600caf0bcdd14053ae181c7e5173a73cba7074c9bac5e874a1e75307f420e78d

Resubmissions

06/08/2024, 13:35

240806-qv7dhsvara 3

05/08/2024, 06:30

240805-g9txasyfnr 7

Analysis

max time kernel
449s
max time network
431s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HerGame-1.0-pc.zip
Size

97.0MB
MD5

9b7ca19023720af0b38014ce6357650e
SHA1

8de7460d39d67a83e85e22cd926f0522c2cc2388
SHA256

600caf0bcdd14053ae181c7e5173a73cba7074c9bac5e874a1e75307f420e78d
SHA512

c9cc06f1e08c0b6686a6c67c084afc26951e602b7a058eea687f758f6918a79586431a4a80613ff7bcabffb5fa9c44a2c9a87c392daa2888746587c35d60c04e
SSDEEP

3145728:lhJVByKZqXy9GANbwm4AipkwWCNuIT4d1NJ:lHbyKUXpA5q3juQCn

Score

7^/10

discovery execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	HerGame.exe

Executes dropped EXE 4 IoCs

pid	Process
4368	HerGame.exe
4648	HerGame.exe
5696	MSIDB0E.tmp
544	HerGame.exe

Loads dropped DLL 28 IoCs

pid	Process
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
5596	MsiExec.exe
5596	MsiExec.exe
5596	MsiExec.exe
5596	MsiExec.exe
544	HerGame.exe
544	HerGame.exe
544	HerGame.exe
5596	MsiExec.exe
544	HerGame.exe
544	HerGame.exe
544	HerGame.exe
544	HerGame.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	HerGame.exe
File opened (read-only)	\??\J:	HerGame.exe
File opened (read-only)	\??\U:	HerGame.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	HerGame.exe
File opened (read-only)	\??\I:	HerGame.exe
File opened (read-only)	\??\L:	HerGame.exe
File opened (read-only)	\??\R:	HerGame.exe
File opened (read-only)	\??\W:	HerGame.exe
File opened (read-only)	\??\L:	HerGame.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	HerGame.exe
File opened (read-only)	\??\R:	HerGame.exe
File opened (read-only)	\??\X:	HerGame.exe
File opened (read-only)	\??\B:	HerGame.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	HerGame.exe
File opened (read-only)	\??\W:	HerGame.exe
File opened (read-only)	\??\Y:	HerGame.exe
File opened (read-only)	\??\J:	HerGame.exe
File opened (read-only)	\??\M:	HerGame.exe
File opened (read-only)	\??\N:	HerGame.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	HerGame.exe
File opened (read-only)	\??\E:	HerGame.exe
File opened (read-only)	\??\H:	HerGame.exe
File opened (read-only)	\??\P:	HerGame.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	HerGame.exe
File opened (read-only)	\??\O:	HerGame.exe
File opened (read-only)	\??\S:	HerGame.exe
File opened (read-only)	\??\X:	HerGame.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	HerGame.exe
File opened (read-only)	\??\Z:	HerGame.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	HerGame.exe
File opened (read-only)	\??\U:	HerGame.exe
File opened (read-only)	\??\O:	HerGame.exe
File opened (read-only)	\??\Q:	HerGame.exe
File opened (read-only)	\??\M:	HerGame.exe
File opened (read-only)	\??\A:	HerGame.exe
File opened (read-only)	\??\G:	HerGame.exe
File opened (read-only)	\??\K:	HerGame.exe
File opened (read-only)	\??\S:	HerGame.exe
File opened (read-only)	\??\P:	HerGame.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	HerGame.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	HerGame.exe
File opened (read-only)	\??\T:	HerGame.exe
File opened (read-only)	\??\V:	HerGame.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\future\backports\email\policy.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\future\moves\urllib\robotparser.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\game\images\map_marked.png	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\common\00nvl_mode.rpyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\game\gui\phone\slider\horizontal_idle_bar.png	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\future\moves\itertools.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\common\00keymap.rpy	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\common\00sideimage.rpyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\display\motion.py	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\__pycache__\loader.cpython-39.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\game\images\player_slave.png	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\email\mime\nonmultipart.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\future\backports\socketserver.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\display\dragdrop.py	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\future\builtins\newnext.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\websockets\frames.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\text\__pycache__\extras.cpython-39.pyc.64206720	HerGame.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\fnmatch.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\certifi\core.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\encodings\iso8859_8.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\http\cookiejar.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\game\gui\scrollbar\vertical_hover_bar.png	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\common\00accessibility.rpyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\__pycache__\parameter.cpython-39.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\encodings\mac_croatian.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\_strptime.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\sl2\slparser.py	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\translation\__pycache__\dialogue.cpython-39.pyc.63867616	HerGame.exe
File created	C:\Program Files (x86)\Her Game\HerGame\game\tl\None\common.rpym	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\asyncio\base_events.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\binhex.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\display\__pycache__\transition.cpython-39.pyc.65759248	HerGame.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\asyncio\constants.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\idna\intranges.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\rsa\asn1.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\translation\merge.py	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\encodings\cp932.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\encodings\koi8_u.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\future\backports\email\headerregistry.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\common\00mixers.rpyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\savetoken.py	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\game\gui\phone\scrollbar\vertical_idle_bar.png	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\collections\__init__.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\__pycache__\scriptedit.cpython-39.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\opcode.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\gl2\__pycache__\__init__.cpython-39.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\future\moves\tkinter\filedialog.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\sysconfig.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\websockets\__init__.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\common\_layout\classic_preferences.rpym	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\game\gui\phone\button\slot_idle_background.png	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\chardet\mbcssm.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\common\_layout\imagemap_load_save.rpym	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\__pycache__\atl.cpython-39.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\base64.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\future\moves\reprlib.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\common\_developer\inspector.rpymc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\game\gui\overlay\game_menu.png	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\tabnanny.pyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\common\00achievement.rpy	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\renpy\common\00console.rpyc	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\game\gui.rpy	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\game\gui\bar\left.png	msiexec.exe
File created	C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\ctypes\test\test_anon.pyc	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIACE8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB054.tmp	msiexec.exe
File created	C:\Windows\Installer\e58ab31.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58ab2f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABEB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACB7.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACC7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5581DE80-67CA-42F6-A703-ED5A36CF7411}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB0E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDED8.tmp	msiexec.exe
File created	C:\Windows\Installer\e58ab2f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\{5581DE80-67CA-42F6-A703-ED5A36CF7411}\icon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{5581DE80-67CA-42F6-A703-ED5A36CF7411}\icon.exe	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4416	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIDB0E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HerGame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HerGame.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
4648	HerGame.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	HerGame.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	HerGame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	HerGame.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000532ba7f3274a467a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000532ba7f30000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900532ba7f3000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d532ba7f3000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000532ba7f300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	HerGame.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\SourceList\Net\1 = "C:\\Users\\Admin\\Desktop\\HerGame-1.0-pc\\renpy\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\PackageCode = "20D5BD58DD4080640A94B41B979F9209"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CBFCB93A836FFC44EADC08BBA4701630\08ED1855AC766F247A30DEA563FC4711	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\08ED1855AC766F247A30DEA563FC4711	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\08ED1855AC766F247A30DEA563FC4711\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CBFCB93A836FFC44EADC08BBA4701630	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\SourceList\PackageName = "memory.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\ProductName = "HerGame"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\ProductIcon = "C:\\Windows\\Installer\\{5581DE80-67CA-42F6-A703-ED5A36CF7411}\\icon.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08ED1855AC766F247A30DEA563FC4711\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Desktop\\HerGame-1.0-pc\\renpy\\"	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 5c000000010000000400000000100000040000000100000010000000866912c070f1ecacacc2d5bca55ba129030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb1d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a140000000100000014000000dd040907a2f57a7d5253129295ee3880250da65962000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b6909000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900200052005300410000000f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e72190000000100000010000000787d09f953c59978ecd8d6e44b38e24f2000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9	HerGame.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB	HerGame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 0f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e720b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69140000000100000014000000dd040907a2f57a7d5253129295ee3880250da6591d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb2000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9	HerGame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 040000000100000010000000866912c070f1ecacacc2d5bca55ba129030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb1d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a140000000100000014000000dd040907a2f57a7d5253129295ee3880250da65962000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b6909000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900200052005300410000000f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e722000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9	HerGame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 190000000100000010000000787d09f953c59978ecd8d6e44b38e24f0f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e720b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69140000000100000014000000dd040907a2f57a7d5253129295ee3880250da6591d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb040000000100000010000000866912c070f1ecacacc2d5bca55ba1292000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9	HerGame.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5080	msiexec.exe
5080	msiexec.exe
5696	MSIDB0E.tmp
5696	MSIDB0E.tmp
4416	powershell.exe
4416	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2352	7zG.exe
Token: 35	2352	7zG.exe
Token: SeSecurityPrivilege	2352	7zG.exe
Token: SeSecurityPrivilege	2352	7zG.exe
Token: SeSecurityPrivilege	5080	msiexec.exe
Token: SeCreateTokenPrivilege	4368	HerGame.exe
Token: SeAssignPrimaryTokenPrivilege	4368	HerGame.exe
Token: SeLockMemoryPrivilege	4368	HerGame.exe
Token: SeIncreaseQuotaPrivilege	4368	HerGame.exe
Token: SeMachineAccountPrivilege	4368	HerGame.exe
Token: SeTcbPrivilege	4368	HerGame.exe
Token: SeSecurityPrivilege	4368	HerGame.exe
Token: SeTakeOwnershipPrivilege	4368	HerGame.exe
Token: SeLoadDriverPrivilege	4368	HerGame.exe
Token: SeSystemProfilePrivilege	4368	HerGame.exe
Token: SeSystemtimePrivilege	4368	HerGame.exe
Token: SeProfSingleProcessPrivilege	4368	HerGame.exe
Token: SeIncBasePriorityPrivilege	4368	HerGame.exe
Token: SeCreatePagefilePrivilege	4368	HerGame.exe
Token: SeCreatePermanentPrivilege	4368	HerGame.exe
Token: SeBackupPrivilege	4368	HerGame.exe
Token: SeRestorePrivilege	4368	HerGame.exe
Token: SeShutdownPrivilege	4368	HerGame.exe
Token: SeDebugPrivilege	4368	HerGame.exe
Token: SeAuditPrivilege	4368	HerGame.exe
Token: SeSystemEnvironmentPrivilege	4368	HerGame.exe
Token: SeChangeNotifyPrivilege	4368	HerGame.exe
Token: SeRemoteShutdownPrivilege	4368	HerGame.exe
Token: SeUndockPrivilege	4368	HerGame.exe
Token: SeSyncAgentPrivilege	4368	HerGame.exe
Token: SeEnableDelegationPrivilege	4368	HerGame.exe
Token: SeManageVolumePrivilege	4368	HerGame.exe
Token: SeImpersonatePrivilege	4368	HerGame.exe
Token: SeCreateGlobalPrivilege	4368	HerGame.exe
Token: SeCreateTokenPrivilege	4368	HerGame.exe
Token: SeAssignPrimaryTokenPrivilege	4368	HerGame.exe
Token: SeLockMemoryPrivilege	4368	HerGame.exe
Token: SeIncreaseQuotaPrivilege	4368	HerGame.exe
Token: SeMachineAccountPrivilege	4368	HerGame.exe
Token: SeTcbPrivilege	4368	HerGame.exe
Token: SeSecurityPrivilege	4368	HerGame.exe
Token: SeTakeOwnershipPrivilege	4368	HerGame.exe
Token: SeLoadDriverPrivilege	4368	HerGame.exe
Token: SeSystemProfilePrivilege	4368	HerGame.exe
Token: SeSystemtimePrivilege	4368	HerGame.exe
Token: SeProfSingleProcessPrivilege	4368	HerGame.exe
Token: SeIncBasePriorityPrivilege	4368	HerGame.exe
Token: SeCreatePagefilePrivilege	4368	HerGame.exe
Token: SeCreatePermanentPrivilege	4368	HerGame.exe
Token: SeBackupPrivilege	4368	HerGame.exe
Token: SeRestorePrivilege	4368	HerGame.exe
Token: SeShutdownPrivilege	4368	HerGame.exe
Token: SeDebugPrivilege	4368	HerGame.exe
Token: SeAuditPrivilege	4368	HerGame.exe
Token: SeSystemEnvironmentPrivilege	4368	HerGame.exe
Token: SeChangeNotifyPrivilege	4368	HerGame.exe
Token: SeRemoteShutdownPrivilege	4368	HerGame.exe
Token: SeUndockPrivilege	4368	HerGame.exe
Token: SeSyncAgentPrivilege	4368	HerGame.exe
Token: SeEnableDelegationPrivilege	4368	HerGame.exe
Token: SeManageVolumePrivilege	4368	HerGame.exe
Token: SeImpersonatePrivilege	4368	HerGame.exe
Token: SeCreateGlobalPrivilege	4368	HerGame.exe
Token: SeCreateTokenPrivilege	4368	HerGame.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2352	7zG.exe
4368	HerGame.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
544	HerGame.exe
544	HerGame.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 2280	5080	msiexec.exe	99
PID 5080 wrote to memory of 2280	5080	msiexec.exe	99
PID 5080 wrote to memory of 2280	5080	msiexec.exe	99
PID 4368 wrote to memory of 4648	4368	HerGame.exe	100
PID 4368 wrote to memory of 4648	4368	HerGame.exe	100
PID 4368 wrote to memory of 4648	4368	HerGame.exe	100
PID 5080 wrote to memory of 5548	5080	msiexec.exe	104
PID 5080 wrote to memory of 5548	5080	msiexec.exe	104
PID 5080 wrote to memory of 5596	5080	msiexec.exe	106
PID 5080 wrote to memory of 5596	5080	msiexec.exe	106
PID 5080 wrote to memory of 5596	5080	msiexec.exe	106
PID 5080 wrote to memory of 5696	5080	msiexec.exe	107
PID 5080 wrote to memory of 5696	5080	msiexec.exe	107
PID 5080 wrote to memory of 5696	5080	msiexec.exe	107
PID 544 wrote to memory of 6076	544	HerGame.exe	110
PID 544 wrote to memory of 6076	544	HerGame.exe	110
PID 544 wrote to memory of 4036	544	HerGame.exe	112
PID 544 wrote to memory of 4036	544	HerGame.exe	112
PID 5596 wrote to memory of 4416	5596	MsiExec.exe	114
PID 5596 wrote to memory of 4416	5596	MsiExec.exe	114
PID 5596 wrote to memory of 4416	5596	MsiExec.exe	114
PID 544 wrote to memory of 4624	544	HerGame.exe	116
PID 544 wrote to memory of 4624	544	HerGame.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\HerGame-1.0-pc.zip
1⤵
PID:2924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4436

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\HerGame-1.0-pc\" -spe -an -ai#7zMap23521:86:7zEvent29116
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2352

C:\Users\Admin\Desktop\HerGame-1.0-pc\HerGame.exe
"C:\Users\Admin\Desktop\HerGame-1.0-pc\HerGame.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\Desktop\HerGame-1.0-pc\HerGame.exe
  "C:\Users\Admin\Desktop\HerGame-1.0-pc\HerGame.exe" /i C:\Users\Admin\Desktop\HerGame-1.0-pc\renpy\memory.msi AI_EUIMSI=1 TARGETDIR="F:\" APPDIR="C:\Program Files (x86)\Her Game\HerGame" AppsShutdownOption="All" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\Desktop\HerGame-1.0-pc\HerGame.exe" AI_SETUPEXEPATH="C:\Users\Admin\Desktop\HerGame-1.0-pc\HerGame.exe" AI_INSTALL="1" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HerGame" SECONDSEQUENCE="1" CLIENTPROCESSID="4368" CHAINERUIPROCESSID="4368Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" AI_INSTALLPERUSER="0" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_DETECTED_DOTNET_VERSION="4.8" AI_DETECTED_ADMIN_USER="1" AI_DETECTED_INTERNET_CONNECTION="1" SETUPEXEDIR="C:\Users\Admin\Desktop\HerGame-1.0-pc\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1722598895 "
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - System Time Discovery
  PID:4648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6CF820CA08FAED053321984959EAEA4F C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2280
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5548
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3E66DD11685BB0566EB638E2C9834570
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssE84B.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiE848.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrE849.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrE84A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4416
- C:\Windows\Installer\MSIDB0E.tmp
  "C:\Windows\Installer\MSIDB0E.tmp" "C:\Program Files (x86)\Her Game\HerGame\HerGame.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5136

C:\Program Files (x86)\Her Game\HerGame\HerGame.exe
"C:\Program Files (x86)\Her Game\HerGame\HerGame.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "ver"
  2⤵
  PID:6076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "ver"
  2⤵
  PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "ver"
  2⤵
  PID:4624

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c0 0x478
1⤵
PID:5256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58ab30.rbs

Filesize
139KB

MD5
98eb3594757b0ac52e71747d8b94917e

SHA1
105ca9c09bf866bde32bb4a9c917ffdb87210c2e

SHA256
8b0be8a53cbdcb03f047f583554f9a4369b685cda599d4118f37fadc67d8b2e1

SHA512
ea8b13c18ebb745b588f8bd3ef5115b10b79f009848210d508eede83538f58ac09269a4ae895169dc0c4f77db0f621f7aed1f4e0d816f3057d2c62934db9bb6b

Download Submit
C:\Program Files (x86)\Her Game\HerGame\HerGame.exe

Filesize
102KB

MD5
84a05797b7a7f1070b33467df0fc8cc7

SHA1
a55bc78a702168e220264c0e07474ad97ff980c0

SHA256
eccc994dcea470fe4a4b606f93cba2a4467240d377e07748218a1abb7085909e

SHA512
48c2555e1296f29e1f36380c892536ad59ebbe407d8e482ce981980a7cf4f04be07fa0d1cba17c51f8d5e1d9de9d4443e2c9c9e185dda2500fe65c88aaeab6d9

Download Submit
C:\Program Files (x86)\Her Game\HerGame\HerGame.py

Filesize
8KB

MD5
802e9dc460788d791f26a928765d879a

SHA1
4018620d40e8ec4f2ac3942f1d01dc3969853b0e

SHA256
5b6b977565179d1f2b49ea3dc6e5433121f72be8e35202e8c80d68455532d7f9

SHA512
03abfb71a3e670977c0da587aa04b53b422750f8c94bb45988e06f51a291a19921a8fb93bf013ef1910e756fea223363de9e8bd000408f44ff4971d54c885ee8

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\bar\bottom.png

Filesize
426B

MD5
711d3cc42be46f5b77e825fbe22bb61a

SHA1
f3e083ab13d847bf640eda4e3b7a2254964229a1

SHA256
12f872cfcd939a54f6d408998f4d7eee96543f0e98cc094de571022c4dbabbf4

SHA512
4738b82d3d1f1e00ebbc8a9383bd8563593a2a852bbebc97761516298b12a2a64af149e4e85367c95051ea8eb5c77c7e783c1213f7135a5c4390b99a3aa82a4c

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\bar\left.png

Filesize
291B

MD5
679299310a1d1774825facbb53e96f8a

SHA1
7c2447161bb36c747e87bb885c9af31293d8dbae

SHA256
fd9793094ed96932cd7ea7fd8f04cfbc6470cc24f093ff137c48b5011ac5c9d2

SHA512
555da836f29899d73759d542aa4d1fb10259a4f03a216a998985eb763bbfa741399cfabf9de4df53cd6a6b37b3c6e1d33cf25c05d3227823029152040e49ad6b

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\button\check_foreground.png

Filesize
91B

MD5
68e4eec1c39120b26ba4d2977936fb14

SHA1
bd4b5dae0f9841b96c8303362267d32889f8d30e

SHA256
2b6955a6300da5ec2876199ff0a150b769e0cf24eee79ffe31167871e350e868

SHA512
5d11b1d50ffb958fab291e3caddb279eed0952c8597e2c4454de71f8d0941bd9c9f39592dde9c8b572b3efdd1c38641886dbe5de2c1f090cf768e51daf900c7c

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\button\check_selected_foreground.png

Filesize
126B

MD5
8220a260ff57f3b64cecc0da6d19c9b7

SHA1
f859b97f40132d1154c6c31be6fdc58737cd6955

SHA256
c484fe904787950cb4323f9d4b018cbecbd3172eed69bb648555348a6099df2a

SHA512
387803ec1a9a8889b1089e0be1bd8e96c3156ddedb396d08f7c3b0c259b16482d3bb4612d2085b5499503ec1fa34ef9e241a4c46a11362239053cfeaaa8a291f

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\button\choice_hover_background.png

Filesize
916B

MD5
a6a385c499b35ea36c84c1da4d7ae0ca

SHA1
438f90c55350e9b87e1203270217282d37cbbdd3

SHA256
189b612dbcba1a29fed2969c137d97392ac90e3641e765b62b83c533720e3fba

SHA512
84ff68e40baea36c47597d1e5638dc8ceac0c418be07edc4d5e939decc3af934adaac17fca2681ab3572e51e890a56e6b9d985d483508322981a606775ae0883

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\button\choice_idle_background.png

Filesize
841B

MD5
5296c31e005a38581227e23b7ef93dc2

SHA1
25324efec39b3d51f6f16ea53c4fea0c2bb3f234

SHA256
cc9f3e64b4f7a41e1c229c158b0468b72ab3016029f5c3da448261d0be827317

SHA512
a639ad24ca5497f068de5d2245337f8e91a54217ef2fdb7315df26f10337252ed534568e40a9234fce10c3235da980de2de2fc3bc304b293686081036cc4ed22

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\button\hover_background.png

Filesize
253B

MD5
a33a2df278ca66c3d4430e97138cd3b3

SHA1
7cf6d3b7da08d0aea0c7444dc65e5f0b49b1c728

SHA256
487243bf807815ddf783f7289369c06cd910f5db48e6405cd5de8d97dcd1298c

SHA512
8b5597566ca9d23f397d0d2b4de664b3c4e8d4820d2698d384fd9b5c25f88bcdc8c19fccb7e894e69691235e4b9467e87adf2cef103d4a3ea49f92d681d998ce

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\button\quick_hover_background.png

Filesize
133B

MD5
ed0f993cffc834b160dd151cad04aac9

SHA1
290008c415a82da05d4509a1f18f6d872ee7ac68

SHA256
a797767c0ab31b5eec7ec553ad3924776d078fbee432a4623f638cf047db0b9f

SHA512
5f6b40dfbe663ddc787a6588051b1a8e61987bfbb8daa933c442e151f3cccd8bfe030fe7977319b61f628d90b78b627d54f12055f411b2201c28e51b8c3de458

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\button\slot_hover_background.png

Filesize
1KB

MD5
af2b1ed9b27774d5f00df0b044d82fb0

SHA1
705cba669dac3f7561c0e597d0224dc2cd2b7a1c

SHA256
4b0671562f0a227a5cd496c6d8f4b75990b66bced094af0063131fb7e019b15d

SHA512
a2e80e94d6310b97219b8dabb0b92500aba483b40a79ac37b6cc9b27214d723f3d1244d961022d2b877aafbdca6f934483ec54e5f148b4a448c789733aa2fffc

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\button\slot_idle_background.png

Filesize
1KB

MD5
f1a5c9a8d4ba6e359d98783f84d0a64f

SHA1
77570557c2c5ccd760e7d4d4832a72a490b9df2d

SHA256
b6714f7cde16c7f264cfec9383f20a8682b7d70736e4e760f6e750d209dc2d30

SHA512
61b6cef189893b3b397b01def30e8fe7471e3746152d3137b16133476c2db7f177dbee1ea0bff03426b86dd3fa7278ab6236544c011cfce50cf061e4c50cb964

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\phone\button\check_foreground.png

Filesize
94B

MD5
ab74e0a0c0c7a221fb6f04f9687d31ed

SHA1
7749697eb1ae50968cd3d2ce105e29c5a023be3c

SHA256
8885279a7923cdb095cc4ba299fe0be733ab2d44969c205b2d901a43cd9c03ed

SHA512
3bfb94e9d453a5b0d4fe762c414a9b2addd7464ab99f30728a38d81b7de4ff3d8f2c0342201b1cb34026cf347a2aa1d99aaf2f634d8d152727f2d8a3d07c13b9

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\phone\button\check_selected_foreground.png

Filesize
134B

MD5
5618b992247c58453dd8c516621f1b1a

SHA1
35960296a2092c1da37ec595197d4edb324896b4

SHA256
1c77dbe03a383c9e5d32f40de360970a39116fcec3e698d0dd3571c5eb9c0b7b

SHA512
07ee836dd5fef72928ea1c30c7413d593eefe4387713c1701e13fc925ebdf9bbd0236dd43238144ba39d5ace502775da760b95bae6f5c52d5607aa7d3dbccb5b

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\phone\button\hover_background.png

Filesize
306B

MD5
d09cfba721e0349f8dd8559454349cda

SHA1
5d4bec0dbaf9452e5392dd7ea64651084357f2dc

SHA256
df3dab82dfcbd4cfd0ee71b5fe6e075c2075d41d7c3e2343020292ab202617a0

SHA512
fc42ad5fda9051e75d7db145eacacf71b0c0432934cc2d04278971f1a1ae09975071208529adf72f00e88d385340b10ee642e03bfaf655a15e39fff0ddddcfad

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\phone\scrollbar\horizontal_hover_bar.png

Filesize
258B

MD5
f77196c36d04de0f0fe8a94a6875d30f

SHA1
0f7ddcba271346714387e9eb469b018baea7f69d

SHA256
42885f4104d3c72c4cfc32d3da196a62af6399085f6a13b95432eb5888d6a2a1

SHA512
4a0e9b8a9c68a8995ff61f596bfff9253c9125a57c988f0bf6db0781858c7a509543b31080c51ffb5d70b684b0ed5a09bf394db32ef11a29716f412a962a37ca

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\phone\scrollbar\horizontal_hover_thumb.png

Filesize
260B

MD5
e631e1c168ec073ad0ee260cc8191821

SHA1
808e1b9ac86f0f99b8a82d0697809c2c8b361bc5

SHA256
d3802abf212182b0b2f789c1891c75d2c748cfa34b9ca27b46937157058e5194

SHA512
851fc170790e3a457bb35e81c3c3ad07868fd5d4255ca1f508c65dd59ca549d972557c9328e463ba9c328091bf99d7568f0b20d75b6368921e60b614bd618751

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\phone\scrollbar\horizontal_idle_bar.png

Filesize
260B

MD5
440577166749804fe0bd875a077cb626

SHA1
8177b6dfb8c58c9e1b6f9005317156647a31496e

SHA256
113cbdf4a1e7f549459864e0229017c05be030c4ebea7a97d6945339702ec683

SHA512
c124c4e9eebe84f750949a7469cbc21eaed16d7692ba64a36f11fa65f59e06d0c7efbe66f9b4548fc2a2b170e5ba8479b4b08a4cf05c84c3fd17fa25ea2ad249

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\phone\scrollbar\horizontal_idle_thumb.png

Filesize
260B

MD5
b955c7ad138e7492f2f8d7ed2efb338b

SHA1
0e5fbb5e9d6e289f6205872c60fde908f6338055

SHA256
1ff25fecbdec7e464fbb6b1ffa4db90f71e381da9265b46ca6d0e1a641fb5525

SHA512
c3cc8e9b698316d7c7ee7c29bcb7969701af2428a94ae80379b737491731230b6a3506cb8536f1380218d7821f6339ca4582ebc4e32ca1d19e23220315ec1192

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\phone\scrollbar\vertical_hover_bar.png

Filesize
381B

MD5
7e07d1116ae66f40aeab5e80fa7c067a

SHA1
690cffa62be8d1e84e02be1d4a8689469fea0b20

SHA256
e05433b118b222077a4f02aedc88b56abaeef0b731d4d916a09d9aa010519216

SHA512
d34a646301b3b83ae0c38a9471f34cc5489f11088ab086d01f85a50c5b833618f47086f7fa6c071cc1f8363e6eeec05890f0806697ad6eae34bac98281072e8c

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\phone\scrollbar\vertical_hover_thumb.png

Filesize
383B

MD5
2cc0fd080805382418d31b0512dbd6ab

SHA1
a2ef7bad7f56013905604c99c698f4f0ccd849a8

SHA256
b10759b0caaf50ff9124df6bd61059c9e8194d637cb17ebc34d4ffb3316cd8e1

SHA512
aeb92db2c018e6844bb7ddf99df81f35eea5132ee1dffc21859adb4f4f3e787d48fa347e3f5d8200212c6bdaa176fb506230e7ef1cf42e10cb11d670817e0de9

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\phone\scrollbar\vertical_idle_bar.png

Filesize
383B

MD5
4fc09c9a01f428d10577a4bc2b94b5ba

SHA1
fdba3efa0685f3631b12f000c9c7a3601a579662

SHA256
f31049a87862760ac85bc359374b2257b5f1877309c0fa7319f3ef9fb5f59a74

SHA512
1e5ecad4fb2afa8c338e6eb3cd41b454e9f15c98a8d4bafd594a4fb5ca4e90954947f52857ca28bc99f4a4205d624e26d4c2755370d3917d7dd17b3e9f864bef

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\gui\phone\scrollbar\vertical_idle_thumb.png

Filesize
383B

MD5
69b35b02654ea0f3de0cebab78781070

SHA1
fa64d6833ecb0d077dfc6d8330bd8d8bed6f9dcc

SHA256
ffdb2fe8066043a98b72a7b99225edd3a0c7d6e8803a1858fdca3e87d15bfbef

SHA512
dc3e98b2f646908005b926bc5f4e6becf54602f7c5329d451f5d199a2d2eec02b9cb81665e484e92ed76c1a69e6e46b4848b6fbcffbd50c93c4b603158335fe4

Download Submit
C:\Program Files (x86)\Her Game\HerGame\game\saves\persistent.1722839602.tmp

Filesize
1KB

MD5
a6cac59907e7790203af18efedc182ce

SHA1
cdaa2bdca6bad443245835d2b27817107b21b1eb

SHA256
09c69d0924fae9b920fa95e1c88b5a88f83d50cc2a2def1f42069e3cdb9e573a

SHA512
d3694f4532a67d293050acbb0cde663fee3be3766d87a2e072ed5f53f72ea83d682529537aa7bd8d2300e8946329c93951e715e7cc4d2a1d76b417739b1db0f5

Download Submit
C:\Program Files (x86)\Her Game\HerGame\lib\py3-linux-x86_64\python

Filesize
5KB

MD5
38824d862966195121486cfa70a998a2

SHA1
532b11579df73a2b21e5ee76c52b0c8a68d5dce0

SHA256
7bb681352218369a500d272b1e0cc57859cbd5e91457322859de0206df16cd4a

SHA512
96489ffb3ad8a23c2bc3188b0bf7e265f13fe6502bd2899cd3512fafe595cb7bbfcd911a2f5cf7d761accef98d152023b57e2731aa6eb26a79e9d524d500fa3b

Download Submit
C:\Program Files (x86)\Her Game\HerGame\lib\py3-windows-x86_64\libpython3.9.dll

Filesize
8.3MB

MD5
002cd601ae21e3fd5742805729ab330c

SHA1
8bdc01e1281ff3f6b8db3087f02fcce3c9accf43

SHA256
85758734a56b8020b4ba25136e63b2fb88e7f84255a1936cc1dcc75832550faf

SHA512
388370591e8395fae7fad9567747f966c82584e95ecef43b016f53ba57877e83ba24362d3a627e04102bfe34ef2e3d22f3b7786401f723eae38465c3adc23736

Download Submit
C:\Program Files (x86)\Her Game\HerGame\lib\py3-windows-x86_64\librenpython.dll

Filesize
20.6MB

MD5
b599ba478b836b390d1f406292ef6fd3

SHA1
a75efdfeeb0910eb6e3e27859e9b2b510b4af14b

SHA256
289c5163b459cab9d938332cea59e826a1c7362464c37ba500c8409c56687c32

SHA512
850741209708b9defdec0a142212220be002825bab0f02917962747936d844832257bdb46e24a4c51a7c1dd1a21b9a014bebcb9edfbe50b74117381461745192

Download Submit
C:\Program Files (x86)\Her Game\HerGame\lib\py3-windows-x86_64\libwinpthread-1.dll

Filesize
344KB

MD5
da67da022bbc1bb9409e3328c1cb64e1

SHA1
e1fd29f4256d7066f05d113cb8e96e1aebaa38e7

SHA256
00d784e7e002c1b01f3146c87f30030f169843988f87c9631cb2df211979286b

SHA512
24ba4936ff149f0875b3e4c7e36e80f941130faccd4d6296d68c8af8b0e647c37d0822d477218ab0b3d4b51f24cd1dfa1ace54adfbd175d122036c3a7e787ebf

Download Submit
C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\codecs.pyc

Filesize
33KB

MD5
d9801f56a07c692c5ba1982ae759180b

SHA1
ea7e44451c9cf75635166c2d0f9bde455cd35021

SHA256
e9fe33d5ccb8145e92b54544621c493fb2809de6c9252734d23e05236f4fce82

SHA512
c386b9cb7fadc38f49915b092150492f64d49a70686d19993fdbb922022dba920c59676b341c7db38107179fbbca581282ca3825e93dcd2e87b0a4cc600f2ef0

Download Submit
C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\encodings\__init__.pyc

Filesize
3KB

MD5
c22d42b14cc478f191d6a79257ad0f94

SHA1
22c1481dda824cec94ec19d87cb1e5e7abdc94b3

SHA256
b7e5f4f6a5212b63e1a554600ff55fcf6f6bee86012fce1cbef6c334016bb12c

SHA512
2c02c8bbe8baf4928237d07711e4748fa55248fe96033d9095d6dcb811204e5a90e1da43da08db524ec1c08092986f6bba433e0c6b6fe9ac60068d5805f78067

Download Submit
C:\Program Files (x86)\Her Game\HerGame\lib\python3.9\site.pyc

Filesize
16KB

MD5
33a3e254cf3488dc81cffd0e34d6a175

SHA1
00fd9b3faf38a277e464595105044dcb3edd1c16

SHA256
0e0afed50903972b80a47f19f430026a0cfac10778e5f5e9025b1cf0c589ac20

SHA512
a67babd2d6878a4d76187110337317ae5ed21e5b71a70f8202ed74216b17c188e3f652ccc1e0cd722e0b5577cf382d3a90fe5ec1aacf38d292ee75c4badefc1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54C62B182F5BF07FA8427C07B0A3AAF8_4DBBCB40FA282C06F1543D887F4F4DCC

Filesize
719B

MD5
28bc19a7cc607d718102b84fc9f09871

SHA1
39d1445b8267f6c64398dbdc3b36cb8bf61779ee

SHA256
2182af4e3be8732f98cb14244373d1eb042f40b516f2a4fae039b0c4f536159d

SHA512
dcc21b668fdb55133ca0fe88530be15a312f59b968842a2f9ab1a5530cdf0a74e5c01efdd5ba5832452a4b0e24a0b4088521b2bf8ccd33efdfbeec60c9eede50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D682FDDA10064185EC8111DC39DBA8EC

Filesize
72KB

MD5
f22f3955998d56a73ec6ffc49b61fc71

SHA1
093145fc8f29ac4e7922c1d029a27916afaeb6d6

SHA256
f074daf73d3bda04b7e338e683c6922f1cce66a347ded0a6e7bf371f79513fc6

SHA512
45393e1f4c9cdee494464b98b81a33f93452934384b156f16d39ce06257450407ec54db47800da943030fdb0cfb4839b7584bb8dcfb122c45698137553eefc6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54C62B182F5BF07FA8427C07B0A3AAF8_4DBBCB40FA282C06F1543D887F4F4DCC

Filesize
446B

MD5
a6547ead2a8de6dd03dea45d37170403

SHA1
69bc6e19e0bc7a0909e5f5eb4ad06304ff8356b7

SHA256
52a266228e882aa6a6203c46ba1d2e54e50d7377ec1471ba3dd08deabac0ccfb

SHA512
93d00d896b758c690820da5e2282527d654198af1f7b78b1354a09ed40f672fb3f3367d7031a69e94a918ef38c97f9283007046cc6905a7e0bccf173e976934e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D682FDDA10064185EC8111DC39DBA8EC

Filesize
308B

MD5
13ef579ccb52b212df4f6483f48aed96

SHA1
0b030f9eae7e6905ae1f393369e09c0e62c33896

SHA256
88f04a4a8a62e5af2053329d2302ab499410eca19cbcb3154ffc90b710e220f9

SHA512
e8276db9d1a05a6a6d374a97acb5039b0508365b145b7699a5a447dec1a2f9e134aba2f954790b5d91421f77c074e16286c660d32508d8004aec7f6de6155dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4368\banner.jpg

Filesize
2KB

MD5
64b175efd4afd1cd24fea952c80d1554

SHA1
5174df814689e080aca25fbc846ed704c3467d41

SHA256
e5d012e30e3f471a15c3e28f04439167c6247db355d2ec75a47feb3e3edcab12

SHA512
daa8b6a73e7632495fd830c71bf2ac389d4f0fc8a267ec760e72b2b5974b9aa781406d22c5ac92468902544526cace7c4aacd6806173e2b679f43ec4e527d338

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4368\dialog.jpg

Filesize
11KB

MD5
1b46f35e943ba70c0e99f62f90d8f509

SHA1
8eea5dba1a4d602cce89c82a62d6fc551192ef2a

SHA256
842d87a30c84d1d9c4d71d969cd69a4b083c374a43501b7d1bc9b94e1d564d33

SHA512
2f7289c1f06f5cb137bd6a36b654c6a3e5f87096a6b8481906cec33a795fce410ed8a8381aca1a27282b9ed58ffc9be14b5850035b1b8fff7fb66ec0e2abd9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5C64.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5D51.tmp

Filesize
1.1MB

MD5
58c6476771f68f57661d0f6533cb70ef

SHA1
8080de39939f0a8f1e0c529cca30bf38b0e6abf2

SHA256
7eb240ef6e75de05b2a199bc55fdc8d13f467d5b4e58457011653312fffcc65f

SHA512
2b4b4e4466a7eea2d28631a80f257ced0a7263aa81c945105b793371534580dff1b66779bab36b9157b596c352c234a19c568e105faa1ba8681aa39feb5950c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fpfvhvtl.bsc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi7B74.tmp

Filesize
4.8MB

MD5
77d6c08c6448071b47f02b41fa18ed37

SHA1
e7fdb62abdb6d4131c00398f92bc72a3b9b34668

SHA256
047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b

SHA512
e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

Download Submit
C:\Users\Admin\AppData\Roaming\RenPy\HerGame-1721992267\auto-1-LT1.save

Filesize
10KB

MD5
d605f2347c5fef4fa10f229501dc508f

SHA1
91eeb5107284f83da3df07db125cfd5c08194dd4

SHA256
3313c2eccfac8f9c94516d07f8fbdb870d2262d3c88efee84999b1dd2dea6a22

SHA512
1fd688c446a93acdff78a47572dc31956bd278d0c34414d50665a94b043e8edfceb213923670c1517f785bd91d620fb91ca339d1514d48745c91504e7d751ff6

Download Submit
C:\Users\Admin\AppData\Roaming\RenPy\HerGame-1721992267\sync\text.txt

Filesize
5B

MD5
f4020e91252aafd4b18d8acd17f883db

SHA1
748d77dbb8bdb0dd330c099e7fde82da053fb1ff

SHA256
314ad142957febe390cc7223b4deb1d1b21c187f84f6e7257a23fe46c27fcae3

SHA512
301ddd0e34cbd842dae99a2cc4ccbfeb6ee8b3def39c214a719fa9edc26d7142749bbe6e992d26353dc167febbab0dbc05476b68a86ad93cab5f299f0aaf916d

Download Submit
C:\Users\Admin\Desktop\HerGame-1.0-pc\HerGame.exe

Filesize
3.6MB

MD5
9e2da3dfddcee72b7fd0f7ad58f5e92d

SHA1
4d589c918d15bf428cf73910690ab80279124032

SHA256
8aac8dd8b6b78673c23c26adb7a872fc1a243e000397c6e857d9f4c107f55516

SHA512
75c9c596fdf5e4d2d2578a27f1e502a0018ba00d6bba68baa250c65b1dae066410756961526262c7c685dc4c7a27f07574615db7a3021fc917d4da240399b533

Download Submit
C:\Users\Admin\Desktop\HerGame-1.0-pc\game\gui\slider\horizontal_idle_bar.png

Filesize
291B

MD5
0a356adfcb1ef7a78191e0ca701655c5

SHA1
3aa91d522aecc812fafecf58460c83c15d5de9ab

SHA256
5f074b80af345ab41b5fc0caa7230fc7c714b8c464411b4d3aff74c6c58083a9

SHA512
ce9af72d496d0f16644858bf1a34cd3ae884f0882d2c27f3607e3968df11e8386a9a6243eb314de11dcfa4d08e0151ce246f6c78bd1e7cc5686d1d77e4a4fe71

Download Submit
C:\Users\Admin\Desktop\HerGame-1.0-pc\game\gui\slider\vertical_idle_bar.png

Filesize
425B

MD5
37cd5d19c31a5728607e250e3a287e88

SHA1
9922f1bde631fe8bb0aebeb033c7cdb8772f788a

SHA256
21258339236ee9ca1d8d17fbd2e39679d6020eb73f1a33b48efbb3944f352142

SHA512
bf6b88ef5cb1141927ec3de584fb137bb92aa56d11b034dd072675777326b18eb03b164511e31f4248549510b21c004f17129e2ae9ad45c529175aa3bbde8b18

Download Submit
C:\Users\Admin\Desktop\HerGame-1.0-pc\renpy\memory.msi

Filesize
3.4MB

MD5
7d2dd046ae5a8dc923c03e7e7fd17b08

SHA1
cf967cf23ad67936c65de09e86f6addb0822c91d

SHA256
d04500c500d08cf46d916364c2f7f0c460622518033d586291bc9ff7f77a8091

SHA512
1ef16768e797d119bf1a2c096e5c8de4b63c649897df23e11dc0cb5ec9367a3029333fdb5e90013af9a1cc09a165abbc99dac031acbcd989f5801e17ed315fe1

Download Submit
C:\Windows\Installer\MSIDB0E.tmp

Filesize
397KB

MD5
0c8696262850937c0c34da3cd24b2bb0

SHA1
7dbf638bd24bd19e9d2258f483c7ae244c7b20f1

SHA256
06a80941ef4d514fc6845f0a82cdae80d5dc23becf53797e45656473aa1e98dc

SHA512
b1ad22b66af5b97d78be0585cda179f45ae200693b4082d670dead04eac9977eec1cbd687eea92ddd8d38474b6fb44125aaa3841d76243ffc47007dbed0aae6a

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
495246f8ab6df11abe3833e14e69852a

SHA1
ad7a0ecdd7469ee8a1e766ea677936d8c80452ee

SHA256
5ad690ff0bf4d9efd67ccadcd9558dba0d3a98aec01fa4a95e083a2e0fb1f9c6

SHA512
db0ade8867b91259aea04d3695f57aa65b2b9cf614bb1cc5a4c327c527e32870243fec082c2163c59fe6517cb06f7024b9f09d5d886c92ee0c839712d74588a8

Download Submit
\??\Volume{f3a72b53-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b8fe7d1d-ee47-4fd1-909c-f50e7a7391a2}_OnDiskSnapshotProp

Filesize
6KB

MD5
0e13571b6e3017c8e53d36e63470f194

SHA1
16b473879818179971fc77964cb6d1c77b28ed46

SHA256
bf132ea2cfc5ec68f527d801014cf85a6bd3f55249b7f1b64285389f3d45f262

SHA512
21c701e500f5a67071a17b8c389cdf896e88f737f17953ad9b20e147064d2993881e2c839120fa7933fb253b4d820670f61685a3e5312e5eb9c80acd9f4f6f6f

Download Submit
memory/4416-4915-0x0000000007470000-0x00000000074A2000-memory.dmp

Filesize
200KB

Download
memory/4416-4913-0x0000000006640000-0x0000000006662000-memory.dmp

Filesize
136KB

Download
memory/4416-4891-0x0000000005A80000-0x0000000005DD4000-memory.dmp

Filesize
3.3MB

Download
memory/4416-4892-0x0000000006050000-0x000000000606E000-memory.dmp

Filesize
120KB

Download
memory/4416-4893-0x0000000006090000-0x00000000060DC000-memory.dmp

Filesize
304KB

Download
memory/4416-4850-0x0000000005350000-0x0000000005978000-memory.dmp

Filesize
6.2MB

Download
memory/4416-4910-0x00000000077C0000-0x0000000007E3A000-memory.dmp

Filesize
6.5MB

Download
memory/4416-4916-0x000000006DF00000-0x000000006DF4C000-memory.dmp

Filesize
304KB

Download
memory/4416-4881-0x00000000052C0000-0x0000000005326000-memory.dmp

Filesize
408KB

Download
memory/4416-4912-0x0000000007340000-0x00000000073D6000-memory.dmp

Filesize
600KB

Download
memory/4416-4877-0x00000000050B0000-0x00000000050D2000-memory.dmp

Filesize
136KB

Download
memory/4416-4914-0x00000000083F0000-0x0000000008994000-memory.dmp

Filesize
5.6MB

Download
memory/4416-4911-0x00000000065B0000-0x00000000065CA000-memory.dmp

Filesize
104KB

Download
memory/4416-4926-0x00000000074B0000-0x00000000074CE000-memory.dmp

Filesize
120KB

Download
memory/4416-4927-0x00000000074E0000-0x0000000007583000-memory.dmp

Filesize
652KB

Download
memory/4416-4928-0x00000000075E0000-0x00000000075EA000-memory.dmp

Filesize
40KB

Download
memory/4416-4929-0x0000000007740000-0x0000000007751000-memory.dmp

Filesize
68KB

Download
memory/4416-4930-0x0000000007770000-0x000000000777E000-memory.dmp

Filesize
56KB

Download
memory/4416-4931-0x0000000007790000-0x00000000077A4000-memory.dmp

Filesize
80KB

Download
memory/4416-4932-0x0000000007E60000-0x0000000007E7A000-memory.dmp

Filesize
104KB

Download
memory/4416-4933-0x0000000007E40000-0x0000000007E48000-memory.dmp

Filesize
32KB

Download
memory/4416-4849-0x0000000002A70000-0x0000000002AA6000-memory.dmp

Filesize
216KB

Download
memory/4416-4880-0x0000000005250000-0x00000000052B6000-memory.dmp

Filesize
408KB

Download