrivilege	4844	powershell.exe
Token: SeManageVolumePrivilege	4844	powershell.exe
Token: 33	4844	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4888	sysinfo-app.exe
3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe
3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 3160	4572	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	86
PID 4572 wrote to memory of 3160	4572	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	86
PID 3160 wrote to memory of 1788	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	88
PID 3160 wrote to memory of 1788	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	88
PID 3160 wrote to memory of 4532	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	91
PID 3160 wrote to memory of 4532	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	91
PID 3160 wrote to memory of 4844	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	93
PID 3160 wrote to memory of 4844	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	93
PID 3160 wrote to memory of 4344	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	95
PID 3160 wrote to memory of 4344	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	95
PID 4344 wrote to memory of 4888	4344	cmd.exe	97
PID 4344 wrote to memory of 4888	4344	cmd.exe	97
PID 3160 wrote to memory of 5020	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	101
PID 3160 wrote to memory of 5020	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	101
PID 3160 wrote to memory of 1656	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	103
PID 3160 wrote to memory of 1656	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	103
PID 3160 wrote to memory of 5024	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	105
PID 3160 wrote to memory of 5024	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	105
PID 3160 wrote to memory of 4668	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	107
PID 3160 wrote to memory of 4668	3160	Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe	107

C:\Users\Admin\AppData\Local\Temp\Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe
"C:\Users\Admin\AppData\Local\Temp\Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe
  "C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe" /app "C:\Users\Admin\AppData\Local\MobiGame\\"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\utils\sysinfo-app.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\utils\sysinfo-app.exe
      C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\utils\sysinfo-app.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_OptionalFeature | Where-Object {('HypervisorPlatform','VirtualMachinePlatform','Microsoft-Hyper-V-All','Microsoft-Hyper-V-Hypervisor','Microsoft-Hyper-V-Services') -like $_.Name}).InstallState
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4668

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d62a8b4882bcae55db635f5173a97d9

SHA1
c780200e6e77abadbf872d9493d362ad1ff9342a

SHA256
03a9c1ee1610ac667757db120dfb496c1dfe93fb3fe6e25a3805092d19c3349e

SHA512
bf3b4cfec8ecf7010ff261bc5eb5d1ab27be5f4cafd73e9fcf6b65dfb340afb27ff77dd26ddb94f7183cd69ac43281bbb3a4afef34ccc306fdd0ca1950fd61eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3f81481f0251165ee8051799d5487156

SHA1
dadc07e6eff95dd6fde0f3fb3eca0a4aa1941434

SHA256
020c968aedf44573c2dc9945010abb1109638dffdd9a627c503321068b79d845

SHA512
c93f39f6f41ad4256c1c6e6fb5afd4a44477372c8459d369ef962b42ddcfb3b7c84ac8b93f128fac8e9e8405c84c62c8891ca05ce97a84a0e6a411fe50371efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
740951544b69d9a5a00aa693bf1e2d73

SHA1
c46fdae6979a08b5e9db05046686f0d1edf38caa

SHA256
dd63d617a9607de67ecf702ea93f02e805d11eafbd2c6e9f705c620b1e685a22

SHA512
e5fbfb1346aa56c358b6970e0caddb424ef416daba7ed3a2014dc18dabd2d0d5ec42f4a10518ca1453e7dc4da1893ee23b0cd18d4e91887637ce5ae9577db398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87bf244d3636652281006be8d281b2ed

SHA1
184fd51664636e60548c4ab016754a4d106d161f

SHA256
4acb531e2884689a40e8963616433675382e830ac570792120ce1b304d80ebce

SHA512
79c7c34856b3dc76960e72e16149a1067cefff23c06982959f2bcb5b89b588694f51b6198d0f4e16acaa2eabdf0c5379e14bf999921320cfe7efa92f889b6692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
926472175b1af33de17f4f6afa3ba767

SHA1
141ecc81f556e6269583e9dc8d9f81f451840582

SHA256
65921cbd5247f6497ed79210740ff078aa680767e5ee466b3f44e846f8b1b0a2

SHA512
2c76e44f328a2c2d876713c68af66648d0c8d7ed3eb7b23fee24796919eed7cfc4c467310291ffe16fe545cdcd29d816037a0db582e98d183567c64d6e3da18d

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\hwid.dat

Filesize
32B

MD5
156542647931f8e946679018f8930937

SHA1
8401f8923fd2c67eb062c87af54f927b767439f4

SHA256
cd84154cb8cc4505b083002904fc849d1dd04c9ad0827328c01ff9317f740869

SHA512
3014b40e02bdb868f8f63cbf2ff46de092dff95336753997a1f8121c6c8b59dfc091d84e858ca32274d1139495751c41338fe0c4f5163fbdec2f6c046bef7fb4

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\installid.dat

Filesize
32B

MD5
1959ab7f0f5e8733574c9945fab96307

SHA1
897900885f0b9f48a9019adf74eef396f926b590

SHA256
84a22ffa879e3ff4672b3abc2f1869eeb378918d8c10a411a5b14c7bbb81717e

SHA512
481a68f1bb6b8c0d2c1da20f2473471226173a5176a77eab71c201b8cc85dcc91461f3cb8656630ee82264caa64c7bdbd4b2047350ead37a0e9cb1859eb58d03

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\logs\downloader.log

Filesize
4KB

MD5
07a3cd877b0dc6b983313ff2c7685de6

SHA1
43dad84d546b3db60017119b8a02bb5ca52d0c94

SHA256
f8c31daa537840815aae072885b50251084645599c9d9ab1b0dafebaf4a87ec0

SHA512
7ab624493c21db82fb1dfa9822b647181f6b95a0e618a013ba006f2c163b58f6fc0a2a24385cb4f799cfd97289a95ff2e03a35356073a83aa6ad6e894baef155

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\logs\downloader.log

Filesize
3KB

MD5
4e960ef40058d49f2cb12e1f51979ccf

SHA1
8de29157a8aa50f68e3c39a6b4d395e4c0ee1d11

SHA256
de95bd43662c24c92eba591614c523fdff52d81c3cc768704ded4f0b0bc6b664

SHA512
c49e6e8fcdbed731f9622ca8613d6f267cd7bae7d49e6b2ac049a14b1ccc00ebcdd1ba4a2f3ccd9ee170b2642b0a5d9e5e5193c510ae64499718ec3b2b3298ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bx5y2vnm.0pj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe

Filesize
1.0MB

MD5
8afdf50f0097e7fc7254c83b2b2bf097

SHA1
771f30d91517ce306e93b548f31bd595139255a8

SHA256
1c96bab3b22b9e52736982b58ff5d75eb22293aa184024ad29c4f722bf1420f3

SHA512
51e70ae50cc46be7670ce73c559ffa11f6cc324a0256b44f394c789b5e7fd78089b934f7a91b06d5ceba55caede217a87296bbdb0ba17e48e59dad8ca33a5e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\Intersection-Controller_se.shadowtree.software.trafficbuilder_gameslolc_27243466.exe.config

Filesize
3KB

MD5
6517457e21bed85a6e41e8b84942c8dc

SHA1
45451a32d6246265c94660030642137ff0ac4629

SHA256
3148b743bb5599ee95ff171d8ed7f66c48979d5993a328f9e9291c1443e0fd28

SHA512
e694240d22e240f3b4ba78a2d0e38b353ce1f5ea348d46e688cb60166cdd91083b5069d1cbc79f94cfbf322edbdeee3511eb9360c2a08c3002d1ca28175451a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\Microsoft.Deployment.WindowsInstaller.dll

Filesize
182KB

MD5
82eb1ccf28f3af897c2db27282b41156

SHA1
9f945d8b18ff0fbb5f013efe5e2ff33aef136104

SHA256
ced6cab3c04c08ce5705af0b6986965dbdbfda17cbd66c973bb371ed3b95f37a

SHA512
9458fabeae4dabf8109b9736496a01d9168312faec1c17d6eed89e8f09cbb8287d74ff758948cf07838720c11005e87a734e920be4ead275354f46a0a6176f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\MobiHelper.exe

Filesize
590KB

MD5
751672b3dc8e48b7632544b57e01a069

SHA1
a497158550201b67a8340756529c8909f13ddb5a

SHA256
acff977962ee68c47b786c28186b43b093ef41ec6ed617ee019f1227e17d8799

SHA512
96e0d9a1f15c55ab69b37ec095dda802a008c37c14a51bce6b5e04ca60d83e09bf9d69be604d0fd5f407471c959fafec0d8477856570fc8862a606a237baa97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\MobiHelper.exe.config

Filesize
1KB

MD5
4c77703bc70d087c272b1b4f8db55c4c

SHA1
3bbf0cc26c0b888aedefbfb077ca1e270d3c45c3

SHA256
dfddd98c2f704875c1b40cd1c81005faf10a442135c2c84b9ebef51f935d4b06

SHA512
bb0052a2c5904e503429017c506f03122c2f4b83d0609c1d40a153848d392303c1ec441338fcb18977e6f310f634abe0bd3ecbee03cd7e468795dd2cb75f8dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\Newtonsoft.Json.dll

Filesize
464KB

MD5
83222120c8095b8623fe827fb70faf6b

SHA1
9294136b07c36fab5523ef345fe05f03ea516b15

SHA256
eff79de319ca8941a2e62fb573230d82b79b80958e5a26ab1a4e87193eb13503

SHA512
3077e4ea7ebfd4d25b60b9727fbab183827aad5ba914e8cd3d9557fa3913fd82efe2cd20b1a193d8c7e1b81ee44f04dadfcb8f18507977c78dd5c8b071f8addb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\ResumeService.exe

Filesize
522KB

MD5
d293db543d714d4b6a959911f04982cc

SHA1
69c6d24cebec0d0f82b2006d9f9f9c3add831263

SHA256
dd31c28d11f79d4dd84c531b68fe52aa8f1076ef585bcf438d8976f8d3baf14d

SHA512
8abcf620c879092fcdc77b16877a9d7b50d9dd7b0e7a89187150bf03c1a7e05021cd30e30315d881ed5e819cb0d85050fdf294fa41bb8006c7cfe582fb68dc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\ResumeService.exe.config

Filesize
3KB

MD5
c0ecf23c7cf4e09c426ff35e83eb34b8

SHA1
6e42205b40fa610e3d3376cc21997745f448ced7

SHA256
61bcc5c65812305576bd37eb7237ac29f04f14cef3ab9b9e7e8f940d5522b393

SHA512
ce8ee53483211cc488df90f396fa33877866cdc862b343625c736cf676be37e95021e465d277aff503f01eee8e5883175ab6a74ba2317285e843f87285f9995d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\ServiceStack.Client.dll

Filesize
241KB

MD5
e7eeaacea4bb7ca8625dbc72f9c05177

SHA1
6e540e594d4e7fe1c55f2f9e406d3c0f6d02af9d

SHA256
67f5c0fedec2ca57fc1b3118bd772b987c01b573584c08c4264fc8030f0944f3

SHA512
9b45ab2f9b865da7775405eb05b805073f37590573c50b70644c6e694f2e6effa5c9b0cb15ce30b184f8afa71a382bc4bb9096599ccce8b68e130131da502c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\ServiceStack.Interfaces.dll

Filesize
169KB

MD5
bbaa88e5567a6b9c134f28262c54ca65

SHA1
5d59256abbc0226d4966cfa7f96511453736bb63

SHA256
2e2cf708db9d86b04c62a6273aa326225181fb739f6b950fbe2e1bd4905ecd0b

SHA512
eb714c554123a9405f1beb952e82f79b684995a4f567f3fb9bf934f51496eea0d325c791fddafc2105922ca51f93132db85ee8b555880ac04e0e039636c58779

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\ServiceStack.Text.dll

Filesize
540KB

MD5
01e10fdd82dff5e70eff077adc2a4528

SHA1
5bc845e65e732c4bbc246174eb18874140d26772

SHA256
57f75c075376c8977860c3bcb8d7d693289450a08b569159bf7ed1dc1824e1f1

SHA512
fe0f0e8c14d6a8318a1a4320e427375b309e2ab5f05286ecca7d7ce1c3047c75054cce2153233c07bf7a921d43fea3fc5093af928bb7b555de46dfa2adb55366

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\System.Memory.dll

Filesize
140KB

MD5
2bc5de386a4297144781d15b8e812b63

SHA1
ae6b19d49b413f1549b3540a9fbba00c1e8b3d27

SHA256
9c266080fb5f31e02a5005b91657093bd8c1faed23102e021a8be283c1753461

SHA512
e4d43c871af5c03392d2fb139fdf10c2f2da2f1d6fe0edd089e3e30369d6d350727b483c98868626f81d680400b44ee4d328e475b0017bfdeb38cdb44a8b4d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\System.Runtime.CompilerServices.Unsafe.dll

Filesize
23KB

MD5
a5aa80f49ad64689085755ab1ebf086e

SHA1
27e88cf0d2b34ea91efaa5cef9a763ee2722c824

SHA256
a79e1c30e9308afe4d680f0bfb82de3e8c1fe94aeca453ec4092c3ed4789ae6b

SHA512
f3dbd77e3a2ec3915b34d1387388abad45c99459ce03c06dc9a83d04f751b837c7b56cf9b4b7630f7fcd897a1d8057fce4cf761b1dc140a3928431b22b9b5b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\WixSharp.Msi.dll

Filesize
31KB

MD5
346d813cb3b38030edbe2342b21ecb0d

SHA1
578cc0f818bb3c414e5b806fe628a100f2eed63c

SHA256
4a807bec1041e2a900688f17d338a06b952a1a8e76b61f681454302753ab79ee

SHA512
72d6117ba66f1939fcb1f1bd89fe3a7cc5d93ae67ba7ed9927746a388eec4885986915372d5ff92176615f6e73e9ddcdff5e8feb30d2b0c17f8aaaab1e4f744a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\log4net-loggly.dll

Filesize
20KB

MD5
647ef1d7ccf030a09f17a54c5f40bbed

SHA1
08a71074606354e53a5c25aa9b084dfe9bef551f

SHA256
dc7ba0dcf33d3599c6d471cedb604e141d24a9aff9964225b8de1dfbb8a285db

SHA512
16d7dfc6033114c247c252f5463ab874418b609811ef31dd82365482487c6a8dcb2260f9b288fa883d3ba70c8b8836bb9e38d5bc24303db71fdcac8778b769fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\log4net.dll

Filesize
280KB

MD5
7c11f28d40f846515c132c5e358913bb

SHA1
fe7d3cd47352835016ffe5be86185165c4a09f69

SHA256
8cdae744cb81a397c61f9311e1bd089206783b8b173d6e8216005b84662fda1e

SHA512
12acfc71df4e7d24fe0ac9de97d21dcd651480fd0c9e46035cd3a2f3fe1ee6833fc9679cda0b07ffa33bb6ff0a97b6d28f3fa161747990b18cea73c22bf124c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_5C444366\utils\sysinfo-app.exe

Filesize
234KB

MD5
2b30334153d41d8c762207309be73d92

SHA1
a54f5fa79252b1b9968f6e1a44fde7f007a12548

SHA256
9b4eee17b496a35e88b5f1631ba21c2bee262b3c6da0024c18e3d1b7996b3484

SHA512
cc9972e8f8952bef7364b00d269848a918c47bd4fb66cb0fbc97ea7c74dab467ca7fa694c79a3d07cff45869fe9bd6643a3291b4fd83c53c544320470ab78aeb

Download Submit
memory/1656-282-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/1656-283-0x000002B1F7630000-0x000002B1F7640000-memory.dmp

Filesize
64KB

Download
memory/1656-284-0x000002B1F7630000-0x000002B1F7640000-memory.dmp

Filesize
64KB

Download
memory/1656-286-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/1788-77-0x000002861B660000-0x000002861B670000-memory.dmp

Filesize
64KB

Download
memory/1788-79-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/1788-72-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/1788-67-0x000002861B6A0000-0x000002861B6C2000-memory.dmp

Filesize
136KB

Download
memory/1788-73-0x000002861B660000-0x000002861B670000-memory.dmp

Filesize
64KB

Download
memory/1788-74-0x000002861B660000-0x000002861B670000-memory.dmp

Filesize
64KB

Download
memory/1788-76-0x000002861B940000-0x000002861B964000-memory.dmp

Filesize
144KB

Download
memory/1788-75-0x000002861B940000-0x000002861B96A000-memory.dmp

Filesize
168KB

Download
memory/3160-229-0x000001CDE7E40000-0x000001CDE7E48000-memory.dmp

Filesize
32KB

Download
memory/3160-341-0x000001CDE7DF0000-0x000001CDE7E00000-memory.dmp

Filesize
64KB

Download
memory/3160-408-0x000001CDE7DF0000-0x000001CDE7E00000-memory.dmp

Filesize
64KB

Download
memory/3160-407-0x000001CDE7DF0000-0x000001CDE7E00000-memory.dmp

Filesize
64KB

Download
memory/3160-406-0x000001CDE7DF0000-0x000001CDE7E00000-memory.dmp

Filesize
64KB

Download
memory/3160-405-0x000001CDE7DF0000-0x000001CDE7E00000-memory.dmp

Filesize
64KB

Download
memory/3160-200-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/3160-396-0x000001CDE7DF0000-0x000001CDE7E00000-memory.dmp

Filesize
64KB

Download
memory/3160-44-0x000001CDCD7F0000-0x000001CDCD8F6000-memory.dmp

Filesize
1.0MB

Download
memory/3160-349-0x000001CDE7DF0000-0x000001CDE7E00000-memory.dmp

Filesize
64KB

Download
memory/3160-346-0x000001CDEBEB0000-0x000001CDEBEFA000-memory.dmp

Filesize
296KB

Download
memory/3160-209-0x000001CDE7DF0000-0x000001CDE7E00000-memory.dmp

Filesize
64KB

Download
memory/3160-342-0x000001CDE7DF0000-0x000001CDE7E00000-memory.dmp

Filesize
64KB

Download
memory/3160-52-0x000001CDCF5C0000-0x000001CDCF5CC000-memory.dmp

Filesize
48KB

Download
memory/3160-225-0x000001CDE7DB0000-0x000001CDE7DBA000-memory.dmp

Filesize
40KB

Download
memory/3160-47-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/3160-227-0x000001CDE7E30000-0x000001CDE7E38000-memory.dmp

Filesize
32KB

Download
memory/3160-228-0x000001CDE93B0000-0x000001CDE93B8000-memory.dmp

Filesize
32KB

Download
memory/3160-46-0x000001CDE7D00000-0x000001CDE7D4A000-memory.dmp

Filesize
296KB

Download
memory/3160-230-0x000001CDE93C0000-0x000001CDE93C8000-memory.dmp

Filesize
32KB

Download
memory/3160-152-0x000001CDE7DC0000-0x000001CDE7DE6000-memory.dmp

Filesize
152KB

Download
memory/3160-48-0x000001CDE7DF0000-0x000001CDE7E00000-memory.dmp

Filesize
64KB

Download
memory/3160-149-0x000001CDE7E00000-0x000001CDE7E30000-memory.dmp

Filesize
192KB

Download
memory/3160-50-0x000001CDE9010000-0x000001CDE909E000-memory.dmp

Filesize
568KB

Download
memory/3160-147-0x000001CDE93E0000-0x000001CDE9422000-memory.dmp

Filesize
264KB

Download
memory/3160-55-0x000001CDE90A0000-0x000001CDE911A000-memory.dmp

Filesize
488KB

Download
memory/4532-136-0x000002AFF0D60000-0x000002AFF0D70000-memory.dmp

Filesize
64KB

Download
memory/4532-125-0x000002AFF0D60000-0x000002AFF0D70000-memory.dmp

Filesize
64KB

Download
memory/4532-138-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/4532-124-0x000002AFF0D60000-0x000002AFF0D70000-memory.dmp

Filesize
64KB

Download
memory/4532-123-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/4668-384-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/4668-398-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/4668-385-0x000001B4D0AC0000-0x000001B4D0AD0000-memory.dmp

Filesize
64KB

Download
memory/4844-153-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/4844-155-0x000002276B2E0000-0x000002276B2F0000-memory.dmp

Filesize
64KB

Download
memory/4844-166-0x000002276B2E0000-0x000002276B2F0000-memory.dmp

Filesize
64KB

Download
memory/4844-168-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/4844-154-0x000002276B2E0000-0x000002276B2F0000-memory.dmp

Filesize
64KB

Download
memory/5020-210-0x0000022B8EFE0000-0x0000022B8EFF0000-memory.dmp

Filesize
64KB

Download
memory/5020-207-0x0000022B8EFE0000-0x0000022B8EFF0000-memory.dmp

Filesize
64KB

Download
memory/5020-206-0x0000022B8EFE0000-0x0000022B8EFF0000-memory.dmp

Filesize
64KB

Download
memory/5020-205-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/5020-212-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/5024-377-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download
memory/5024-374-0x0000019221050000-0x0000019221060000-memory.dmp

Filesize
64KB

Download
memory/5024-373-0x0000019221050000-0x0000019221060000-memory.dmp

Filesize
64KB

Download
memory/5024-372-0x00007FFA90480000-0x00007FFA90F41000-memory.dmp

Filesize
10.8MB

Download