16f7d9d609c24c5af75c0141059d49008eb9b1f016d198e224bdb486668cc7b5

Resubmissions

11/08/2024, 00:23

240811-apyleszfnh 8

11/08/2024, 00:12

240811-ahh76azdjb 7

Analysis

max time kernel
330s
max time network
331s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Size

3.3MB
MD5

e23d97827ea3c90cd85f2d11402e8940
SHA1

67c01979b3516f9c3082cc05367142a74e413be8
SHA256

16f7d9d609c24c5af75c0141059d49008eb9b1f016d198e224bdb486668cc7b5
SHA512

e9dfd9ebf77aa615b17c05f99a5efed0c5dc993b7ca59800aa7ffa45d0d7fe4e207d0e4386c4fd9b11ceb49b5a4d28b4014ab9d6327ed86a8321cd9f3e90f646
SSDEEP

98304:EyasyD6Lvd557Vh2EKTlpFGuKIKRv6owpuC:XyOT57V7jFiowgC

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
67	1648	msiexec.exe
69	2972	rundll32.exe
70	2972	rundll32.exe

Manipulates Digital Signatures 1 TTPs 4 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E74B8BC01BC843C34D710E29DE0411564BADC2F2\Blob = 030000000100000014000000e74b8bc01bc843c34d710e29de0411564badc2f22000000001000000900500003082058c30820474a00302010202100d7b87bf9200d82906f619b5ee6c603f300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3137303731343030303030305a170d3138303731383132303030305a3081ab31133011060b2b0601040182373c02010313025647311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e3110300e0603550405130731383137383033310b30090603550406130256473112301006035504071309526f616420546f776e3120301e060355040a131749726f6e20456e7465727461696e6d656e7420496e632e3120301e0603550403131749726f6e20456e7465727461696e6d656e7420496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100adccd719ce3b4f84d425e2b3dbbf3273f8367a02e55980fb8b12d0ec202c5bbc0d40ed46059f647e65139a82317acf7f6c441043d6143f8e23097502d3c6ea25255b91fd27949261f4eac63539b1435624791be516dbf3e5d5803fd396a07c238e7c3a7e7be480b8f1e36a08d4fb7ff1ef640c7a6f00904dd3fb5f96ef5f4e7e47baeeed47bdf254fee13bf4a4e72ce5eb7451ae0cf675ad9d19dfed29621f3cc64b3bcdd7dca22b601c39ea6039603128748b1ab4acd40d3d4f53a41a862687424a55e2a56ede2909a81b695cdc2f6e16dc54864eab896765a75d10c0d156156029c91ac22daa455c8d1b853d4a330fce0de6c83b9ad632646509889134d6930203010001a38201e8308201e4301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149709754f51dc8fa3bf2e4540e443dc015d8816ca30250603551d11041e301ca01a06082b06010505070803a00e300c0c0a56472d31383137383033300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101002f9a80a913a1d71b909c639c165ca1603d5ce7fdac7b50a4eb5d18d334d2f9d35cda3aea2e9239994a6910e122d312ad9211aebc525b54d6b480bdc1c969ff237aae64718cc06ddc194bfd735794d9d889019c1903ef81fbb1eb993aae57ef2dd9665b8a4e8265e15da21281a6526dee2c183e84c696f40a9072df9bfe5c878f3fbbc6826c780a136b05d4f97aa21c671e0a0b58f36be031a532979fbb57879b7772c50cb394ce0ea1e6688936168621ce55f9c83a7589a501d67cdd75616748aa6524f0c0867971b56b73f1e5beb3f6e4341dc6d7f4acac6f0438317b0e6d3c35116f7d9c3a2d401ff79579d791621a3500525bf068199d2ecb0c77040a9d28	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E74B8BC01BC843C34D710E29DE0411564BADC2F2\Blob = 030000000100000014000000e74b8bc01bc843c34d710e29de0411564badc2f22000000001000000900500003082058c30820474a00302010202100d7b87bf9200d82906f619b5ee6c603f300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3137303731343030303030305a170d3138303731383132303030305a3081ab31133011060b2b0601040182373c02010313025647311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e3110300e0603550405130731383137383033310b30090603550406130256473112301006035504071309526f616420546f776e3120301e060355040a131749726f6e20456e7465727461696e6d656e7420496e632e3120301e0603550403131749726f6e20456e7465727461696e6d656e7420496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100adccd719ce3b4f84d425e2b3dbbf3273f8367a02e55980fb8b12d0ec202c5bbc0d40ed46059f647e65139a82317acf7f6c441043d6143f8e23097502d3c6ea25255b91fd27949261f4eac63539b1435624791be516dbf3e5d5803fd396a07c238e7c3a7e7be480b8f1e36a08d4fb7ff1ef640c7a6f00904dd3fb5f96ef5f4e7e47baeeed47bdf254fee13bf4a4e72ce5eb7451ae0cf675ad9d19dfed29621f3cc64b3bcdd7dca22b601c39ea6039603128748b1ab4acd40d3d4f53a41a862687424a55e2a56ede2909a81b695cdc2f6e16dc54864eab896765a75d10c0d156156029c91ac22daa455c8d1b853d4a330fce0de6c83b9ad632646509889134d6930203010001a38201e8308201e4301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149709754f51dc8fa3bf2e4540e443dc015d8816ca30250603551d11041e301ca01a06082b06010505070803a00e300c0c0a56472d31383137383033300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101002f9a80a913a1d71b909c639c165ca1603d5ce7fdac7b50a4eb5d18d334d2f9d35cda3aea2e9239994a6910e122d312ad9211aebc525b54d6b480bdc1c969ff237aae64718cc06ddc194bfd735794d9d889019c1903ef81fbb1eb993aae57ef2dd9665b8a4e8265e15da21281a6526dee2c183e84c696f40a9072df9bfe5c878f3fbbc6826c780a136b05d4f97aa21c671e0a0b58f36be031a532979fbb57879b7772c50cb394ce0ea1e6688936168621ce55f9c83a7589a501d67cdd75616748aa6524f0c0867971b56b73f1e5beb3f6e4341dc6d7f4acac6f0438317b0e6d3c35116f7d9c3a2d401ff79579d791621a3500525bf068199d2ecb0c77040a9d28	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4D56E7AC803733AEB63F6B8217F4BE35DFE6C42E\Blob = 0300000001000000140000004d56e7ac803733aeb63f6b8217f4be35dfe6c42e20000000010000007c0500003082057830820460a0030201020210019549f3e9c1fd841c29b1f2c2bdd013300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b446967694365727420455620436f6465205369676e696e67204341301e170d3138303230313030303030305a170d3139303132343132303030305a3081ab31133011060b2b0601040182373c02010313025647311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e3110300e0603550405130731383137383033310b30090603550406130256473112301006035504071309526f616420546f776e3120301e060355040a131749726f6e20456e7465727461696e6d656e7420496e632e3120301e0603550403131749726f6e20456e7465727461696e6d656e7420496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a69529c8ded2a23c241b5d3223350310da8bc4c1e27e4f38de191a07c5c3e54105693aa3ecda48b1a6be745a22f6d2617e99ee326e2ee0aff2d2fb01d02a3c2aa03b0a9048d0ada52e6bce2dff81d755729ac88e1818c2665fd9007e9036b0b44a29cbfe4717c0fbbf4370768fe22f37c8be5367db93801592886db3031f7e6a67a36187480957700863fd585152c1b47c4ee0a425533fb659f96b3c826e2a3b43d83e182d06d1eaded7f282b4b375b66ec18ad6e2c2612075644ae549112d938f62647c8904720c810976bf982fb27d0b32674f36945d4515f357616429bfba6975b141c22b59ab705d063aecd315a67fd29ddef8ee550acee03e4ab3b256ff0203010001a38201db308201d7301f0603551d23041830168014ad690670fc801b16b3a918946b9402865ef7278c301d0603551d0e04160414ecafaebf1f8d1389e1c8a95226a9938391dcf69130250603551d11041e301ca01a06082b06010505070803a00e300c0c0a56472d31383137383033300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e672d67312e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e672d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412e637274300c0603551d130101ff04023000300d06092a864886f70d01010505000382010100a8590e5af448e75c68937d3c422d3edf1fe3e34f7cb11190a01bfd96c8c1b9c35a473e310ea84296fba0025a747f6247a3d87f2fdbf4a605897c4664567428eb2587b24cbcbb98e73f297bb94470e9d9332d490c5991be31835da48d9d0ff75d15107a81e1779acfc716f41d502c75527e0f2014e8af38de3f051fe2dc0e0dc0582d0f85c87d489e5608fa62044ea83503931b7016675d90f1f56e161d2ec066cd3147239c120eea6b1386f254a4d83d83f4d907652a1e9b3d36d88d21b9af7e5db8bf412e333b503d23b23144b0b0c219435182674e9d503984f820d374707031daed98ed8c44b9d540ab8cd94cab9991d72c5e6518db258236dc44eacb5305	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4D56E7AC803733AEB63F6B8217F4BE35DFE6C42E\Blob = 0300000001000000140000004d56e7ac803733aeb63f6b8217f4be35dfe6c42e20000000010000007c0500003082057830820460a0030201020210019549f3e9c1fd841c29b1f2c2bdd013300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b446967694365727420455620436f6465205369676e696e67204341301e170d3138303230313030303030305a170d3139303132343132303030305a3081ab31133011060b2b0601040182373c02010313025647311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e3110300e0603550405130731383137383033310b30090603550406130256473112301006035504071309526f616420546f776e3120301e060355040a131749726f6e20456e7465727461696e6d656e7420496e632e3120301e0603550403131749726f6e20456e7465727461696e6d656e7420496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a69529c8ded2a23c241b5d3223350310da8bc4c1e27e4f38de191a07c5c3e54105693aa3ecda48b1a6be745a22f6d2617e99ee326e2ee0aff2d2fb01d02a3c2aa03b0a9048d0ada52e6bce2dff81d755729ac88e1818c2665fd9007e9036b0b44a29cbfe4717c0fbbf4370768fe22f37c8be5367db93801592886db3031f7e6a67a36187480957700863fd585152c1b47c4ee0a425533fb659f96b3c826e2a3b43d83e182d06d1eaded7f282b4b375b66ec18ad6e2c2612075644ae549112d938f62647c8904720c810976bf982fb27d0b32674f36945d4515f357616429bfba6975b141c22b59ab705d063aecd315a67fd29ddef8ee550acee03e4ab3b256ff0203010001a38201db308201d7301f0603551d23041830168014ad690670fc801b16b3a918946b9402865ef7278c301d0603551d0e04160414ecafaebf1f8d1389e1c8a95226a9938391dcf69130250603551d11041e301ca01a06082b06010505070803a00e300c0c0a56472d31383137383033300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e672d67312e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e672d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412e637274300c0603551d130101ff04023000300d06092a864886f70d01010505000382010100a8590e5af448e75c68937d3c422d3edf1fe3e34f7cb11190a01bfd96c8c1b9c35a473e310ea84296fba0025a747f6247a3d87f2fdbf4a605897c4664567428eb2587b24cbcbb98e73f297bb94470e9d9332d490c5991be31835da48d9d0ff75d15107a81e1779acfc716f41d502c75527e0f2014e8af38de3f051fe2dc0e0dc0582d0f85c87d489e5608fa62044ea83503931b7016675d90f1f56e161d2ec066cd3147239c120eea6b1386f254a4d83d83f4d907652a1e9b3d36d88d21b9af7e5db8bf412e333b503d23b23144b0b0c219435182674e9d503984f820d374707031daed98ed8c44b9d540ab8cd94cab9991d72c5e6518db258236dc44eacb5305	rundll32.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 12 IoCs

pid	Process
1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
1476	sysinfo-app.exe
1876	MobiHelper.exe
2324	subinacl.exe
2972	aeg_launcher.exe
2980	subinacl.exe
2796	MobiVBoxSVC.exe
2544	SUPInstall.exe
2484	MobiVBoxSVC.exe
1636	NetLwfUninstall.exe
1964	USBUninstall.exe
2736	SUPUninstall.exe

Loads dropped DLL 64 IoCs

pid	Process
1876	cmd.exe
744	MsiExec.exe
2964	rundll32.exe
744	MsiExec.exe
2392	rundll32.exe
744	MsiExec.exe
976	rundll32.exe
744	MsiExec.exe
2204	MsiExec.exe
2204	MsiExec.exe
744	MsiExec.exe
2064	MsiExec.exe
1620	rundll32.exe
2064	MsiExec.exe
1684	rundll32.exe
2064	MsiExec.exe
2972	rundll32.exe
2972	rundll32.exe
2972	rundll32.exe
2064	MsiExec.exe
1996	rundll32.exe
2064	MsiExec.exe
2980	rundll32.exe
2064	MsiExec.exe
912	rundll32.exe
1252	Process not Found
2064	MsiExec.exe
2308	rundll32.exe
2064	MsiExec.exe
2744	rundll32.exe
2064	MsiExec.exe
568	rundll32.exe
568	rundll32.exe
568	rundll32.exe
2064	MsiExec.exe
1844	rundll32.exe
2216	MsiExec.exe
2064	MsiExec.exe
2224	rundll32.exe
2064	MsiExec.exe
2064	MsiExec.exe
3040	rundll32.exe
2968	regsvr32.exe
2968	regsvr32.exe
2968	regsvr32.exe
2968	regsvr32.exe
2932	regsvr32.exe
2932	regsvr32.exe
2932	regsvr32.exe
2932	regsvr32.exe
2360	cmd.exe
2360	cmd.exe
2796	MobiVBoxSVC.exe
2796	MobiVBoxSVC.exe
2796	MobiVBoxSVC.exe
2796	MobiVBoxSVC.exe
2904	regsvr32.exe
2904	regsvr32.exe
2904	regsvr32.exe
2904	regsvr32.exe
2648	regsvr32.exe
2648	regsvr32.exe
2648	regsvr32.exe
2648	regsvr32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\Q:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\S:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\U:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\Y:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\V:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\E:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\R:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\X:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\Z:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\G:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\I:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\J:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\K:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\L:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\O:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\P:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\T:	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\MobiGame\playstore\chromely.ico	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\dist\static\media\fa-brands-400.70150a2b3a50f84aff70.ttf	msiexec.exe
File created	C:\Program Files\MobiGame\player\iconengines\qsvgicon.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\snapshot_blob.bin	msiexec.exe
File created	C:\Program Files\MobiGame\player\VBoxNetFltM.inf	msiexec.exe
File created	C:\Program Files\MobiGame\player\MobiVBoxDDR0.sys	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\locales\fa.pak	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.Runtime.dll	msiexec.exe
File created	C:\Program Files\MobiGame\player\VBoxInstallHelper.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.Text.Encoding.CodePages.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.Xml.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\api-ms-win-core-handle-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files\MobiGame\ServiceStack.Text.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.Collections.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.Diagnostics.Debug.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.Linq.Expressions.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.Web.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\api-ms-win-core-console-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\api-ms-win-core-profile-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\createdump.exe	msiexec.exe
File created	C:\Program Files\MobiGame\MobiGameUpdater.exe.config	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\Playstore.Services.pdb	msiexec.exe
File created	C:\Program Files\MobiGame\player\imageformats\qgif.dll	msiexec.exe
File created	C:\Program Files\MobiGame\player\VBoxNetNAT.exe	msiexec.exe
File created	C:\Program Files\MobiGame\player\VBoxUSBMon.cat	msiexec.exe
File created	C:\Program Files\MobiGame\player\DbgPlugInDiggers.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\dist\static\media\fa-brands-400.dd7467859e54d3b9dae6.woff2	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\Microsoft.Extensions.DependencyInjection.Abstractions.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\NetCoreEx.Geometry.dll	msiexec.exe
File created	C:\Program Files\MobiGame\player\styles\qwindowsvistastyle.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.Linq.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\WindowsBase.dll	msiexec.exe
File created	C:\Program Files\MobiGame\hpfalmf2.newcfg	rundll32.exe
File created	C:\Program Files\MobiGame\player\api-ms-win-crt-math-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.Formats.Asn1.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\locales\te.pak	msiexec.exe
File created	C:\Program Files\MobiGame\player\api-ms-win-crt-utility-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\MobiGame\player\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Program Files\MobiGame\player\certificate\mytestcert.cer	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\Playstore.pdb	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.Web.HttpUtility.dll	msiexec.exe
File created	C:\Program Files\MobiGame\player\api-ms-win-core-debug-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\Microsoft.Extensions.FileProviders.Abstractions.dll	msiexec.exe
File created	C:\Program Files\MobiGame\player\MobiVBoxDDR0.r0	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\ServiceStack.Interfaces.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.ComponentModel.Primitives.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.Runtime.Handles.dll	msiexec.exe
File created	C:\Program Files\MobiGame\player\concrt140.dll	msiexec.exe
File created	C:\Program Files\MobiGame\player\mobiplayer.exe	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.IO.Compression.ZipFile.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.Runtime.CompilerServices.Unsafe.dll	msiexec.exe
File created	C:\Program Files\MobiGame\player\drivers\VBoxUSBMon\VBoxUSBMon.inf	msiexec.exe
File created	C:\Program Files\MobiGame\android\initrd.img	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\dbgshim.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\dist\static\css\main.b1aa466a.css	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.Diagnostics.StackTrace.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\System.Private.Xml.Linq.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\vk_swiftshader_icd.json	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\api-ms-win-core-memory-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\dist\static\media\bg-gamepage.3ef18d0f641cbd8c22b3.jpg	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\Chromely.Core.pdb	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\dist\static\media\fa-brands-400.cac133c03011645ba509.woff	msiexec.exe
File created	C:\Program Files\MobiGame\playstore\dist\static\media\fa-regular-400.6810be1da91e3f344935.eot	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIAD36.tmp-\VirtualBoxSetup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF34D.tmp-\VirtualBoxSetup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF6F9.tmp-\VirtualBoxSetup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFBDB.tmp-\WixSharp.UI.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFCC7.tmp-\VirtualBoxSetup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI13.tmp	msiexec.exe
File created	C:\Windows\INF\oem0.PNF	NetLwfUninstall.exe
File opened for modification	C:\Windows\Installer\MSIA3BD.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA61E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE307.tmp-\VirtualBoxSetup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF543.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\f7b91b8.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1D8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF34D.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF4A6.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF543.tmp-\VirtualBoxSetup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFBDB.tmp-\VirtualBoxSetup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFCC7.tmp-\VirtualBoxSetup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI13.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAE5F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFBDB.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\{0CD5AE2D-BB58-4E35-8B5C-AFE9A9189E1A}\app_icon.ico	msiexec.exe
File created	C:\Windows\INF\oem1.PNF	NetLwfUninstall.exe
File opened for modification	C:\Windows\Installer\MSI1D64.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF34D.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA3BD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA777.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF34D.tmp-\VirtualBoxSetup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF4A6.tmp-\VirtualBoxSetup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA0ED.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF6F9.tmp-\InstallUtil.InstallLog	InstallUtil.exe
File opened for modification	C:\Windows\Installer\MSIFCC7.tmp-\WixSharp.UI.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI1D75.tmp-\VirtualBoxSetup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI1D75.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA3BD.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF3CB.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFBDB.tmp-\VirtualBoxSetup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF34D.tmp-\WixSharp.UI.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA3BD.tmp-\WixSharp.UI.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAD36.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF543.tmp-\VirtualBoxSetup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA0ED.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI1D75.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\f7b91b5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD36.tmp-\WixSharp.UI.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFCC7.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA3BD.tmp-\VirtualBoxSetup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF6F9.tmp-\WixSharp.UI.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF9C7.tmp-\VirtualBoxSetup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFCC7.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF3CB.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA1D8.tmp-\WixSharp.UI.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF6F9.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA1D8.tmp-\VirtualBoxSetup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA728.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAAA4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE5F.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF4A6.tmp-\VirtualBoxSetup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF543.tmp-\WixSharp.UI.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF6F9.tmp-\VirtualBoxSetup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF6F9.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA0ED.tmp-\VirtualBoxSetup.exe	rundll32.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1660	sc.exe
2124	sc.exe
3000	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subinacl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subinacl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe

Modifies data under HKEY_USERS 61 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	InstallUtil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E74B8BC01BC843C34D710E29DE0411564BADC2F2\Blob = 030000000100000014000000e74b8bc01bc843c34d710e29de0411564badc2f22000000001000000900500003082058c30820474a00302010202100d7b87bf9200d82906f619b5ee6c603f300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3137303731343030303030305a170d3138303731383132303030305a3081ab31133011060b2b0601040182373c02010313025647311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e3110300e0603550405130731383137383033310b30090603550406130256473112301006035504071309526f616420546f776e3120301e060355040a131749726f6e20456e7465727461696e6d656e7420496e632e3120301e0603550403131749726f6e20456e7465727461696e6d656e7420496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100adccd719ce3b4f84d425e2b3dbbf3273f8367a02e55980fb8b12d0ec202c5bbc0d40ed46059f647e65139a82317acf7f6c441043d6143f8e23097502d3c6ea25255b91fd27949261f4eac63539b1435624791be516dbf3e5d5803fd396a07c238e7c3a7e7be480b8f1e36a08d4fb7ff1ef640c7a6f00904dd3fb5f96ef5f4e7e47baeeed47bdf254fee13bf4a4e72ce5eb7451ae0cf675ad9d19dfed29621f3cc64b3bcdd7dca22b601c39ea6039603128748b1ab4acd40d3d4f53a41a862687424a55e2a56ede2909a81b695cdc2f6e16dc54864eab896765a75d10c0d156156029c91ac22daa455c8d1b853d4a330fce0de6c83b9ad632646509889134d6930203010001a38201e8308201e4301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149709754f51dc8fa3bf2e4540e443dc015d8816ca30250603551d11041e301ca01a06082b06010505070803a00e300c0c0a56472d31383137383033300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101002f9a80a913a1d71b909c639c165ca1603d5ce7fdac7b50a4eb5d18d334d2f9d35cda3aea2e9239994a6910e122d312ad9211aebc525b54d6b480bdc1c969ff237aae64718cc06ddc194bfd735794d9d889019c1903ef81fbb1eb993aae57ef2dd9665b8a4e8265e15da21281a6526dee2c183e84c696f40a9072df9bfe5c878f3fbbc6826c780a136b05d4f97aa21c671e0a0b58f36be031a532979fbb57879b7772c50cb394ce0ea1e6688936168621ce55f9c83a7589a501d67cdd75616748aa6524f0c0867971b56b73f1e5beb3f6e4341dc6d7f4acac6f0438317b0e6d3c35116f7d9c3a2d401ff79579d791621a3500525bf068199d2ecb0c77040a9d28	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	InstallUtil.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	InstallUtil.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	InstallUtil.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4D56E7AC803733AEB63F6B8217F4BE35DFE6C42E\Blob = 0300000001000000140000004d56e7ac803733aeb63f6b8217f4be35dfe6c42e20000000010000007c0500003082057830820460a0030201020210019549f3e9c1fd841c29b1f2c2bdd013300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b446967694365727420455620436f6465205369676e696e67204341301e170d3138303230313030303030305a170d3139303132343132303030305a3081ab31133011060b2b0601040182373c02010313025647311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e3110300e0603550405130731383137383033310b30090603550406130256473112301006035504071309526f616420546f776e3120301e060355040a131749726f6e20456e7465727461696e6d656e7420496e632e3120301e0603550403131749726f6e20456e7465727461696e6d656e7420496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a69529c8ded2a23c241b5d3223350310da8bc4c1e27e4f38de191a07c5c3e54105693aa3ecda48b1a6be745a22f6d2617e99ee326e2ee0aff2d2fb01d02a3c2aa03b0a9048d0ada52e6bce2dff81d755729ac88e1818c2665fd9007e9036b0b44a29cbfe4717c0fbbf4370768fe22f37c8be5367db93801592886db3031f7e6a67a36187480957700863fd585152c1b47c4ee0a425533fb659f96b3c826e2a3b43d83e182d06d1eaded7f282b4b375b66ec18ad6e2c2612075644ae549112d938f62647c8904720c810976bf982fb27d0b32674f36945d4515f357616429bfba6975b141c22b59ab705d063aecd315a67fd29ddef8ee550acee03e4ab3b256ff0203010001a38201db308201d7301f0603551d23041830168014ad690670fc801b16b3a918946b9402865ef7278c301d0603551d0e04160414ecafaebf1f8d1389e1c8a95226a9938391dcf69130250603551d11041e301ca01a06082b06010505070803a00e300c0c0a56472d31383137383033300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e672d67312e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e672d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412e637274300c0603551d130101ff04023000300d06092a864886f70d01010505000382010100a8590e5af448e75c68937d3c422d3edf1fe3e34f7cb11190a01bfd96c8c1b9c35a473e310ea84296fba0025a747f6247a3d87f2fdbf4a605897c4664567428eb2587b24cbcbb98e73f297bb94470e9d9332d490c5991be31835da48d9d0ff75d15107a81e1779acfc716f41d502c75527e0f2014e8af38de3f051fe2dc0e0dc0582d0f85c87d489e5608fa62044ea83503931b7016675d90f1f56e161d2ec066cd3147239c120eea6b1386f254a4d83d83f4d907652a1e9b3d36d88d21b9af7e5db8bf412e333b503d23b23144b0b0c219435182674e9d503984f820d374707031daed98ed8c44b9d540ab8cd94cab9991d72c5e6518db258236dc44eacb5305	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	InstallUtil.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000009042027e85ebda01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4D56E7AC803733AEB63F6B8217F4BE35DFE6C42E	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E74B8BC01BC843C34D710E29DE0411564BADC2F2	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	InstallUtil.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3FF3596-F6C2-11E7-AEB4-080027376349}\TypeLib\Version = "1.3"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5BCB534-F6C2-11E7-AEB4-080027376349}\TypeLib\Version = "1.3"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient.1\ = "VirtualBoxClient Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5A2AFB8-F6C2-11E7-AEB4-080027376349}\TypeLib\ = "{C39F7A20-F6C2-11E7-AEB4-080027376349}"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5CF9104-F6C2-11E7-AEB4-080027376349}\TypeLib\Version = "1.3"	MobiVBoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox.1\CLSID	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4D0F3A6-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MobiVBoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5BFE86C-F6C2-11E7-AEB4-080027376349}	MobiVBoxSVC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C56D9116-F6C2-11E7-AEB4-080027376349}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5599134-F6C2-11E7-AEB4-080027376349}\ = "IUSBController"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D8D076-F6C2-11E7-AEB4-080027376349}\TypeLib\Version = "1.3"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C59E6D04-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MobiVBoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5B9A02E-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	MobiVBoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5E1BAB4-F6C2-11E7-AEB4-080027376349}	MobiVBoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5C3C7B6-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5C73536-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5C95500-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5C4FDE8-F6C2-11E7-AEB4-080027376349}\TypeLib\ = "{C39F7A20-F6C2-11E7-AEB4-080027376349}"	MobiVBoxSVC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5DFA648-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5E161CC-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4D91CF2-F6C2-11E7-AEB4-080027376349}\TypeLib	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5C4A118-F6C2-11E7-AEB4-080027376349}\TypeLib\Version = "1.3"	MobiVBoxSVC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3F3D0A2-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5BF22C4-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5CCCB86-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5D5C880-F6C2-11E7-AEB4-080027376349}\TypeLib\Version = "1.3"	MobiVBoxSVC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5D786C0-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5E0873E-F6C2-11E7-AEB4-080027376349}	MobiVBoxSVC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5BF22C4-F6C2-11E7-AEB4-080027376349}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5BD4C42-F6C2-11E7-AEB4-080027376349}\ = "IMousePointerShapeChangedEvent"	MobiVBoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5C9C79C-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5CE4AE2-F6C2-11E7-AEB4-080027376349}\ = "IGuestFileIOEvent"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient.1\CLSID\ = "{c5e220c6-f6c2-11e7-aeb4-080027376349}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5E04D78-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4AE1BB0-F6C2-11E7-AEB4-080027376349}\TypeLib\ = "{C39F7A20-F6C2-11E7-AEB4-080027376349}"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3ED31D4-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5C9C79C-F6C2-11E7-AEB4-080027376349}\TypeLib\ = "{C39F7A20-F6C2-11E7-AEB4-080027376349}"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4DBDB18-F6C2-11E7-AEB4-080027376349}\ = "IGuestFsObjInfo"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5C29828-F6C2-11E7-AEB4-080027376349}\TypeLib\ = "{C39F7A20-F6C2-11E7-AEB4-080027376349}"	MobiVBoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox.1	MobiVBoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C51D5AC0-F6C2-11E7-AEB4-080027376349}	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C54846AE-F6C2-11E7-AEB4-080027376349}\TypeLib\ = "{C39F7A20-F6C2-11E7-AEB4-080027376349}"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session.1\ = "Session Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C585CBDC-F6C2-11E7-AEB4-080027376349}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5BAE132-F6C2-11E7-AEB4-080027376349}\TypeLib	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5C1B6A6-F6C2-11E7-AEB4-080027376349}\TypeLib\Version = "1.3"	MobiVBoxSVC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C59CDC78-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5B83126-F6C2-11E7-AEB4-080027376349}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4E451BC-F6C2-11E7-AEB4-080027376349}\TypeLib\ = "{C39F7A20-F6C2-11E7-AEB4-080027376349}"	MobiVBoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C46D71A0-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	MobiVBoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C459344C-F6C2-11E7-AEB4-080027376349}\TypeLib	MobiVBoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5B4268A-F6C2-11E7-AEB4-080027376349}\TypeLib	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3FE2822-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MobiVBoxSVC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C402BA68-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5D2BFFA-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4D91CF2-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MobiVBoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5E0FE1C-F6C2-11E7-AEB4-080027376349}\TypeLib\Version = "1.3"	MobiVBoxSVC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C521C2EA-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C488A272-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5DC7BBC-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	MobiVBoxSVC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C52E62A2-F6C2-11E7-AEB4-080027376349}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5D0CC36-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4E451BC-F6C2-11E7-AEB4-080027376349}\TypeLib	MobiVBoxSVC.exe

Modifies system certificate store 2 TTPs 22 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4D56E7AC803733AEB63F6B8217F4BE35DFE6C42E	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E74B8BC01BC843C34D710E29DE0411564BADC2F2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E74B8BC01BC843C34D710E29DE0411564BADC2F2\Blob = 030000000100000014000000e74b8bc01bc843c34d710e29de0411564badc2f22000000001000000900500003082058c30820474a00302010202100d7b87bf9200d82906f619b5ee6c603f300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3137303731343030303030305a170d3138303731383132303030305a3081ab31133011060b2b0601040182373c02010313025647311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e3110300e0603550405130731383137383033310b30090603550406130256473112301006035504071309526f616420546f776e3120301e060355040a131749726f6e20456e7465727461696e6d656e7420496e632e3120301e0603550403131749726f6e20456e7465727461696e6d656e7420496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100adccd719ce3b4f84d425e2b3dbbf3273f8367a02e55980fb8b12d0ec202c5bbc0d40ed46059f647e65139a82317acf7f6c441043d6143f8e23097502d3c6ea25255b91fd27949261f4eac63539b1435624791be516dbf3e5d5803fd396a07c238e7c3a7e7be480b8f1e36a08d4fb7ff1ef640c7a6f00904dd3fb5f96ef5f4e7e47baeeed47bdf254fee13bf4a4e72ce5eb7451ae0cf675ad9d19dfed29621f3cc64b3bcdd7dca22b601c39ea6039603128748b1ab4acd40d3d4f53a41a862687424a55e2a56ede2909a81b695cdc2f6e16dc54864eab896765a75d10c0d156156029c91ac22daa455c8d1b853d4a330fce0de6c83b9ad632646509889134d6930203010001a38201e8308201e4301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149709754f51dc8fa3bf2e4540e443dc015d8816ca30250603551d11041e301ca01a06082b06010505070803a00e300c0c0a56472d31383137383033300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101002f9a80a913a1d71b909c639c165ca1603d5ce7fdac7b50a4eb5d18d334d2f9d35cda3aea2e9239994a6910e122d312ad9211aebc525b54d6b480bdc1c969ff237aae64718cc06ddc194bfd735794d9d889019c1903ef81fbb1eb993aae57ef2dd9665b8a4e8265e15da21281a6526dee2c183e84c696f40a9072df9bfe5c878f3fbbc6826c780a136b05d4f97aa21c671e0a0b58f36be031a532979fbb57879b7772c50cb394ce0ea1e6688936168621ce55f9c83a7589a501d67cdd75616748aa6524f0c0867971b56b73f1e5beb3f6e4341dc6d7f4acac6f0438317b0e6d3c35116f7d9c3a2d401ff79579d791621a3500525bf068199d2ecb0c77040a9d28	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4D56E7AC803733AEB63F6B8217F4BE35DFE6C42E\Blob = 0300000001000000140000004d56e7ac803733aeb63f6b8217f4be35dfe6c42e20000000010000007c0500003082057830820460a0030201020210019549f3e9c1fd841c29b1f2c2bdd013300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b446967694365727420455620436f6465205369676e696e67204341301e170d3138303230313030303030305a170d3139303132343132303030305a3081ab31133011060b2b0601040182373c02010313025647311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e3110300e0603550405130731383137383033310b30090603550406130256473112301006035504071309526f616420546f776e3120301e060355040a131749726f6e20456e7465727461696e6d656e7420496e632e3120301e0603550403131749726f6e20456e7465727461696e6d656e7420496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a69529c8ded2a23c241b5d3223350310da8bc4c1e27e4f38de191a07c5c3e54105693aa3ecda48b1a6be745a22f6d2617e99ee326e2ee0aff2d2fb01d02a3c2aa03b0a9048d0ada52e6bce2dff81d755729ac88e1818c2665fd9007e9036b0b44a29cbfe4717c0fbbf4370768fe22f37c8be5367db93801592886db3031f7e6a67a36187480957700863fd585152c1b47c4ee0a425533fb659f96b3c826e2a3b43d83e182d06d1eaded7f282b4b375b66ec18ad6e2c2612075644ae549112d938f62647c8904720c810976bf982fb27d0b32674f36945d4515f357616429bfba6975b141c22b59ab705d063aecd315a67fd29ddef8ee550acee03e4ab3b256ff0203010001a38201db308201d7301f0603551d23041830168014ad690670fc801b16b3a918946b9402865ef7278c301d0603551d0e04160414ecafaebf1f8d1389e1c8a95226a9938391dcf69130250603551d11041e301ca01a06082b06010505070803a00e300c0c0a56472d31383137383033300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e672d67312e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e672d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412e637274300c0603551d130101ff04023000300d06092a864886f70d01010505000382010100a8590e5af448e75c68937d3c422d3edf1fe3e34f7cb11190a01bfd96c8c1b9c35a473e310ea84296fba0025a747f6247a3d87f2fdbf4a605897c4664567428eb2587b24cbcbb98e73f297bb94470e9d9332d490c5991be31835da48d9d0ff75d15107a81e1779acfc716f41d502c75527e0f2014e8af38de3f051fe2dc0e0dc0582d0f85c87d489e5608fa62044ea83503931b7016675d90f1f56e161d2ec066cd3147239c120eea6b1386f254a4d83d83f4d907652a1e9b3d36d88d21b9af7e5db8bf412e333b503d23b23144b0b0c219435182674e9d503984f820d374707031daed98ed8c44b9d540ab8cd94cab9991d72c5e6518db258236dc44eacb5305	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs

pid	Process
2968	regsvr32.exe
2932	regsvr32.exe
2904	regsvr32.exe
2648	regsvr32.exe
1588	regsvr32.exe
1616	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
2420	powershell.exe
2392	rundll32.exe
2392	rundll32.exe
2392	rundll32.exe
2392	rundll32.exe
2392	rundll32.exe
2392	rundll32.exe
1648	msiexec.exe
1648	msiexec.exe
1620	rundll32.exe
1620	rundll32.exe
1620	rundll32.exe
1620	rundll32.exe
1620	rundll32.exe
1620	rundll32.exe
1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1876	MobiHelper.exe
Token: SeRestorePrivilege	1648	msiexec.exe
Token: SeTakeOwnershipPrivilege	1648	msiexec.exe
Token: SeSecurityPrivilege	1648	msiexec.exe
Token: SeCreateTokenPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeAssignPrimaryTokenPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeLockMemoryPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeIncreaseQuotaPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeMachineAccountPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeTcbPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeSecurityPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeTakeOwnershipPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeLoadDriverPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeSystemProfilePrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeSystemtimePrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeProfSingleProcessPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeIncBasePriorityPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeCreatePagefilePrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeCreatePermanentPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeBackupPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeRestorePrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeShutdownPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeDebugPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeAuditPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeSystemEnvironmentPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeChangeNotifyPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeRemoteShutdownPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeUndockPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeSyncAgentPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeEnableDelegationPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeManageVolumePrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeImpersonatePrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeCreateGlobalPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeShutdownPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeIncreaseQuotaPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeCreateTokenPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeAssignPrimaryTokenPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeLockMemoryPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeIncreaseQuotaPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeMachineAccountPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeTcbPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeSecurityPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeTakeOwnershipPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeLoadDriverPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeSystemProfilePrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeSystemtimePrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeProfSingleProcessPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeIncBasePriorityPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeCreatePagefilePrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeCreatePermanentPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeBackupPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeRestorePrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeShutdownPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeDebugPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeAuditPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeSystemEnvironmentPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeChangeNotifyPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeRemoteShutdownPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeUndockPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeSyncAgentPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeEnableDelegationPrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
Token: SeManageVolumePrivilege	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1856	2668	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	30
PID 2668 wrote to memory of 1856	2668	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	30
PID 2668 wrote to memory of 1856	2668	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	30
PID 1856 wrote to memory of 1876	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	32
PID 1856 wrote to memory of 1876	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	32
PID 1856 wrote to memory of 1876	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	32
PID 1876 wrote to memory of 1476	1876	cmd.exe	34
PID 1876 wrote to memory of 1476	1876	cmd.exe	34
PID 1876 wrote to memory of 1476	1876	cmd.exe	34
PID 1856 wrote to memory of 2420	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	38
PID 1856 wrote to memory of 2420	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	38
PID 1856 wrote to memory of 2420	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	38
PID 1856 wrote to memory of 1876	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	40
PID 1856 wrote to memory of 1876	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	40
PID 1856 wrote to memory of 1876	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	40
PID 1876 wrote to memory of 2536	1876	MobiHelper.exe	42
PID 1876 wrote to memory of 2536	1876	MobiHelper.exe	42
PID 1876 wrote to memory of 2536	1876	MobiHelper.exe	42
PID 1856 wrote to memory of 1596	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	44
PID 1856 wrote to memory of 1596	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	44
PID 1856 wrote to memory of 1596	1856	Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe	44
PID 1648 wrote to memory of 744	1648	msiexec.exe	48
PID 1648 wrote to memory of 744	1648	msiexec.exe	48
PID 1648 wrote to memory of 744	1648	msiexec.exe	48
PID 1648 wrote to memory of 744	1648	msiexec.exe	48
PID 1648 wrote to memory of 744	1648	msiexec.exe	48
PID 744 wrote to memory of 2964	744	MsiExec.exe	49
PID 744 wrote to memory of 2964	744	MsiExec.exe	49
PID 744 wrote to memory of 2964	744	MsiExec.exe	49
PID 744 wrote to memory of 2392	744	MsiExec.exe	50
PID 744 wrote to memory of 2392	744	MsiExec.exe	50
PID 744 wrote to memory of 2392	744	MsiExec.exe	50
PID 2392 wrote to memory of 2220	2392	rundll32.exe	51
PID 2392 wrote to memory of 2220	2392	rundll32.exe	51
PID 2392 wrote to memory of 2220	2392	rundll32.exe	51
PID 744 wrote to memory of 976	744	MsiExec.exe	53
PID 744 wrote to memory of 976	744	MsiExec.exe	53
PID 744 wrote to memory of 976	744	MsiExec.exe	53
PID 1648 wrote to memory of 2204	1648	msiexec.exe	54
PID 1648 wrote to memory of 2204	1648	msiexec.exe	54
PID 1648 wrote to memory of 2204	1648	msiexec.exe	54
PID 1648 wrote to memory of 2204	1648	msiexec.exe	54
PID 1648 wrote to memory of 2204	1648	msiexec.exe	54
PID 1648 wrote to memory of 2204	1648	msiexec.exe	54
PID 1648 wrote to memory of 2204	1648	msiexec.exe	54
PID 1648 wrote to memory of 2064	1648	msiexec.exe	55
PID 1648 wrote to memory of 2064	1648	msiexec.exe	55
PID 1648 wrote to memory of 2064	1648	msiexec.exe	55
PID 1648 wrote to memory of 2064	1648	msiexec.exe	55
PID 1648 wrote to memory of 2064	1648	msiexec.exe	55
PID 2064 wrote to memory of 1620	2064	MsiExec.exe	56
PID 2064 wrote to memory of 1620	2064	MsiExec.exe	56
PID 2064 wrote to memory of 1620	2064	MsiExec.exe	56
PID 2064 wrote to memory of 1684	2064	MsiExec.exe	57
PID 2064 wrote to memory of 1684	2064	MsiExec.exe	57
PID 2064 wrote to memory of 1684	2064	MsiExec.exe	57
PID 2064 wrote to memory of 2972	2064	MsiExec.exe	58
PID 2064 wrote to memory of 2972	2064	MsiExec.exe	58
PID 2064 wrote to memory of 2972	2064	MsiExec.exe	58
PID 2064 wrote to memory of 1996	2064	MsiExec.exe	59
PID 2064 wrote to memory of 1996	2064	MsiExec.exe	59
PID 2064 wrote to memory of 1996	2064	MsiExec.exe	59
PID 2064 wrote to memory of 2980	2064	MsiExec.exe	60
PID 2064 wrote to memory of 2980	2064	MsiExec.exe	60

C:\Users\Admin\AppData\Local\Temp\Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
"C:\Users\Admin\AppData\Local\Temp\Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe
  "C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe" /app "C:\Users\Admin\AppData\Local\MobiGame\\"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\utils\sysinfo-app.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\utils\sysinfo-app.exe
      C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\utils\sysinfo-app.exe
      4⤵
      Executes dropped EXE
      PID:1476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" (Get-CimInstance Win32_OptionalFeature | Where-Object {('HypervisorPlatform','VirtualMachinePlatform','Microsoft-Hyper-V-All','Microsoft-Hyper-V-Hypervisor','Microsoft-Hyper-V-Services') -like $_.Name}).InstallState
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\MobiHelper.exe
    "MobiHelper.exe" --install-path="C:\Program Files\MobiGame" --desktop-path="C:\Users\Admin\Desktop" --local-app-data-path="C:\Users\Admin\AppData\Local\MobiGame" --parent="C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe" --playstore-json-file-path="C:\Users\Admin\AppData\Local\MobiGame\playstore.json" --google-analytics-id="28138855" --create-playstore-shortcut --api-url="https://gamestore30.emu.codes" --source="gameslolc"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\system32\ie4uinit.exe
      "C:\Windows\system32\ie4uinit.exe" -ClearIconCache
      4⤵
      PID:2536
- - C:\Windows\system32\ie4uinit.exe
    "C:\Windows\system32\ie4uinit.exe" -ClearIconCache
    3⤵
    PID:1596

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1028

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1904

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding A5246EA4C4499F74FC5232461BF5C1C7
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIA0ED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259760400 1 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2964
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIA1D8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259760587 10 WixSharp!WixSharp.ManagedProjectActions.WixSharp_Load_Action
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c set
      4⤵
      PID:2220
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIA3BD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259761164 31 VirtualBoxSetup!VirtualBoxSetup.CustomActions.SetSessionPropertiesFromConfig
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:976
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1CC05EB6D9F15F279651C263292E61CF
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2204
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 15C000A1711881D68776560EF8918753 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIAD36.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259763536 82 VirtualBoxSetup!VirtualBoxSetup.CustomActions.CloseProcessesAndUsedFiles
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1620
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIAE5F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259763926 89 VirtualBoxSetup!VirtualBoxSetup.CustomActions.DeletePlayStoreAutorun
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1684
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIE307.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259777264 93 VirtualBoxSetup!VirtualBoxSetup.CustomActions.CreatePlaystore
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:2972
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIF34D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259781444 118 VirtualBoxSetup!VirtualBoxSetup.CustomActions.CreateRegistryForAegLauncher
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1996
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIF3CB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259781569 122 VirtualBoxSetup!VirtualBoxSetup.CustomActions.InstallCertificate
    3⤵
    - Manipulates Digital Signatures
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    PID:2980
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIF4A6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259781772 126 VirtualBoxSetup!VirtualBoxSetup.CustomActions.SaveSessionPropertiesToConfig
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:912
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIF543.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259781944 136 VirtualBoxSetup!VirtualBoxSetup.CustomActions.SubstitutePath
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2308
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIF6F9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259782365 156 VirtualBoxSetup!VirtualBoxSetup.CustomActions.InstallService
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2744
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" "C:\Program Files\MobiGame\MobiGameUpdater.exe"
      4⤵
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:1740
  - - C:\Windows\system32\sc.exe
      "sc.exe" config MobiGameUpdater start= demand
      4⤵
      Launches sc.exe
      PID:2124
  - - C:\Program Files\MobiGame\utils\subinacl.exe
      "C:\Program Files\MobiGame\utils\subinacl.exe" /service MobiGameUpdater /grant=S-1-5-21-3551809350-4263495960-1443967649-1000=F
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2324
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIF9C7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259783098 169 VirtualBoxSetup!VirtualBoxSetup.CustomActions.InstallAegLauncherService
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:568
  - - C:\Program Files\MobiGame\aeg_launcher.exe
      "C:\Program Files\MobiGame\aeg_launcher.exe" -service=install
      4⤵
      Executes dropped EXE
      PID:2972
  - - C:\Windows\system32\sc.exe
      "sc.exe" config AegLauncher start= auto
      4⤵
      Launches sc.exe
      PID:3000
  - - C:\Program Files\MobiGame\utils\subinacl.exe
      "C:\Program Files\MobiGame\utils\subinacl.exe" /service AegLauncher /grant=S-1-5-21-3551809350-4263495960-1443967649-1000=F
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2980
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIFBDB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259783628 180 VirtualBoxSetup!VirtualBoxSetup.CustomActions.UpdateUninstallData
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1844
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIFCC7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259783862 191 VirtualBoxSetup!VirtualBoxSetup.CustomActions.RegisterCustomProtocol
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2224
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI13.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259784705 200 VirtualBoxSetup!VirtualBoxSetup.CustomActions.InstallVirtualBox
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3040
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c "C:\Program Files\MobiGame\player\register_services.cmd"
      4⤵
      Loads dropped DLL
      PID:2360
    - - C:\Windows\system32\net.exe
        
        NET FILE
        5⤵
        
        PID:1976
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 FILE
        6⤵
        
        PID:1448
    - - C:\Windows\syswow64\regsvr32.exe
        
        C:\Windows\syswow64\regsvr32 /s /u "C:\Program Files\MobiGame\player\x86\VBoxClient-x86.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2968
    - - C:\Windows\system32\regsvr32.exe
        
        C:\Windows\system32\regsvr32 /s /u "C:\Program Files\MobiGame\player\VBoxC.dll"
        5⤵
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2932
    - - C:\Program Files\MobiGame\player\MobiVBoxSVC.exe
        
        "C:\Program Files\MobiGame\player\MobiVBoxSVC.exe" /RegServer
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2796
    - - C:\Windows\system32\regsvr32.exe
        
        C:\Windows\system32\regsvr32 /s "C:\Program Files\MobiGame\player\VBoxC.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2904
    - - C:\Windows\syswow64\regsvr32.exe
        
        C:\Windows\syswow64\regsvr32 /s "C:\Program Files\MobiGame\player\x86\VBoxClient-x86.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2648
    - - C:\Program Files\MobiGame\player\SUPInstall.exe
        
        "C:\Program Files\MobiGame\player\\SUPInstall.exe"
        5⤵
        Executes dropped EXE
        
        PID:2544
    - - C:\Windows\system32\net.exe
        
        NET FILE
        5⤵
        
        PID:672
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 FILE
        6⤵
        
        PID:2232
    - - C:\Windows\syswow64\regsvr32.exe
        
        C:\Windows\syswow64\regsvr32 /s /u "C:\Program Files\MobiGame\player\x86\VBoxClient-x86.dll"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1588
    - - C:\Windows\system32\regsvr32.exe
        
        C:\Windows\system32\regsvr32 /s /u "C:\Program Files\MobiGame\player\VBoxC.dll"
        5⤵
        Modifies registry class
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1616
    - - C:\Program Files\MobiGame\player\MobiVBoxSVC.exe
        
        "C:\Program Files\MobiGame\player\MobiVBoxSVC.exe" /UnregServer
        5⤵
        Executes dropped EXE
        
        PID:2484
    - - C:\Program Files\MobiGame\player\NetLwfUninstall.exe
        
        "C:\Program Files\MobiGame\player\\NetLwfUninstall.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1636
    - - C:\Program Files\MobiGame\player\USBUninstall.exe
        
        "C:\Program Files\MobiGame\player\\USBUninstall.exe"
        5⤵
        Executes dropped EXE
        
        PID:1964
    - - C:\Program Files\MobiGame\player\SUPUninstall.exe
        
        "C:\Program Files\MobiGame\player\\SUPUninstall.exe"
        5⤵
        Executes dropped EXE
        
        PID:2736
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" stop "MobiGameUpdater"
      4⤵
      Launches sc.exe
      PID:1660
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /u "C:\Program Files\MobiGame\MobiGameUpdater.exe"
      4⤵
      Modifies data under HKEY_USERS
      PID:1040
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI1D75.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259792224 216 VirtualBoxSetup!VirtualBoxSetup.CustomActions.RemoveRegistryForAegLauncher
    3⤵
    - Drops file in Windows directory
    PID:1552
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B18527811DC7E60DCEE957AD3950B478 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MobiGame\Communicator.exe.config

Filesize
2KB

MD5
a1542da1b06616171d711cf143c18e93

SHA1
2d661b2def0a3377c238e76af5636e61369d6d61

SHA256
d2b4784ab623981ea29243091bbcd49081dafa30211a00135a32f30b9b83f71b

SHA512
45ff0605a99aaeb35539349386adba60d946971463dadf40c1e7e483530074776eebc093c5f08676cd7b2e4c2b96ab6b804cc85d43b567db94b6193136bfb03b

Download Submit
C:\Program Files\MobiGame\Communicator.exe.config

Filesize
2KB

MD5
a4a318e85df543bb4bee362f061eafaa

SHA1
39b6d13872e5e1dfb5260ae48d6d4b313e16329a

SHA256
3ffebb3ce4d2e01757cbe0495c2919181a129e6f969d9a8a498e8c28912bff99

SHA512
54f949aaf669594cf21fd843e5650d7b96d81f4e57a751e7293d112b76af9b442c6c4369954bb2a92fa5f93d4a9286f238e858973794eb65344e0ce94495cc22

Download Submit
C:\Program Files\MobiGame\MobiGameUpdater.InstallLog

Filesize
660B

MD5
349e0bdb3112341296785ceb24e5af3b

SHA1
5500fdbe799b225d4205ddbeb35f0b5a775bc157

SHA256
d869115f03a7b277ddc93e5683722047f0bca52a897608271513a63edb2e7a05

SHA512
927405cea3bdb77177e8c74c9d488565e54a879fc6e51e538a05e775e25f6d7a4c5e84353e4b46e810c5d87570a41f81c41a2f876e085d9c17887f359cd04f21

Download Submit
C:\Program Files\MobiGame\MobiGameUpdater.InstallLog

Filesize
1KB

MD5
27f6a9de38d3ac5a4fb04fdd6c761ea3

SHA1
43642f7ea086f9ef6f427962cf8eb8399939d1fe

SHA256
f619d54a74addc3619cba5102b2b8709d1f97b4196ae112daa4b3339b1e20c2a

SHA512
ec5198d0080ba3cf7effd73d0de8bef09e0ba86dc71ff3b6e7c71ee69fbf401e7d3f08003dcda7d396606ef72aedd1b682d82eb4798dff58ae45a4671850b680

Download Submit
C:\Program Files\MobiGame\MobiGameUpdater.exe.config

Filesize
4KB

MD5
9157364bda432f8a034964136910cfcc

SHA1
78e273e8319a38635f02808280770f036558d2fc

SHA256
8283250cf944b819c911ec174c13f80096d30623eb2c99a32b56752fb14daf08

SHA512
6148948de8e718a143a852c8a598b3a0c352f497405d75bc0bd23ea63b81d6d2506912e67d4db5ec656da70d222f79d1f76bf28445af80ef1eee45cbc3486a91

Download Submit
C:\Program Files\MobiGame\MobiGameUpdater.exe.config

Filesize
4KB

MD5
7b382dfe91c6ffd6759d75aecdb506d1

SHA1
02775c6c6919175e49acba892c2844cec295f0ae

SHA256
7e63f1ab4a9cf29ffc549cdcc0f2339dfed46a029875b1199c7e5f82e4087e22

SHA512
86a5d55e724a3dcd750040ff5133b0088d4dace90bcd0b297df253f967ee095970cf47846fa9b0d0b7735d966cc232c0ac3ef7aef30b643b3c0bce879e983d7f

Download Submit
C:\Program Files\MobiGame\hpfalmf2.newcfg

Filesize
4KB

MD5
0fb6af0a074f661393a44f6234b807e0

SHA1
11c28ddb51a6dacbc6f150d26a9c184edd4b8021

SHA256
69738c23dc68344935b4fa65591e3170056aa14f91e7fb48f1c846b94ba477a3

SHA512
e2b92cf905cfe4cf692736aff446141ec57c2a6f3d286c08e91a33738e1f99bc8ebded498968a7e97c25f63739464daef3eece0dcc0238d26901db1064f9214d

Download Submit
C:\Program Files\MobiGame\i5b3plgp.newcfg

Filesize
2KB

MD5
9e083eaa17228a0fa77f70921e94d34d

SHA1
481fc382b1cffbca84d5aab4438f48702950cafe

SHA256
7259583e7be390d19192141ffe5ee5dcd8ddca8933ad7b636063749a3e6f6f6f

SHA512
0709a6651aa0a79f334cc6547c49d86b1f9e58543d71aa38daff55c1260fe981299cf240a19c499db45ba203a6b1b6afe3aa0babf8f8b100a7357ac15d0541a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

Filesize
1KB

MD5
e94fb54871208c00df70f708ac47085b

SHA1
4efc31460c619ecae59c1bce2c008036d94c84b8

SHA256
7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

SHA512
2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f39d94c331b7670c0e17b6167db1f217

SHA1
b4f2715b85af31e6a5bb992322cf0fbac8bd4a6d

SHA256
10e45f7d8ea72062e8cbc73d74494d158b84d9b5e495b1e261835b001ef8d318

SHA512
b4eb834376ece63aad5c6bda9bdd6f3feeef7a4dabc2de0c86428869a26050fceb108d1cf7a4fc84caba58323cfe703a91a13328c660ceac04316675d7df0708

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4488511837fb1123fc6b50020089351

SHA1
2483031d7b48a6663e4b7ca5f3997d36830e97ff

SHA256
fa4e5893f8332b71dd1e0d3202b9c4e003b6a6a3487c6d3291746f805b16cbb5

SHA512
72ab1f23246946159421bcf07a04b3a3b7089153bd98a154d5ed48f057749b9ac4a4eadc2758ac9e9a88006e3baa0f8cc11bb939835ffa32f1d303d9f1cc791d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b368fc556f3f6f6cfd9c6c48775dd29

SHA1
60f6618c66535a7e6e8b97667688aee032260bfe

SHA256
b249d572a6ea6661fee71d96f61d6d07ffcab4fc0a6febd87fc8209b237df988

SHA512
b8939cd1dd6d5b72d318065090b8b8fb3eab439e37bc06ad23b466220612c1257e4db71072af1c1ae90775db9c844f30b42959ed69ca22a75f88ae56cc439d8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560

Filesize
264B

MD5
43798956b90a14fd9fdc4f8f5cf1a8c6

SHA1
b10b4809a3f4c7fbfc840eb403483faae7b12033

SHA256
587f73e3d925efc85b5b8981cd7a95d4f1e93d802f58ab39349b1a9cfa411b65

SHA512
ba09c2396495811a5336cb15643a68a80b39a470824ffa1ec7fb86c9004c3f97912fc74489ed31f593866f7b337f02cb0602d5074b30ce3d9a1038ee836e5396

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
fbb964bf379cf9f2bd94458b2764eb52

SHA1
b02ec13f35bbc695692c9f0c13618272c8ce810d

SHA256
242e3d42f9ece598437eb94063dc7dad4dfce2523960556e700e6f948d83cc6f

SHA512
60c7fd4e2dde88ab789c04f092661b6588081d8e11cd58e5464ee68584d3a09c0be89d572995f3728732a50b6fadf9a9e1751ebea083f1da1ad4b30ab0ea1a66

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\hwid.dat

Filesize
32B

MD5
f34402a871a2d99bb1052a7c295e17c2

SHA1
ce32a35085b3a9d588b57f522da38e531424ba4a

SHA256
625379cee1da44204f01fd9dd395a9ed9bed62ecc927a26fc0b9200b5ca96e32

SHA512
0ca0531341f2c75ddc390e081643c21b47ed00b46a9a807505c64aed81cb0be75bbdb456a3ce52a6c69f0f53992ec3064a7c02df67d0ce035c986f8283c4d6d5

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\installid.dat

Filesize
32B

MD5
fffe6254dcd1624a8ac64f676a9a4135

SHA1
275ed1d18f29e0119e76939c7404c16515be99d6

SHA256
ef95e8008bcac290e3c504376ffe172dbdd3475526d4595cb10c4907c154d78e

SHA512
16b31a062e5c65bb235f8ccb4ae295a62e0175b11f75454fbf02540264f3b33e1f94ec097b653f978c344b9bdfcd7238f009d0834c04a6b4f0ddd5aa082be289

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\logs\downloader.log

Filesize
4KB

MD5
498ea11ce6d6d234e1bef97445419f91

SHA1
354e5e844634c2c702c9eea82889651e7d720a0d

SHA256
df2d1213e9b1fc02d73b472400b6308a7bdeed2fb98007ae6af82f34459a9e99

SHA512
a861d9affefb8ed9b7f23691176c551e4e3de5b90689c9090562dc0fc47e95dfeb824500b302e09e87ed39a405e69f2a802cda037e301e33d04cdfeb93abcf96

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\logs\mobihelper.log

Filesize
1KB

MD5
3f1ab95562086de2d7717e33f2d78620

SHA1
ca3aed7fa9e328a3f97d7f3ef025a097fac3ee07

SHA256
45ee5ba22b2306eec3e81868ae4b57f313ef715c37ac9961315a59192b42f357

SHA512
ceb487385d673d0b2fcb0ad3033355b28f3def4727d8ea40ddf253c7bb5af09aa775c842b8907f6014828b709657bc3edcccc0ea91516e823a90d4b964c06e53

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\logs\msi_install_2024.08.11_00-28.log

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\playstore.json

Filesize
537B

MD5
5feca042545b8c85fc30c3cdb6f36b9b

SHA1
53555b4f48d4945b41bf887f3ad7825159654c77

SHA256
e02252206a390428ec0a5ddfdb2ec048593cfb0ed967f4885e54c22224650caf

SHA512
5d734ab9bc5ca72014886715c49739ce42a5ae462ab5a752ce1aa3d7031cc511053459d4d762f8955aafa05c42c1ea5eb688e59aaaf978c3335de7ef00e11c65

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\sourcesettings.json

Filesize
5KB

MD5
e09ca833ccd4a626fd1da2543d5bef68

SHA1
7ae21f74c8b8bf564123d7e61ae11c63c5bc4e01

SHA256
1db566b34afa6dbab3e076f43553e0e04fdbc566542bb7fc52f5342358286991

SHA512
7ed39b694798759fcb6948c277261a4f84937ac439a0743cd6ee107f2377e3cf30d7400ee36fd6520531af5f1d516f5be1616116a4bcd62d2348d837acd03ada

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\userconfig.json

Filesize
153B

MD5
9985778609094662c1bb0ebc122a6472

SHA1
86e890c413152fbcb3fe6a20fef15444d72eacaa

SHA256
fa2d51eac7d2b0835fe578bfb8ce04323635e9678c68d4aeb203d867bf8e9fcc

SHA512
4b8b715a5808d46edd86f6e91b8779c54bba2ac01db67d6b44cb42ad172a92e06f47cab98269c6a403b3a3fbb16490e895ae3fe0f0e092025271d87a778d108b

Download Submit
C:\Users\Admin\AppData\Local\MobiGame\userconfig.json

Filesize
154B

MD5
f97f3970ebf4ccd7ff1adda4825230a3

SHA1
5365cece98aa84a39f482039e731796812335f76

SHA256
e0fc86d63617a38cbbc965ee94fe6b5856b8efff380a556f349c7652930b95fc

SHA512
ceb06133494145c332095fe91ae8290430926a14c7763d67e515683ba402c36d736564f50724a9c2a1dc911460515e506431bed17f63be6fffe87efab54b35da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab37B5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MobiGame_resume\Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe.config

Filesize
3KB

MD5
d073a160fc5ee20c0f8f75c856d9742e

SHA1
d36a0678490d269326ff161b64348028fe8366e9

SHA256
40999a5776ba144cdb363c1a3d100a44f24341c744fe9e6108ebcd8bddd0785f

SHA512
75baac1a19353a7fee4d81ce84ffcaab5dc06c5267065f3dc961c95b7e1fff0e875bba772cfa1a21bab3a576a67b1425a16f641a08c004f5a5389348d69410e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3873.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe

Filesize
1.0MB

MD5
8afdf50f0097e7fc7254c83b2b2bf097

SHA1
771f30d91517ce306e93b548f31bd595139255a8

SHA256
1c96bab3b22b9e52736982b58ff5d75eb22293aa184024ad29c4f722bf1420f3

SHA512
51e70ae50cc46be7670ce73c559ffa11f6cc324a0256b44f394c789b5e7fd78089b934f7a91b06d5ceba55caede217a87296bbdb0ba17e48e59dad8ca33a5e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\Among-Us_com.innersloth.spacemafia_gameslolc_28138855.exe.config

Filesize
3KB

MD5
6517457e21bed85a6e41e8b84942c8dc

SHA1
45451a32d6246265c94660030642137ff0ac4629

SHA256
3148b743bb5599ee95ff171d8ed7f66c48979d5993a328f9e9291c1443e0fd28

SHA512
e694240d22e240f3b4ba78a2d0e38b353ce1f5ea348d46e688cb60166cdd91083b5069d1cbc79f94cfbf322edbdeee3511eb9360c2a08c3002d1ca28175451a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\Microsoft.Deployment.WindowsInstaller.dll

Filesize
182KB

MD5
82eb1ccf28f3af897c2db27282b41156

SHA1
9f945d8b18ff0fbb5f013efe5e2ff33aef136104

SHA256
ced6cab3c04c08ce5705af0b6986965dbdbfda17cbd66c973bb371ed3b95f37a

SHA512
9458fabeae4dabf8109b9736496a01d9168312faec1c17d6eed89e8f09cbb8287d74ff758948cf07838720c11005e87a734e920be4ead275354f46a0a6176f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\MobiHelper.exe

Filesize
590KB

MD5
751672b3dc8e48b7632544b57e01a069

SHA1
a497158550201b67a8340756529c8909f13ddb5a

SHA256
acff977962ee68c47b786c28186b43b093ef41ec6ed617ee019f1227e17d8799

SHA512
96e0d9a1f15c55ab69b37ec095dda802a008c37c14a51bce6b5e04ca60d83e09bf9d69be604d0fd5f407471c959fafec0d8477856570fc8862a606a237baa97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\MobiHelper.exe.config

Filesize
1KB

MD5
4c77703bc70d087c272b1b4f8db55c4c

SHA1
3bbf0cc26c0b888aedefbfb077ca1e270d3c45c3

SHA256
dfddd98c2f704875c1b40cd1c81005faf10a442135c2c84b9ebef51f935d4b06

SHA512
bb0052a2c5904e503429017c506f03122c2f4b83d0609c1d40a153848d392303c1ec441338fcb18977e6f310f634abe0bd3ecbee03cd7e468795dd2cb75f8dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\Newtonsoft.Json.dll

Filesize
464KB

MD5
83222120c8095b8623fe827fb70faf6b

SHA1
9294136b07c36fab5523ef345fe05f03ea516b15

SHA256
eff79de319ca8941a2e62fb573230d82b79b80958e5a26ab1a4e87193eb13503

SHA512
3077e4ea7ebfd4d25b60b9727fbab183827aad5ba914e8cd3d9557fa3913fd82efe2cd20b1a193d8c7e1b81ee44f04dadfcb8f18507977c78dd5c8b071f8addb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\ResumeService.exe

Filesize
522KB

MD5
d293db543d714d4b6a959911f04982cc

SHA1
69c6d24cebec0d0f82b2006d9f9f9c3add831263

SHA256
dd31c28d11f79d4dd84c531b68fe52aa8f1076ef585bcf438d8976f8d3baf14d

SHA512
8abcf620c879092fcdc77b16877a9d7b50d9dd7b0e7a89187150bf03c1a7e05021cd30e30315d881ed5e819cb0d85050fdf294fa41bb8006c7cfe582fb68dc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\ResumeService.exe.config

Filesize
3KB

MD5
c0ecf23c7cf4e09c426ff35e83eb34b8

SHA1
6e42205b40fa610e3d3376cc21997745f448ced7

SHA256
61bcc5c65812305576bd37eb7237ac29f04f14cef3ab9b9e7e8f940d5522b393

SHA512
ce8ee53483211cc488df90f396fa33877866cdc862b343625c736cf676be37e95021e465d277aff503f01eee8e5883175ab6a74ba2317285e843f87285f9995d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\ServiceStack.Client.dll

Filesize
241KB

MD5
e7eeaacea4bb7ca8625dbc72f9c05177

SHA1
6e540e594d4e7fe1c55f2f9e406d3c0f6d02af9d

SHA256
67f5c0fedec2ca57fc1b3118bd772b987c01b573584c08c4264fc8030f0944f3

SHA512
9b45ab2f9b865da7775405eb05b805073f37590573c50b70644c6e694f2e6effa5c9b0cb15ce30b184f8afa71a382bc4bb9096599ccce8b68e130131da502c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\ServiceStack.Interfaces.dll

Filesize
169KB

MD5
bbaa88e5567a6b9c134f28262c54ca65

SHA1
5d59256abbc0226d4966cfa7f96511453736bb63

SHA256
2e2cf708db9d86b04c62a6273aa326225181fb739f6b950fbe2e1bd4905ecd0b

SHA512
eb714c554123a9405f1beb952e82f79b684995a4f567f3fb9bf934f51496eea0d325c791fddafc2105922ca51f93132db85ee8b555880ac04e0e039636c58779

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\ServiceStack.Text.dll

Filesize
540KB

MD5
01e10fdd82dff5e70eff077adc2a4528

SHA1
5bc845e65e732c4bbc246174eb18874140d26772

SHA256
57f75c075376c8977860c3bcb8d7d693289450a08b569159bf7ed1dc1824e1f1

SHA512
fe0f0e8c14d6a8318a1a4320e427375b309e2ab5f05286ecca7d7ce1c3047c75054cce2153233c07bf7a921d43fea3fc5093af928bb7b555de46dfa2adb55366

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\System.Memory.dll

Filesize
140KB

MD5
2bc5de386a4297144781d15b8e812b63

SHA1
ae6b19d49b413f1549b3540a9fbba00c1e8b3d27

SHA256
9c266080fb5f31e02a5005b91657093bd8c1faed23102e021a8be283c1753461

SHA512
e4d43c871af5c03392d2fb139fdf10c2f2da2f1d6fe0edd089e3e30369d6d350727b483c98868626f81d680400b44ee4d328e475b0017bfdeb38cdb44a8b4d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\System.Runtime.CompilerServices.Unsafe.dll

Filesize
23KB

MD5
a5aa80f49ad64689085755ab1ebf086e

SHA1
27e88cf0d2b34ea91efaa5cef9a763ee2722c824

SHA256
a79e1c30e9308afe4d680f0bfb82de3e8c1fe94aeca453ec4092c3ed4789ae6b

SHA512
f3dbd77e3a2ec3915b34d1387388abad45c99459ce03c06dc9a83d04f751b837c7b56cf9b4b7630f7fcd897a1d8057fce4cf761b1dc140a3928431b22b9b5b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\WixSharp.Msi.dll

Filesize
31KB

MD5
346d813cb3b38030edbe2342b21ecb0d

SHA1
578cc0f818bb3c414e5b806fe628a100f2eed63c

SHA256
4a807bec1041e2a900688f17d338a06b952a1a8e76b61f681454302753ab79ee

SHA512
72d6117ba66f1939fcb1f1bd89fe3a7cc5d93ae67ba7ed9927746a388eec4885986915372d5ff92176615f6e73e9ddcdff5e8feb30d2b0c17f8aaaab1e4f744a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\log4net-loggly.dll

Filesize
20KB

MD5
647ef1d7ccf030a09f17a54c5f40bbed

SHA1
08a71074606354e53a5c25aa9b084dfe9bef551f

SHA256
dc7ba0dcf33d3599c6d471cedb604e141d24a9aff9964225b8de1dfbb8a285db

SHA512
16d7dfc6033114c247c252f5463ab874418b609811ef31dd82365482487c6a8dcb2260f9b288fa883d3ba70c8b8836bb9e38d5bc24303db71fdcac8778b769fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\log4net.dll

Filesize
280KB

MD5
7c11f28d40f846515c132c5e358913bb

SHA1
fe7d3cd47352835016ffe5be86185165c4a09f69

SHA256
8cdae744cb81a397c61f9311e1bd089206783b8b173d6e8216005b84662fda1e

SHA512
12acfc71df4e7d24fe0ac9de97d21dcd651480fd0c9e46035cd3a2f3fe1ee6833fc9679cda0b07ffa33bb6ff0a97b6d28f3fa161747990b18cea73c22bf124c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcgame_4132D967\utils\sysinfo-app.exe

Filesize
234KB

MD5
2b30334153d41d8c762207309be73d92

SHA1
a54f5fa79252b1b9968f6e1a44fde7f007a12548

SHA256
9b4eee17b496a35e88b5f1631ba21c2bee262b3c6da0024c18e3d1b7996b3484

SHA512
cc9972e8f8952bef7364b00d269848a918c47bd4fb66cb0fbc97ea7c74dab467ca7fa694c79a3d07cff45869fe9bd6643a3291b4fd83c53c544320470ab78aeb

Download Submit
C:\Windows\Installer\MSIA0ED.tmp

Filesize
631KB

MD5
ef64e6f6e011661dea3b8b68a1a747fe

SHA1
c3a2221a0322ccce06421cb504968f2204a89748

SHA256
9b7ef3866ea9f29c4a25cc8944b1c6a43e8930d79948f6be239c7de774757238

SHA512
4e1ff0e19241c6d05c582e579812e96a62c1c1c361e918f0fde3bc0469ca0daebcd8ae16f6291e2659903eba235b292f772b8e5cf9881d28163085901f7c3f7b

Download Submit
C:\Windows\Installer\MSIA1D8.tmp-\CustomAction.config

Filesize
980B

MD5
c9c40af1656f8531eaa647caceb1e436

SHA1
907837497508de13d5a7e60697fc9d050e327e19

SHA256
1a67f60962ca1cbf19873b62a8518efe8c701a09cd609af4c50ecc7f0b468bb8

SHA512
0f7033686befa3f4acf3ed355c1674eaa6e349fba97e906446c8a7000be6876f157bc015bf5d3011fbbdc2c771bcbaea97918b8d24c064cbbd302741cc70cbc7

Download Submit
C:\Windows\Installer\MSIA1D8.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
172KB

MD5
4e04a4cb2cf220aecc23ea1884c74693

SHA1
a828c986d737f89ee1d9b50e63c540d48096957f

SHA256
cfed1841c76c9731035ebb61d5dc5656babf1beff6ed395e1c6b85bb9c74f85a

SHA512
c0b850fbc24efad8207a3fcca11217cb52f1d08b14deb16b8e813903fecd90714eb1a4b91b329cf779afff3d90963380f7cfd1555ffc27bd4ac6598c709443c4

Download Submit
C:\Windows\Installer\MSIA1D8.tmp-\WixSharp.dll

Filesize
431KB

MD5
02551708742c3e7badee72532c9484b7

SHA1
d5aa394ee2883a0f4648698fb7d1f54039f3f73e

SHA256
0fc8edc2b0bf3b92ab50c08429b03f7612fe1fe2e1216a4d9266f11058e3e95f

SHA512
0cf5c87831e4d82bc09decaba0c99ae71044a59b97ab61345a1e5e940766227adf27e34593a8642d51ea5673a37e510e8ebf81ebdbb1bcb1777d48a738520e7c

Download Submit
C:\Windows\Installer\MSIA3BD.tmp

Filesize
661KB

MD5
62b5ccfec974966643787a3f6337d1b1

SHA1
f3134b4aaa47cdc2450c8fd3d0453807456a300f

SHA256
1ab810303c188710dba49cabc5a4d623b1e4e3798b2af2388e6c63eb6c8e1405

SHA512
4ce1364b28617907ebe1c0ceaa171fc13c2b12e72aba78c38824dfc62e2f2eb30f3a4c910e14f65ff881c606b654f75f6949d18cc78ce9823b0b9b2eaf1417f5

Download Submit
C:\Windows\Installer\MSIA3BD.tmp-\VirtualBoxSetup.exe

Filesize
275KB

MD5
27640e44b220c919539bae41d28bf738

SHA1
905bf328be2083c9020159823f28af81017fe60b

SHA256
1f362754c05cdcc75e0d85c81ec8b7e70e53361ea549b3c16eb7629f78931485

SHA512
1c47d4e2424634f18d1f315f2cb81287bde3bcca0cb38c779e4a0e9dae8ca75b15d59e6968aa1f42950addd5969204fd040f7472f77cbde9f26c6b6143ff1ff5

Download Submit
C:\Windows\Installer\MSIA3BD.tmp-\WixSharp.UI.dll

Filesize
239KB

MD5
a8d11ee5c3dcc54d8082fd2c087c7977

SHA1
8191c9e82f4e6f67a427a5f3b7b1a3bcd67cb4ae

SHA256
c29d2aeb1de17211adb98a490051d83bfd05d10af66094ef7159d0917bad35cb

SHA512
6462a7d23e571b41791af130ae0d2a0e010e30705a66e96b716028a0fe08bc4c7669b78ec4e56aedce991872336b0da7bcf1845ca5a15e621fa91d4c05d9f9ab

Download Submit
C:\Windows\Installer\MSIA777.tmp

Filesize
118KB

MD5
ba3165ec14e657e6235d6d789e9e25ca

SHA1
f626fcc0e7e7f26a092da6a995f5936a45c4f71a

SHA256
bf93de4755822425f3fd3928b52d2a6e6c91ab069213aaaa95695ed3e17e72e9

SHA512
6d83dd60b1f8e8d93ddbda657b1c75f86c1f5f6eac899123f6ce498f5dd1a5abf05e29776144044c6a848e8fdd2b9a6a5367c4b249b879a310a260fb6b55b6da

Download Submit
C:\Windows\Installer\MSIF34D.tmp-\VirtualBoxSetup.pdb

Filesize
133KB

MD5
4941344d7237566c0b791c865e579fa2

SHA1
02b9b4d37e5c5ad76349697c343ed7c1c689bb36

SHA256
3dda70ef422bba7ca5a69b7bdfdce227c47e698bc27c4058cbc798ce48c9a030

SHA512
c7aa71e6550c1049b88f231fcbd94e95b2e89025a4160921ceefc1aef6931d81ec05ccd67ebe9975027e1246a059efd42d2284e18ea9d922e1a8d9e789063b31

Download Submit
\Windows\Installer\MSIA728.tmp

Filesize
146KB

MD5
9d9a45f017d425179b7907410fd4d124

SHA1
d466dacd22e4daa5698ffc2a812a48b8fc680d71

SHA256
51f05b7aec5c1e565c36b33a456ce2e3500669399abd9ead2bd217d847805415

SHA512
f9336ebf658f24c235105b4845f1182e06fa6bca38d32a6b07774b6bddbb29cfb64cc174fdb25c2b00e4fdbf25fdf32df5229f156b5eb1f4d06a4f3b9938d1d2

Download Submit
memory/568-2779-0x0000000002360000-0x00000000023AC000-memory.dmp

Filesize
304KB

Download
memory/912-2632-0x0000000002560000-0x00000000025AC000-memory.dmp

Filesize
304KB

Download
memory/976-1091-0x0000000002380000-0x00000000023CC000-memory.dmp

Filesize
304KB

Download
memory/1040-2880-0x000000013FC00000-0x000000013FC0A000-memory.dmp

Filesize
40KB

Download
memory/1040-2890-0x0000000000840000-0x0000000000870000-memory.dmp

Filesize
192KB

Download
memory/1040-2881-0x00000000025B0000-0x0000000002646000-memory.dmp

Filesize
600KB

Download
memory/1552-2944-0x0000000002200000-0x000000000224C000-memory.dmp

Filesize
304KB

Download
memory/1620-1186-0x000000001AE50000-0x000000001AE9C000-memory.dmp

Filesize
304KB

Download
memory/1620-1184-0x0000000001EC0000-0x0000000001EEE000-memory.dmp

Filesize
184KB

Download
memory/1684-1212-0x0000000002350000-0x000000000239C000-memory.dmp

Filesize
304KB

Download
memory/1740-2740-0x00000000007B0000-0x00000000007E0000-memory.dmp

Filesize
192KB

Download
memory/1740-2730-0x0000000002500000-0x0000000002596000-memory.dmp

Filesize
600KB

Download
memory/1740-2729-0x000000013F2B0000-0x000000013F2BA000-memory.dmp

Filesize
40KB

Download
memory/1844-2805-0x0000000001F10000-0x0000000001F5C000-memory.dmp

Filesize
304KB

Download
memory/1856-187-0x0000000000310000-0x000000000035A000-memory.dmp

Filesize
296KB

Download
memory/1856-190-0x0000000000A70000-0x0000000000AFE000-memory.dmp

Filesize
568KB

Download
memory/1856-3625-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/1856-183-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp

Filesize
4KB

Download
memory/1856-588-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp

Filesize
4KB

Download
memory/1856-597-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/1856-253-0x0000000000B00000-0x0000000000B26000-memory.dmp

Filesize
152KB

Download
memory/1856-824-0x000000001A730000-0x000000001A75E000-memory.dmp

Filesize
184KB

Download
memory/1856-336-0x000000001A880000-0x000000001A888000-memory.dmp

Filesize
32KB

Download
memory/1856-331-0x0000000002340000-0x000000000234A000-memory.dmp

Filesize
40KB

Download
memory/1856-185-0x0000000000DB0000-0x0000000000EB6000-memory.dmp

Filesize
1.0MB

Download
memory/1856-335-0x000000001A860000-0x000000001A868000-memory.dmp

Filesize
32KB

Download
memory/1856-333-0x000000001A850000-0x000000001A858000-memory.dmp

Filesize
32KB

Download
memory/1856-249-0x000000001A820000-0x000000001A850000-memory.dmp

Filesize
192KB

Download
memory/1856-195-0x00000000022C0000-0x000000000233A000-memory.dmp

Filesize
488KB

Download
memory/1856-940-0x000000001A6B0000-0x000000001A6BE000-memory.dmp

Filesize
56KB

Download
memory/1856-192-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/1856-247-0x000000001A7D0000-0x000000001A812000-memory.dmp

Filesize
264KB

Download
memory/1856-189-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/1856-334-0x000000001A870000-0x000000001A878000-memory.dmp

Filesize
32KB

Download
memory/1876-480-0x0000000001390000-0x0000000001426000-memory.dmp

Filesize
600KB

Download
memory/1996-2582-0x00000000023A0000-0x00000000023EC000-memory.dmp

Filesize
304KB

Download
memory/2224-2841-0x000000001AEB0000-0x000000001AF22000-memory.dmp

Filesize
456KB

Download
memory/2224-2839-0x0000000002220000-0x000000000226C000-memory.dmp

Filesize
304KB

Download
memory/2308-2669-0x0000000002260000-0x00000000022AC000-memory.dmp

Filesize
304KB

Download
memory/2392-1057-0x0000000002550000-0x000000000259C000-memory.dmp

Filesize
304KB

Download
memory/2392-1059-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/2420-453-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2420-452-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2744-2727-0x0000000002460000-0x00000000024AC000-memory.dmp

Filesize
304KB

Download
memory/2964-1030-0x00000000020F0000-0x000000000211E000-memory.dmp

Filesize
184KB

Download
memory/2964-1032-0x00000000021B0000-0x0000000002222000-memory.dmp

Filesize
456KB

Download
memory/2972-2549-0x00000000022A0000-0x0000000002312000-memory.dmp

Filesize
456KB

Download
memory/2972-2547-0x0000000002250000-0x000000000229C000-memory.dmp

Filesize
304KB

Download
memory/2980-2608-0x0000000002130000-0x000000000217C000-memory.dmp

Filesize
304KB

Download
memory/3040-2876-0x0000000002320000-0x000000000236C000-memory.dmp

Filesize
304KB

Download