16f7d9d609c24c5af75c0141059d49008eb9b1f016d198e224bdb486668cc7b5

Resubmissions

11/08/2024, 00:23

240811-apyleszfnh 8

11/08/2024, 00:12

240811-ahh76azdjb 7

Analysis

max time kernel
421s
max time network
423s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 00:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Size

3.3MB
MD5

e23d97827ea3c90cd85f2d11402e8940
SHA1

67c01979b3516f9c3082cc05367142a74e413be8
SHA256

16f7d9d609c24c5af75c0141059d49008eb9b1f016d198e224bdb486668cc7b5
SHA512

e9dfd9ebf77aa615b17c05f99a5efed0c5dc993b7ca59800aa7ffa45d0d7fe4e207d0e4386c4fd9b11ceb49b5a4d28b4014ab9d6327ed86a8321cd9f3e90f646
SSDEEP

98304:EyasyD6Lvd557Vh2EKTlpFGuKIKRv6owpuC:XyOT57V7jFiowgC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe

Executes dropped EXE 2 IoCs

pid	Process
3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
2628	sysinfo-app.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
2220	powershell.exe
2220	powershell.exe
4768	powershell.exe
4768	powershell.exe
4152	powershell.exe
4152	powershell.exe
3232	powershell.exe
3232	powershell.exe
3232	powershell.exe
1140	powershell.exe
1140	powershell.exe
1140	powershell.exe
3212	powershell.exe
3212	powershell.exe
3212	powershell.exe
1200	powershell.exe
1200	powershell.exe
1200	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeIncreaseQuotaPrivilege	2220	powershell.exe
Token: SeSecurityPrivilege	2220	powershell.exe
Token: SeTakeOwnershipPrivilege	2220	powershell.exe
Token: SeLoadDriverPrivilege	2220	powershell.exe
Token: SeSystemProfilePrivilege	2220	powershell.exe
Token: SeSystemtimePrivilege	2220	powershell.exe
Token: SeProfSingleProcessPrivilege	2220	powershell.exe
Token: SeIncBasePriorityPrivilege	2220	powershell.exe
Token: SeCreatePagefilePrivilege	2220	powershell.exe
Token: SeBackupPrivilege	2220	powershell.exe
Token: SeRestorePrivilege	2220	powershell.exe
Token: SeShutdownPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeSystemEnvironmentPrivilege	2220	powershell.exe
Token: SeRemoteShutdownPrivilege	2220	powershell.exe
Token: SeUndockPrivilege	2220	powershell.exe
Token: SeManageVolumePrivilege	2220	powershell.exe
Token: 33	2220	powershell.exe
Token: 34	2220	powershell.exe
Token: 35	2220	powershell.exe
Token: 36	2220	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeIncreaseQuotaPrivilege	4768	powershell.exe
Token: SeSecurityPrivilege	4768	powershell.exe
Token: SeTakeOwnershipPrivilege	4768	powershell.exe
Token: SeLoadDriverPrivilege	4768	powershell.exe
Token: SeSystemProfilePrivilege	4768	powershell.exe
Token: SeSystemtimePrivilege	4768	powershell.exe
Token: SeProfSingleProcessPrivilege	4768	powershell.exe
Token: SeIncBasePriorityPrivilege	4768	powershell.exe
Token: SeCreatePagefilePrivilege	4768	powershell.exe
Token: SeBackupPrivilege	4768	powershell.exe
Token: SeRestorePrivilege	4768	powershell.exe
Token: SeShutdownPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeSystemEnvironmentPrivilege	4768	powershell.exe
Token: SeRemoteShutdownPrivilege	4768	powershell.exe
Token: SeUndockPrivilege	4768	powershell.exe
Token: SeManageVolumePrivilege	4768	powershell.exe
Token: 33	4768	powershell.exe
Token: 34	4768	powershell.exe
Token: 35	4768	powershell.exe
Token: 36	4768	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeIncreaseQuotaPrivilege	4152	powershell.exe
Token: SeSecurityPrivilege	4152	powershell.exe
Token: SeTakeOwnershipPrivilege	4152	powershell.exe
Token: SeLoadDriverPrivilege	4152	powershell.exe
Token: SeSystemProfilePrivilege	4152	powershell.exe
Token: SeSystemtimePrivilege	4152	powershell.exe
Token: SeProfSingleProcessPrivilege	4152	powershell.exe
Token: SeIncBasePriorityPrivilege	4152	powershell.exe
Token: SeCreatePagefilePrivilege	4152	powershell.exe
Token: SeBackupPrivilege	4152	powershell.exe
Token: SeRestorePrivilege	4152	powershell.exe
Token: SeShutdownPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeSystemEnvironmentPrivilege	4152	powershell.exe
Token: SeRemoteShutdownPrivilege	4152	powershell.exe
Token: SeUndockPrivilege	4152	powershell.exe
Token: SeManageVolumePrivilege	4152	powershell.exe
Token: 33	4152	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2628	sysinfo-app.exe
3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 3096	3596	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	87
PID 3596 wrote to memory of 3096	3596	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	87
PID 3096 wrote to memory of 2220	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	91
PID 3096 wrote to memory of 2220	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	91
PID 3096 wrote to memory of 4768	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	94
PID 3096 wrote to memory of 4768	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	94
PID 3096 wrote to memory of 4152	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	97
PID 3096 wrote to memory of 4152	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	97
PID 3096 wrote to memory of 892	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	99
PID 3096 wrote to memory of 892	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	99
PID 892 wrote to memory of 2628	892	cmd.exe	101
PID 892 wrote to memory of 2628	892	cmd.exe	101
PID 3096 wrote to memory of 3232	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	108
PID 3096 wrote to memory of 3232	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	108
PID 3096 wrote to memory of 1140	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	110
PID 3096 wrote to memory of 1140	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	110
PID 3096 wrote to memory of 3212	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	113
PID 3096 wrote to memory of 3212	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	113
PID 3096 wrote to memory of 1200	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	116
PID 3096 wrote to memory of 1200	3096	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	116

C:\Users\Admin\AppData\Local\Temp\Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
"C:\Users\Admin\AppData\Local\Temp\Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
  "C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe" /app "C:\Users\Admin\AppData\Local\MobiGame\\"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4152
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\utils\sysinfo-app.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\utils\sysinfo-app.exe
      C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\utils\sysinfo-app.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_OptionalFeature | Where-Object {('HypervisorPlatform','VirtualMachinePlatform','Microsoft-Hyper-V-All','Microsoft-Hyper-V-Hypervisor','Microsoft-Hyper-V-Services') -like $_.Name}).InstallState
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1200

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3bfc414667e1ebc31e9259fa1db290fa

SHA1
9bff989429779efef334e5524a362e7b6ff266cb

SHA256
b58f994c644f7b4a831e889630bfd7ca0860aeb1e0920dc0f5d4928585a9dbab

SHA512
e6cb000e8f900132f7dc661f943b8e91e945d171157ff3289b91e9d79f70230e363ed65b7ec97f451b376cf4706a14de9a86193e72dcea8fe3aa8c86c6117d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e4c8e06feef9244798d4ad71ab158f08

SHA1
4e90c4f42c3be29046dbf8a49c0ea4a8380568e0

SHA256
0268b5ba878364d9a3dc79a04281ed285ee1e39f0b8f3157b621321c8e059a5c

SHA512
c81ba44473bd513ee416f977ce1aaaddbac6a994f45d5e5ca0c72f6eb9cf3eebe27cefc841e5c7082a83e1b6eac970f0b079167262c6725492dedd824fd1bdba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
740951544b69d9a5a00aa693bf1e2d73

SHA1
c46fdae6979a08b5e9db05046686f0d1edf38caa

SHA256
dd63d617a9607de67ecf702ea93f02e805d11eafbd2c6e9f705c620b1e685a22

SHA512
e5fbfb1346aa56c358b6970e0caddb424ef416daba7ed3a2014dc18dabd2d0d5ec42f4a10518ca1453e7dc4da1893ee23b0cd18d4e91887637ce5ae9577db398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d576edc3ba971ac7fd8898dfac4c22ea

SHA1
7e14adf3e579216711951a51414ac8a36efc46c4

SHA256
e7f68c798d5a3992b404a3b800df98b23ceb63054dbd3d049d48bb9c29400d06

SHA512
af314bf572c62d2bb7f0041d4adba8697903359384a25d6b08e01aee6bd63e9abb331ee9655471c6966ac621ba377b2c59274b5d6fcbbd7fcdc7487c77e86c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7278fa708769a543014267e4613f927c

SHA1
d18017fe0dcb3ef814e69cc1ce20857ee25dd3b7

SHA256
4617aca60de6e4127de1fdca73f36a60703822c2ea38a9f521377d4f49394edd

SHA512
147ca121aa72f2a11f3ae22667ee433ac095be3e7d0ad71aa9a1f5fee1838e361f359b58854908a9d942de7162f7c136d51f6a5c9b6b9a1bdd94586ffe921cc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d05bdfd12940c9efc148e1cf0d2fbaff

SHA1
0efaed9a1e9d955af4f2541c0544f99a968ebe3c

SHA256
eee612a38acdc3ce219ca92aad5bc1244679e12f73856d1ab5727c4c190d2d79

SHA512
c3b037729fd9908b497fdf0d5df874f64cc30af553c6ee34dbe300e91fe266a1bd3a93154acc8a2e0235a06a9c384f5ba9c57d2547e6f442b8edd2c5986133ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8f0f0bdcbe702bed64996636fcef4e78

SHA1
70309052c181844e964217d8ef515332c151415d

SHA256
b5b90094dac3d1015520ddc25136f5ceeb672c479eabd09799f12af543803e91

SHA512
3c41b164bf66d4c17c433a51a9b789b11a98fb0549e72b5c9fe75bb97797af866ce4e042499e1cb14a6a9c91274eb4f911e0e9e6cf6d1fcf80dd9b3790da289d

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\hwid.dat

Filesize
32B

MD5
53340b12b60a643b5bb3ebb45380d19a

SHA1
e1dcb43a99147a7fe40c3f9d9242565847e2a624

SHA256
fc44f3b9090cad7422eb7f9414c48031bcd60d1ac80188c132bbbf1e6bda6982

SHA512
6de6078d14416fe7c8077b666e3ce6222b04411d6ed355388b53848e80beb06cf3a3862fdddc88db5f021b793c089ae0de5b18e506c23dfff83625e78d17e754

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\installid.dat

Filesize
32B

MD5
b1cea4c95555105864d0a971e1f2bde2

SHA1
021e963d0592f839b66972bf34a3603a5074cc94

SHA256
3e9cee799a127c102f2d57cad28f972b030513c313e7c5dd32323e90b4e51870

SHA512
888adbb4c829a773bfe904034b13138cbe0ce6c2aeb47132a713a38216182d3561e799b211dbfaaf13f01ccd0b3c66f8b50a81c3641725b6e6b254486ec87a25

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\logs\downloader.log

Filesize
4KB

MD5
e48af10550e6ed7aaeb8ab39a8070be7

SHA1
04d1ab90071ab8d8d803268dadf3183c5b5dfb02

SHA256
f2446422a797ea5d195937ba3d39db19c60b37bb2528c90ac320a52b1a4c0a71

SHA512
2a6cd4808f0aefae2c911ff8c7e23594e79652d2c9248380574e296144e8b26b4e8ac1abc8ef54f55f25c8c67d5c4f53ac7fdf98f45e7f423c01379b0a0edad2

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\logs\downloader.log

Filesize
2KB

MD5
99c70a137d3c913faafd0e1415e2eee1

SHA1
376b3ff8f0e26a23d58eda33e8a5222aa9f66897

SHA256
d7e17a5c9aac38b1e2ef56bc9ef5e9326a294acd0e0df78c3e7fce6e5d0497b1

SHA512
f0360d191efae33890842180a791d37406c346064c967f70a01b0a872f17078ac5ec1c116e398bd625374496ea651636f3eff76c33e78ba1c76fe85fff3c9604

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bdk0hpso.0ox.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe

Filesize
1.0MB

MD5
8afdf50f0097e7fc7254c83b2b2bf097

SHA1
771f30d91517ce306e93b548f31bd595139255a8

SHA256
1c96bab3b22b9e52736982b58ff5d75eb22293aa184024ad29c4f722bf1420f3

SHA512
51e70ae50cc46be7670ce73c559ffa11f6cc324a0256b44f394c789b5e7fd78089b934f7a91b06d5ceba55caede217a87296bbdb0ba17e48e59dad8ca33a5e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe.config

Filesize
3KB

MD5
6517457e21bed85a6e41e8b84942c8dc

SHA1
45451a32d6246265c94660030642137ff0ac4629

SHA256
3148b743bb5599ee95ff171d8ed7f66c48979d5993a328f9e9291c1443e0fd28

SHA512
e694240d22e240f3b4ba78a2d0e38b353ce1f5ea348d46e688cb60166cdd91083b5069d1cbc79f94cfbf322edbdeee3511eb9360c2a08c3002d1ca28175451a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\Microsoft.Deployment.WindowsInstaller.dll

Filesize
182KB

MD5
82eb1ccf28f3af897c2db27282b41156

SHA1
9f945d8b18ff0fbb5f013efe5e2ff33aef136104

SHA256
ced6cab3c04c08ce5705af0b6986965dbdbfda17cbd66c973bb371ed3b95f37a

SHA512
9458fabeae4dabf8109b9736496a01d9168312faec1c17d6eed89e8f09cbb8287d74ff758948cf07838720c11005e87a734e920be4ead275354f46a0a6176f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\MobiHelper.exe

Filesize
590KB

MD5
751672b3dc8e48b7632544b57e01a069

SHA1
a497158550201b67a8340756529c8909f13ddb5a

SHA256
acff977962ee68c47b786c28186b43b093ef41ec6ed617ee019f1227e17d8799

SHA512
96e0d9a1f15c55ab69b37ec095dda802a008c37c14a51bce6b5e04ca60d83e09bf9d69be604d0fd5f407471c959fafec0d8477856570fc8862a606a237baa97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\MobiHelper.exe.config

Filesize
1KB

MD5
4c77703bc70d087c272b1b4f8db55c4c

SHA1
3bbf0cc26c0b888aedefbfb077ca1e270d3c45c3

SHA256
dfddd98c2f704875c1b40cd1c81005faf10a442135c2c84b9ebef51f935d4b06

SHA512
bb0052a2c5904e503429017c506f03122c2f4b83d0609c1d40a153848d392303c1ec441338fcb18977e6f310f634abe0bd3ecbee03cd7e468795dd2cb75f8dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\Newtonsoft.Json.dll

Filesize
464KB

MD5
83222120c8095b8623fe827fb70faf6b

SHA1
9294136b07c36fab5523ef345fe05f03ea516b15

SHA256
eff79de319ca8941a2e62fb573230d82b79b80958e5a26ab1a4e87193eb13503

SHA512
3077e4ea7ebfd4d25b60b9727fbab183827aad5ba914e8cd3d9557fa3913fd82efe2cd20b1a193d8c7e1b81ee44f04dadfcb8f18507977c78dd5c8b071f8addb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\ResumeService.exe

Filesize
522KB

MD5
d293db543d714d4b6a959911f04982cc

SHA1
69c6d24cebec0d0f82b2006d9f9f9c3add831263

SHA256
dd31c28d11f79d4dd84c531b68fe52aa8f1076ef585bcf438d8976f8d3baf14d

SHA512
8abcf620c879092fcdc77b16877a9d7b50d9dd7b0e7a89187150bf03c1a7e05021cd30e30315d881ed5e819cb0d85050fdf294fa41bb8006c7cfe582fb68dc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\ResumeService.exe.config

Filesize
3KB

MD5
c0ecf23c7cf4e09c426ff35e83eb34b8

SHA1
6e42205b40fa610e3d3376cc21997745f448ced7

SHA256
61bcc5c65812305576bd37eb7237ac29f04f14cef3ab9b9e7e8f940d5522b393

SHA512
ce8ee53483211cc488df90f396fa33877866cdc862b343625c736cf676be37e95021e465d277aff503f01eee8e5883175ab6a74ba2317285e843f87285f9995d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\ServiceStack.Client.dll

Filesize
241KB

MD5
e7eeaacea4bb7ca8625dbc72f9c05177

SHA1
6e540e594d4e7fe1c55f2f9e406d3c0f6d02af9d

SHA256
67f5c0fedec2ca57fc1b3118bd772b987c01b573584c08c4264fc8030f0944f3

SHA512
9b45ab2f9b865da7775405eb05b805073f37590573c50b70644c6e694f2e6effa5c9b0cb15ce30b184f8afa71a382bc4bb9096599ccce8b68e130131da502c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\ServiceStack.Interfaces.dll

Filesize
169KB

MD5
bbaa88e5567a6b9c134f28262c54ca65

SHA1
5d59256abbc0226d4966cfa7f96511453736bb63

SHA256
2e2cf708db9d86b04c62a6273aa326225181fb739f6b950fbe2e1bd4905ecd0b

SHA512
eb714c554123a9405f1beb952e82f79b684995a4f567f3fb9bf934f51496eea0d325c791fddafc2105922ca51f93132db85ee8b555880ac04e0e039636c58779

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\ServiceStack.Text.dll

Filesize
540KB

MD5
01e10fdd82dff5e70eff077adc2a4528

SHA1
5bc845e65e732c4bbc246174eb18874140d26772

SHA256
57f75c075376c8977860c3bcb8d7d693289450a08b569159bf7ed1dc1824e1f1

SHA512
fe0f0e8c14d6a8318a1a4320e427375b309e2ab5f05286ecca7d7ce1c3047c75054cce2153233c07bf7a921d43fea3fc5093af928bb7b555de46dfa2adb55366

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\System.Memory.dll

Filesize
140KB

MD5
2bc5de386a4297144781d15b8e812b63

SHA1
ae6b19d49b413f1549b3540a9fbba00c1e8b3d27

SHA256
9c266080fb5f31e02a5005b91657093bd8c1faed23102e021a8be283c1753461

SHA512
e4d43c871af5c03392d2fb139fdf10c2f2da2f1d6fe0edd089e3e30369d6d350727b483c98868626f81d680400b44ee4d328e475b0017bfdeb38cdb44a8b4d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\System.Runtime.CompilerServices.Unsafe.dll

Filesize
23KB

MD5
a5aa80f49ad64689085755ab1ebf086e

SHA1
27e88cf0d2b34ea91efaa5cef9a763ee2722c824

SHA256
a79e1c30e9308afe4d680f0bfb82de3e8c1fe94aeca453ec4092c3ed4789ae6b

SHA512
f3dbd77e3a2ec3915b34d1387388abad45c99459ce03c06dc9a83d04f751b837c7b56cf9b4b7630f7fcd897a1d8057fce4cf761b1dc140a3928431b22b9b5b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\WixSharp.Msi.dll

Filesize
31KB

MD5
346d813cb3b38030edbe2342b21ecb0d

SHA1
578cc0f818bb3c414e5b806fe628a100f2eed63c

SHA256
4a807bec1041e2a900688f17d338a06b952a1a8e76b61f681454302753ab79ee

SHA512
72d6117ba66f1939fcb1f1bd89fe3a7cc5d93ae67ba7ed9927746a388eec4885986915372d5ff92176615f6e73e9ddcdff5e8feb30d2b0c17f8aaaab1e4f744a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\log4net-loggly.dll

Filesize
20KB

MD5
647ef1d7ccf030a09f17a54c5f40bbed

SHA1
08a71074606354e53a5c25aa9b084dfe9bef551f

SHA256
dc7ba0dcf33d3599c6d471cedb604e141d24a9aff9964225b8de1dfbb8a285db

SHA512
16d7dfc6033114c247c252f5463ab874418b609811ef31dd82365482487c6a8dcb2260f9b288fa883d3ba70c8b8836bb9e38d5bc24303db71fdcac8778b769fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\log4net.dll

Filesize
280KB

MD5
7c11f28d40f846515c132c5e358913bb

SHA1
fe7d3cd47352835016ffe5be86185165c4a09f69

SHA256
8cdae744cb81a397c61f9311e1bd089206783b8b173d6e8216005b84662fda1e

SHA512
12acfc71df4e7d24fe0ac9de97d21dcd651480fd0c9e46035cd3a2f3fe1ee6833fc9679cda0b07ffa33bb6ff0a97b6d28f3fa161747990b18cea73c22bf124c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_D701327B\utils\sysinfo-app.exe

Filesize
234KB

MD5
2b30334153d41d8c762207309be73d92

SHA1
a54f5fa79252b1b9968f6e1a44fde7f007a12548

SHA256
9b4eee17b496a35e88b5f1631ba21c2bee262b3c6da0024c18e3d1b7996b3484

SHA512
cc9972e8f8952bef7364b00d269848a918c47bd4fb66cb0fbc97ea7c74dab467ca7fa694c79a3d07cff45869fe9bd6643a3291b4fd83c53c544320470ab78aeb

Download Submit
memory/2220-66-0x0000015CB4AE0000-0x0000015CB4B02000-memory.dmp

Filesize
136KB

Download
memory/2220-76-0x0000015CB4E40000-0x0000015CB4E6A000-memory.dmp

Filesize
168KB

Download
memory/2220-77-0x0000015CB4E40000-0x0000015CB4E64000-memory.dmp

Filesize
144KB

Download
memory/3096-59-0x0000018B80010000-0x0000018B8008A000-memory.dmp

Filesize
488KB

Download
memory/3096-56-0x0000018B7E660000-0x0000018B7E66C000-memory.dmp

Filesize
48KB

Download
memory/3096-211-0x0000018B7E680000-0x0000018B7E688000-memory.dmp

Filesize
32KB

Download
memory/3096-212-0x0000018B7E690000-0x0000018B7E698000-memory.dmp

Filesize
32KB

Download
memory/3096-213-0x0000018B7E6F0000-0x0000018B7E6F8000-memory.dmp

Filesize
32KB

Download
memory/3096-214-0x0000018B7E700000-0x0000018B7E708000-memory.dmp

Filesize
32KB

Download
memory/3096-209-0x0000018B7E670000-0x0000018B7E67A000-memory.dmp

Filesize
40KB

Download
memory/3096-148-0x0000018B7FF20000-0x0000018B7FF46000-memory.dmp

Filesize
152KB

Download
memory/3096-143-0x0000018B80090000-0x0000018B800D2000-memory.dmp

Filesize
264KB

Download
memory/3096-145-0x0000018B7FEF0000-0x0000018B7FF20000-memory.dmp

Filesize
192KB

Download
memory/3096-54-0x00007FFCED5F0000-0x00007FFCEE0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3096-53-0x0000018B7FF80000-0x0000018B8000E000-memory.dmp

Filesize
568KB

Download
memory/3096-51-0x0000018B7E6A0000-0x0000018B7E6EA000-memory.dmp

Filesize
296KB

Download
memory/3096-323-0x0000018B80130000-0x0000018B8017A000-memory.dmp

Filesize
296KB

Download
memory/3096-49-0x0000018B7E1B0000-0x0000018B7E2B6000-memory.dmp

Filesize
1.0MB

Download
memory/3096-48-0x00007FFCED5F3000-0x00007FFCED5F5000-memory.dmp

Filesize
8KB

Download
memory/3096-372-0x00007FFCED5F3000-0x00007FFCED5F5000-memory.dmp

Filesize
8KB

Download
memory/3096-373-0x00007FFCED5F0000-0x00007FFCEE0B1000-memory.dmp

Filesize
10.8MB

Download