f7192526dbe47540e5b2d3b58a511bc65b8a08f76a31c95adc40921f25f8acf3

Analysis

max time kernel
102s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-03-2023 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Papers.Please.v1.2.76/setup_papers_please_1.2.76_(54232).exe
Size

40.8MB
MD5

354d10586bd68448685e925e48810bed
SHA1

ddfbe39b92b2277f989e7597af91379d7ec2ef7e
SHA256

412de5f617c9115d8199d78ef93e34a9b46e021b81902feb9eef14a4b2c035f0
SHA512

6f4f17b5dc51b8448184ba21af9b7dda7f7c91f5c4eef609ae6699b8bead4019fdb6280bf83853cd1db98b1a621c8dfaad4bf2fb13305ba726b66aa046bdb469
SSDEEP

786432:pBaa+1a5dqYwSYjm9x+hvRprsSLQWvVyPf/Wj8LT3y53RZYvv/w/go1PIGvUaQvL:ma+1QqYHYSerDHuf/c8LTuT+iNu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

setup_papers_please_1.2.76_(54232).tmpscriptInterpreter.exescriptInterpreter.tmpPapersPlease.exe

pid process

924 setup_papers_please_1.2.76_(54232).tmp
1944 scriptInterpreter.exe
936 scriptInterpreter.tmp
1600 PapersPlease.exe

pid	process
924	setup_papers_please_1.2.76_(54232).tmp
1944	scriptInterpreter.exe
936	scriptInterpreter.tmp
1600	PapersPlease.exe

Loads dropped DLL 18 IoCs

Processes:

setup_papers_please_1.2.76_(54232).exesetup_papers_please_1.2.76_(54232).tmpscriptInterpreter.exescriptInterpreter.tmpPapersPlease.exe

pid	process
1296	setup_papers_please_1.2.76_(54232).exe
924	setup_papers_please_1.2.76_(54232).tmp
924	setup_papers_please_1.2.76_(54232).tmp
924	setup_papers_please_1.2.76_(54232).tmp
924	setup_papers_please_1.2.76_(54232).tmp
924	setup_papers_please_1.2.76_(54232).tmp
1944	scriptInterpreter.exe
936	scriptInterpreter.tmp
936	scriptInterpreter.tmp
936	scriptInterpreter.tmp
936	scriptInterpreter.tmp
936	scriptInterpreter.tmp
1200
1200
1200
1200
1200
1600	PapersPlease.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

setup_papers_please_1.2.76_(54232).tmp

pid process

924 setup_papers_please_1.2.76_(54232).tmp
924 setup_papers_please_1.2.76_(54232).tmp

pid	process
924	setup_papers_please_1.2.76_(54232).tmp
924	setup_papers_please_1.2.76_(54232).tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1924	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1924	AUDIODG.EXE
Token: 33	1924	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1924	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

setup_papers_please_1.2.76_(54232).tmpscriptInterpreter.tmp

pid process

924 setup_papers_please_1.2.76_(54232).tmp
936 scriptInterpreter.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PapersPlease.exe

pid process

1600 PapersPlease.exe

pid	process
924	setup_papers_please_1.2.76_(54232).tmp
936	scriptInterpreter.tmp

pid	process
1600	PapersPlease.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

setup_papers_please_1.2.76_(54232).exesetup_papers_please_1.2.76_(54232).tmpscriptInterpreter.exe

description	pid	process	target process
PID 1296 wrote to memory of 924	1296	setup_papers_please_1.2.76_(54232).exe	setup_papers_please_1.2.76_(54232).tmp
PID 1296 wrote to memory of 924	1296	setup_papers_please_1.2.76_(54232).exe	setup_papers_please_1.2.76_(54232).tmp
PID 1296 wrote to memory of 924	1296	setup_papers_please_1.2.76_(54232).exe	setup_papers_please_1.2.76_(54232).tmp
PID 1296 wrote to memory of 924	1296	setup_papers_please_1.2.76_(54232).exe	setup_papers_please_1.2.76_(54232).tmp
PID 1296 wrote to memory of 924	1296	setup_papers_please_1.2.76_(54232).exe	setup_papers_please_1.2.76_(54232).tmp
PID 1296 wrote to memory of 924	1296	setup_papers_please_1.2.76_(54232).exe	setup_papers_please_1.2.76_(54232).tmp
PID 1296 wrote to memory of 924	1296	setup_papers_please_1.2.76_(54232).exe	setup_papers_please_1.2.76_(54232).tmp
PID 924 wrote to memory of 1944	924	setup_papers_please_1.2.76_(54232).tmp	scriptInterpreter.exe
PID 924 wrote to memory of 1944	924	setup_papers_please_1.2.76_(54232).tmp	scriptInterpreter.exe
PID 924 wrote to memory of 1944	924	setup_papers_please_1.2.76_(54232).tmp	scriptInterpreter.exe
PID 924 wrote to memory of 1944	924	setup_papers_please_1.2.76_(54232).tmp	scriptInterpreter.exe
PID 1944 wrote to memory of 936	1944	scriptInterpreter.exe	scriptInterpreter.tmp
PID 1944 wrote to memory of 936	1944	scriptInterpreter.exe	scriptInterpreter.tmp
PID 1944 wrote to memory of 936	1944	scriptInterpreter.exe	scriptInterpreter.tmp
PID 1944 wrote to memory of 936	1944	scriptInterpreter.exe	scriptInterpreter.tmp
PID 1944 wrote to memory of 936	1944	scriptInterpreter.exe	scriptInterpreter.tmp
PID 1944 wrote to memory of 936	1944	scriptInterpreter.exe	scriptInterpreter.tmp
PID 1944 wrote to memory of 936	1944	scriptInterpreter.exe	scriptInterpreter.tmp

C:\Users\Admin\AppData\Local\Temp\Papers.Please.v1.2.76\setup_papers_please_1.2.76_(54232).exe
"C:\Users\Admin\AppData\Local\Temp\Papers.Please.v1.2.76\setup_papers_please_1.2.76_(54232).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\is-M3DG7.tmp\setup_papers_please_1.2.76_(54232).tmp
"C:\Users\Admin\AppData\Local\Temp\is-M3DG7.tmp\setup_papers_please_1.2.76_(54232).tmp" /SL5="$70122,42151039,192512,C:\Users\Admin\AppData\Local\Temp\Papers.Please.v1.2.76\setup_papers_please_1.2.76_(54232).exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:924

C:\GOG Games\PapersPlease\__redist\ISI\scriptInterpreter.exe
"C:\GOG Games\PapersPlease\__redist\ISI\scriptInterpreter.exe" /verysilent /supportDir="C:\GOG Games\PapersPlease\__support" /SUPPRESSMSGBOXES /NORESTART /DIR="C:\GOG Games\PapersPlease" /productId="1207659209" /buildId="55257829924550446" /versionName="1.2.76" /Language="English" /LANG="english"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\is-4BO6U.tmp\scriptInterpreter.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4BO6U.tmp\scriptInterpreter.tmp" /SL5="$101C2,662929,192512,C:\GOG Games\PapersPlease\__redist\ISI\scriptInterpreter.exe" /verysilent /supportDir="C:\GOG Games\PapersPlease\__support" /SUPPRESSMSGBOXES /NORESTART /DIR="C:\GOG Games\PapersPlease" /productId="1207659209" /buildId="55257829924550446" /versionName="1.2.76" /Language="English" /LANG="english"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:936

C:\GOG Games\PapersPlease\PapersPlease.exe
"C:\GOG Games\PapersPlease\PapersPlease.exe" softren
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GOG Games\PapersPlease\PapersPlease.exe
Filesize
11.5MB

MD5
503bf5b8fefd351bfb23a3fc1278d183

SHA1
5d66f25f03b9c95e3455c1c5a113df8d35ee092d

SHA256
936e5af2c7f01f7a03782bda924d912d51e7f4df69a3371a4416305375bc71b4

SHA512
667221deb3306338e2cca4a533f32cb3038066eec8656263b4e5439be8bf21ca9e37f5357c3a7c29573e6b8b9a26d88f195cd2ac01be289d417aa175780a7bac

Download Submit
C:\GOG Games\PapersPlease\PapersPlease.exe
Filesize
11.5MB

MD5
503bf5b8fefd351bfb23a3fc1278d183

SHA1
5d66f25f03b9c95e3455c1c5a113df8d35ee092d

SHA256
936e5af2c7f01f7a03782bda924d912d51e7f4df69a3371a4416305375bc71b4

SHA512
667221deb3306338e2cca4a533f32cb3038066eec8656263b4e5439be8bf21ca9e37f5357c3a7c29573e6b8b9a26d88f195cd2ac01be289d417aa175780a7bac

Download Submit
C:\GOG Games\PapersPlease\__redist\ISI\scriptInterpreter.exe
Filesize
1.2MB

MD5
0bc15db65acd786eab042566a1e1210b

SHA1
629e95532563d80e714aa3ce3e40c1f605c70773

SHA256
463e20f2b84d5a0d12049c6677f434ea7dd1a3035f053279e67bda8fd2dfc078

SHA512
d1959c156dc9aaf5a4e4f906352422db89ae687b6947995e782ce8520bcd4af37eb910cb466071e331f346cd29e8c9070dc8150feed024e483fb1d1964790669

Download Submit
C:\GOG Games\PapersPlease\__redist\ISI\scriptinterpreter.exe
Filesize
1.2MB

MD5
0bc15db65acd786eab042566a1e1210b

SHA1
629e95532563d80e714aa3ce3e40c1f605c70773

SHA256
463e20f2b84d5a0d12049c6677f434ea7dd1a3035f053279e67bda8fd2dfc078

SHA512
d1959c156dc9aaf5a4e4f906352422db89ae687b6947995e782ce8520bcd4af37eb910cb466071e331f346cd29e8c9070dc8150feed024e483fb1d1964790669

Download Submit
C:\GOG Games\PapersPlease\assets\Art.dat
Filesize
2.9MB

MD5
7d7e5aabaebfd5d15644534e6e737ff4

SHA1
b3d1bc8eaa27bf0724ff3c5e1cf7f4f86018e35e

SHA256
868edcf508327ebf4eb8229e7ff3acfe9d4eb42a095050066c5d3bb142a13d54

SHA512
1259ac6bd15e7bf59ec48b14eae8a3b2637f725b3c331897a2b7dcf735d45be69c5c792ce21cfa87b5f5c1c596cd1fee59a3947bcd37e76b750e5e4733204672

Download Submit
C:\GOG Games\PapersPlease\assets\Inconsolata-Bold.ttf
Filesize
66KB

MD5
819f56653a4197a7959c41ddfc8ff69b

SHA1
995a8160348f586143c9b3bc3c527786066779b5

SHA256
546ab1e196e94157a89af9fe42efea5149cbe346615023681461189d7a4496bf

SHA512
c9bf15571366fb0d0d9cf7128e2865f31d26f40658ebce234ffd351deefcd0d30c75321a16d991efca915404786a2491af7905527c3c01c1f9cce5e5f2352412

Download Submit
C:\GOG Games\PapersPlease\assets\music\Theme.ogg
Filesize
2.0MB

MD5
63236f4627837ca08114651fb0d062d5

SHA1
a8aaa4c6ad1af1151ed096cda4483e4d23ef6430

SHA256
5ffbc7ea354b5d92775952e6cf18498a740871f1dff349a308987ce0c7f2320c

SHA512
bf85b1b5b474efbea7c2ab235993b7f0df78a6241bf0ff9a92aaecc970fa4764567cb63824ad19b8dbefc53c6198bfbe486b7e99b2f444ba33e766ae4bfc7e40

Download Submit
C:\GOG Games\PapersPlease\boot.xml
Filesize
1KB

MD5
663c08216b9cf33586579477b7a50413

SHA1
8a1d10e3b1e998f82d6b6b4e2e9b061735bdcc2c

SHA256
573962eabdbab1f83c81fe57d97627c62c766b54ba369dceade281894aa9ff45

SHA512
26becbfe1b38936d0fd3cdd6c20b26e96fc9bb2a5630e307d08bb1e1ba8cff480acaddce5f1f23f232934bb32f8479272736ad91cc905ed136c2d60cf877241c

Download Submit
C:\GOG Games\PapersPlease\goggame-1207659209.info
Filesize
821B

MD5
6745b5c25105be39136b920448c004bd

SHA1
79d521233e0ef7f90c4d9db14e3a2e690e3970c0

SHA256
fad085351fcde0270d84871452607e8cea9178f9ebffc79ee4dd0baeba47682e

SHA512
e5fe8ba247132e309bd9203e45ea95f3d761725fb71e5a2b68aee6b4429f079605d971d976b0f38f2f50263c3c7a0433b5e900646d53425d9eefe8f6a017f0ac

Download Submit
C:\GOG Games\PapersPlease\lime.ndll
Filesize
7.7MB

MD5
f87ea1a6892b1a02615d4efc2af42ae7

SHA1
1aed7c51a52b27e3fe4669a7813de83f86243ee2

SHA256
65ca003dd8cf1858b1685f94379a93fb5fb70cc304e3b0dfcbbb0b8fe7ff68fb

SHA512
97f7eac332045310f6babe28ca107e9755ab873aeb1610a9f3774b2858dd77e781ad89303cad7b3898fbcfcf51f6720b2dde49716215459e377dafd00462e362

Download Submit
C:\GOG Games\PapersPlease\loc\en.zip
Filesize
519KB

MD5
ecfe16f0a9b3095de1d2730de0e487a7

SHA1
f13e2ea9f9ede890f482c48aeeafc59b874bf397

SHA256
afc5e696545bde3513747c4bf5de7092404fd7b72e3cf90099f948f3fc4e6d99

SHA512
065734bde7728fcd962689bceda8333dea06e3b1b9ec8077a85acd57f40568baec0defc9c2d069ddac66b991f0e41b677787f4475125b848bae54ffbc8d5b031

Download Submit
C:\GOG Games\PapersPlease\manifest\default.json
Filesize
6KB

MD5
fdc1e5ca44558ddbe2fe65de744b90c8

SHA1
78e9c9ee5e6b4ba590c773b73596cd2d90c3e537

SHA256
9d190c9fef320482e665459dae90c61b3ce2c23b7f4e30df1e42ee7db0663446

SHA512
dccf9254cfc59558a26bd463deb36278ea6de5c8da4488ee57efcaa8978aa500a107fa077aa5006e4c818a0928be84e9244ddfffa2ef5677038a684485b7a0cf

Download Submit
C:\GOG Games\PapersPlease\unins000.dat
Filesize
393KB

MD5
6abd913ea5adaa8a75323f50844b10a8

SHA1
592a7b382b4c359d10e7c28e7ff3fec1d4f9185a

SHA256
0ae2fac6c5c73c019552d431b56043c4ddab7cdc270ce890f15124a71ca52f88

SHA512
51f07a67f6d3f4295c76e769e33b9f43a7a1cef76b7722b8574462d901770dde16581ed5becfa7f84b9585ffc8092d97ddb7ec1d8fcda84a80caf771e617fcc6

Download Submit
C:\GOG Games\PapersPlease\unins000.exe
Filesize
1.3MB

MD5
584b93c043e09f22f0f94d90220b90d2

SHA1
0cc5a8f9c7f6924dc1198001db3218953ac0ad99

SHA256
ca4b29bc6469a8a733431e071a360dcca48cf5d4886f455514161c9c62c44256

SHA512
2039520e5b8d71984e3203d63472d2ee3d1be2d9294f3add58804f0f55fe361c7de2a82855f3a3f18c9920198eb31a9471a2987c69961c0caef74b7671114736

Download Submit
C:\GOG Games\PapersPlease\unins000.exe
Filesize
1.3MB

MD5
584b93c043e09f22f0f94d90220b90d2

SHA1
0cc5a8f9c7f6924dc1198001db3218953ac0ad99

SHA256
ca4b29bc6469a8a733431e071a360dcca48cf5d4886f455514161c9c62c44256

SHA512
2039520e5b8d71984e3203d63472d2ee3d1be2d9294f3add58804f0f55fe361c7de2a82855f3a3f18c9920198eb31a9471a2987c69961c0caef74b7671114736

Download Submit
C:\ProgramData\GOG.com\supportInstaller\is-C5C75.tmp
Filesize
712KB

MD5
f3a88277fc7e0c057c40e47a7e43f9ad

SHA1
78ae0052b323139a4de7a5361a40503a39339f4c

SHA256
d88bcf910e7a5ce4d76ca48b263ef226911b455d3a8db80c9fa69aeb2b3898a1

SHA512
3c40377600fbb814fe19423404d2fb29f6342ab2a3a6d5dc50f42086fc0f59174184a0870d7f04fb6ee5f84828e1ed282396bfcb70842084af25f5af15cc8a1f

Download Submit
C:\ProgramData\GOG.com\supportInstaller\uninstall.dll
Filesize
691KB

MD5
7db706c324cc9b6fda497d081eed6e26

SHA1
ca97392e573af0cf61bfa3301801a85f2beea44c

SHA256
cc685dbcf798549ad1a51c1dde45462e2a451ec59f48ee91219182a3871cd5b0

SHA512
8edf1494d57d5e708faaff4170f21f435658be897a6fe0acf243ced0701a7fd574b3c973c5bc5e8d92815e966c98977e69ac1e3083ab00c11b072115527ffa19

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4BO6U.tmp\scriptInterpreter.tmp
Filesize
1.3MB

MD5
5fbb8d112408800bf9cc257f8be6f580

SHA1
c6319048b9af0736212bebb25979a84a74db0a06

SHA256
0963b01b447c641bea6f5e9de250c1e8a0127a34440c8165594b67890026e6af

SHA512
390f4a1703c867d6f9edae3b02334126565b9995989f2edc16d5749dce7b059874373a5f6e870ce742012fa8b06e1c2c0c3ed56fffb864980496d328db8cbe02

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4BO6U.tmp\scriptInterpreter.tmp
Filesize
1.3MB

MD5
5fbb8d112408800bf9cc257f8be6f580

SHA1
c6319048b9af0736212bebb25979a84a74db0a06

SHA256
0963b01b447c641bea6f5e9de250c1e8a0127a34440c8165594b67890026e6af

SHA512
390f4a1703c867d6f9edae3b02334126565b9995989f2edc16d5749dce7b059874373a5f6e870ce742012fa8b06e1c2c0c3ed56fffb864980496d328db8cbe02

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\1134577161_english.jpg
Filesize
192KB

MD5
339f7594a4b849625de4e6f1ed00a0a5

SHA1
57627516ac4931938e1680a6ac8b5bce7ac5feeb

SHA256
d85be7db9614ff25af54ef04b92703aea750e2092e2d648b7d14af8bff80cb2f

SHA512
514c83d7222770cc7d6c0cf8cdc70e3f75ac8f8839efa2ff11c6ef7c5f3831479365a02b74c773c7ef1d8ea0dc70dfcfcd4ffb0e813668fee52988e1c850aaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\1449651388_english.jpg
Filesize
175KB

MD5
ae8c0b7dd3bf13bc6409ae912036ce7b

SHA1
86242f1b6bd60f90c6aaeede756ff07dc3c02492

SHA256
fb01ffdf0743e3ae4d3e1a4c80d6f4c487330926deff4f4c78aadf0636f331d7

SHA512
7085eaba6d999ee3850303e5b5b410030106e504a7decc05ca7352a7082c9c391a0dd6c609fe6552985870edaa2772cf12ff203b7e32a9702bfc4f845774c0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\BigOK.png
Filesize
3KB

MD5
5b43a5d975a53f4fc1da67ce9f7784c1

SHA1
8543fa1e471030049942252b23cb22e0880c3af5

SHA256
59d8bb3e87a89ef523c0495addce38d69560af42aaa82f56dd41b12e6612c13a

SHA512
5dd5c4e9859a555a4a32da76f5231b44f7556274c6501da530b2cdd570bcb4675f710bee708322a40ed3ef9280c0d652b4e7ef0e9eaf128c08534f59291917f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\EULAAccepted.png
Filesize
2KB

MD5
461dfeb75927bdb39f9db5348612a611

SHA1
b7893b1fff6801e37ee7337d876962a09184941e

SHA256
0de278f5ca6d8570d9bda592268a14a28b87d3631fea2d25721947397aaab79c

SHA512
68528cf45c81c2c024a672f42c2cd6d4f72c015b443f103ca21deb8ee2bec4f4027490e7f33b5338a87537b5bf7f255f2828aed149f622155ec89cc81687651b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\EULAShow.png
Filesize
1KB

MD5
c596bc9111edc702bbbb29b70984254f

SHA1
d4712c7b91ff4f8994e7907d31357c42eb47c738

SHA256
6112851daea2aaa7174e8cfac4a0f61c968bc090342503804c476eff47cc2462

SHA512
db50d0a39ec644873a03d64552fff1776cc94f016e8dfc8918e65aee94f7529a6de4637567b5e65c4ea988f3775785c4b52c2d96fe8dbc52b1e21ff59c737c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\GOG_new.png
Filesize
3KB

MD5
d5b63bdfa47ef5954917c148bacf7b13

SHA1
5302c6715d9e9b5d2768b130f3e516e175684cc9

SHA256
0804b385c1736e009fe8c3b1b14085b9b9abb40ce487360002ab4a8f3505f4e0

SHA512
b5cde681be9ad1c1211559dc4b363003bf547e8dc965dbb9560fdddfc28ee1d8f27cc534dd00864d800fd351c48694d7dc8df55fc3d8d69acf8b702c7b421aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\background.jpg
Filesize
416KB

MD5
500498a437a2fc611721405ba1f67746

SHA1
a13af882cf40884f62d8ef2fa97c5c321db7e3fd

SHA256
c25063204ea2bf9311c6e77720d4a69bf11999fb719e78012c1ffa5a4cd3ca22

SHA512
4e495d484dfbd18489b0cd7f55320ae34b41eb5441a6f8149adea17d167c88b2429237b1a0f59fd883b659c7b3e8d2dbf706077c70a741aa4669351c7938e6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\btn_md5.png
Filesize
8KB

MD5
3befe9739354ee24a0b1ea8df05ce274

SHA1
ab0bda986a8c46aa19f57b75a2b7b22445a3c625

SHA256
b0193ab375f604fa4a25cabdea8f713babde1c07ab562ffc5679352c8e01db47

SHA512
ac016a59e0bfc9b22c376ae5d498c5660893a983d932b2bd502dabe032883c69e79ea8d93c2db49f95415c3cdb068e9f7d1d85527a4f9e68e065a989852d09dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\error.png
Filesize
726B

MD5
df10adc25b673e74e19971c17bee5a98

SHA1
ee16fb1cf9491f5e611282f0574b27d76fede412

SHA256
142b16dc6239421691fa6e619d1a61e61176d89fa018a88b46893c29a57aad8b

SHA512
dc3de10e0321966cbbfb2e57b3b41da6f26dff0c7233a47469da58775b5c471e6b5181e4d4ffc81ef8b83dbcad74ccc1aad7678518f99c9185a441d2a23e010f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\error_icon.png
Filesize
1KB

MD5
263720c4b8bb111567a2a49989b8f467

SHA1
cf346fa3c70164648e0eaf72a37c6f4920ab4792

SHA256
acdf96ee4261fae138e6350a0ad50b367022ed5b908fa168baad92644f566ee8

SHA512
94f06a81dc735cf264abde86e6169e5fd78d873d2e926fd48287d2ac5208fc930c3c432186e3510add002bd1b4ae32ad8d35270b17c3ce5f18c43764a8e9de43

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\ok.png
Filesize
1KB

MD5
103c1368e60806b1b7995a0894eacf87

SHA1
971392527f6e4b655044773132505c901a6b5469

SHA256
0d37d4421a39ca8852eb6760b8e914302bdc6cfcc7b170dc1b6c9bb9be148b7e

SHA512
652177e94438aff102f2ed873b26f0985ebed134763852b49b1ca2698463c1dbeb85152f19c8e18d397229ec5cb2cd1d17c61d454ab7c425a2cab540adc8228a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\progress_center.png
Filesize
1KB

MD5
ad7fc1e37e40da38dd57adc446cc6c0e

SHA1
08033265deb9b45243cfa0065d98ffe13a039e26

SHA256
2b9dae87340e66b67ab1d8247d4a137628e324969f92fe1098f95a7c5bab2f43

SHA512
dd715d74f8e1ed6ab75b7b6530b383ac47040d8baa7728be160f6d230bf485a9cc54f15f7dc85b122ce56e54d63fa4890e510dfc89d9c9344e31f789ebac8756

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\progress_left.png
Filesize
1KB

MD5
290c7612ad7a077028cd3dc78ce99673

SHA1
18995fbe39d05e4a1cafc7cc2e0f6fb745442f77

SHA256
85e39d909a7300fa2043ec42818582867b981401264b14fc5408e477ae0b4668

SHA512
799841f5b8a1056e78a49c823009750e4b93af130a6c4ff9dc6d386c06b88614e53b46a6df62f5a217d5c99da01cf4e2fe8392c73d39e81000045291cf24205a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\progress_right.png
Filesize
1KB

MD5
c25a41f022a74308d944d1e807d72f44

SHA1
83c6bbec3fb373fcc78ce0e737742100994cd6d4

SHA256
396a3351fe409328782ab138282cf9cec061a5a9540a3506700a620db1f54e7d

SHA512
d2f4449195f3e60c826cfabb52a083d829eb9d0509272977d8fdb33bc5214678949cd27d0594684594e0a3eda2351c39cec8d91923cb716ad144ccf2b966c8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\slideshow.ini
Filesize
279B

MD5
ad0ed70c79608288af8c69914e68c90d

SHA1
87334e310ba0bc5d05b7dffdf6ed258a8b56a4d8

SHA256
67cb7a731cb50a9e45cd684cdae147aee6a34842aea936cca1f9fcde266dc5a7

SHA512
c5606f19e3eabc128e8991821e9cc925d3e0f09dbda16ec9653349ed7d412d1b895634ba0d16396f57c28c478457d8c9aa62704da24f96c7434254da39ba8dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\track_center.png
Filesize
1KB

MD5
3f2b0c22f8ea28dcbb82b39a16a039aa

SHA1
b3f4dfc2ea86fbdad05877b4c356b7fa8016731d

SHA256
794f9eeca7fd99846968376b76a296c927532cef1271325cbf555caa0d0d5860

SHA512
b4bf65d751717e85418947662d315ae3bcb177f60914832fefeeb95da9eddb75eb5531c62e5a5a70ff03c8a025b5a03e61ffbdecc9f483bea9684454ca9362d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\track_left.png
Filesize
1KB

MD5
55dacb00cbe2825a8540236c5777a205

SHA1
18a52ac6c741b558500fbc1716d46b4fe4471982

SHA256
a8340fb5380c922b60ea40043590dba067dcfed6e22636851691df38156a3aa8

SHA512
2ea444cc1080f20761c8d71d96fcd04ef48254cdc1dc41d1d139f459ea5613fe12f6e4bd026bf33a5c01ff038e72e05dae2f8fba33ff517dd395e1911f10ff10

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\track_right.png
Filesize
1KB

MD5
ddec70b6c49be3e8c3a7d01c2f6ff1c5

SHA1
5383271999f787c36b1dc8f3cc13c8407b195439

SHA256
f54cd6e42f2b2bc5cb8a15f6a28f1499abf094a519ebdf39f4c4e167312c9c16

SHA512
f43f94b194b5a7eafcec9e831f61042859c30e1af2e2447195bdd06b12c90982181161a1c1be5aa5223ff664f88e4891bd71cfffb7ef672d6fe4f614030e0e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M3DG7.tmp\setup_papers_please_1.2.76_(54232).tmp
Filesize
1.3MB

MD5
584b93c043e09f22f0f94d90220b90d2

SHA1
0cc5a8f9c7f6924dc1198001db3218953ac0ad99

SHA256
ca4b29bc6469a8a733431e071a360dcca48cf5d4886f455514161c9c62c44256

SHA512
2039520e5b8d71984e3203d63472d2ee3d1be2d9294f3add58804f0f55fe361c7de2a82855f3a3f18c9920198eb31a9471a2987c69961c0caef74b7671114736

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M3DG7.tmp\setup_papers_please_1.2.76_(54232).tmp
Filesize
1.3MB

MD5
584b93c043e09f22f0f94d90220b90d2

SHA1
0cc5a8f9c7f6924dc1198001db3218953ac0ad99

SHA256
ca4b29bc6469a8a733431e071a360dcca48cf5d4886f455514161c9c62c44256

SHA512
2039520e5b8d71984e3203d63472d2ee3d1be2d9294f3add58804f0f55fe361c7de2a82855f3a3f18c9920198eb31a9471a2987c69961c0caef74b7671114736

Download Submit
\GOG Games\PapersPlease\PapersPlease.exe
Filesize
11.5MB

MD5
503bf5b8fefd351bfb23a3fc1278d183

SHA1
5d66f25f03b9c95e3455c1c5a113df8d35ee092d

SHA256
936e5af2c7f01f7a03782bda924d912d51e7f4df69a3371a4416305375bc71b4

SHA512
667221deb3306338e2cca4a533f32cb3038066eec8656263b4e5439be8bf21ca9e37f5357c3a7c29573e6b8b9a26d88f195cd2ac01be289d417aa175780a7bac

Download Submit
\GOG Games\PapersPlease\PapersPlease.exe
Filesize
11.5MB

MD5
503bf5b8fefd351bfb23a3fc1278d183

SHA1
5d66f25f03b9c95e3455c1c5a113df8d35ee092d

SHA256
936e5af2c7f01f7a03782bda924d912d51e7f4df69a3371a4416305375bc71b4

SHA512
667221deb3306338e2cca4a533f32cb3038066eec8656263b4e5439be8bf21ca9e37f5357c3a7c29573e6b8b9a26d88f195cd2ac01be289d417aa175780a7bac

Download Submit
\GOG Games\PapersPlease\PapersPlease.exe
Filesize
11.5MB

MD5
503bf5b8fefd351bfb23a3fc1278d183

SHA1
5d66f25f03b9c95e3455c1c5a113df8d35ee092d

SHA256
936e5af2c7f01f7a03782bda924d912d51e7f4df69a3371a4416305375bc71b4

SHA512
667221deb3306338e2cca4a533f32cb3038066eec8656263b4e5439be8bf21ca9e37f5357c3a7c29573e6b8b9a26d88f195cd2ac01be289d417aa175780a7bac

Download Submit
\GOG Games\PapersPlease\PapersPlease.exe
Filesize
11.5MB

MD5
503bf5b8fefd351bfb23a3fc1278d183

SHA1
5d66f25f03b9c95e3455c1c5a113df8d35ee092d

SHA256
936e5af2c7f01f7a03782bda924d912d51e7f4df69a3371a4416305375bc71b4

SHA512
667221deb3306338e2cca4a533f32cb3038066eec8656263b4e5439be8bf21ca9e37f5357c3a7c29573e6b8b9a26d88f195cd2ac01be289d417aa175780a7bac

Download Submit
\GOG Games\PapersPlease\PapersPlease.exe
Filesize
11.5MB

MD5
503bf5b8fefd351bfb23a3fc1278d183

SHA1
5d66f25f03b9c95e3455c1c5a113df8d35ee092d

SHA256
936e5af2c7f01f7a03782bda924d912d51e7f4df69a3371a4416305375bc71b4

SHA512
667221deb3306338e2cca4a533f32cb3038066eec8656263b4e5439be8bf21ca9e37f5357c3a7c29573e6b8b9a26d88f195cd2ac01be289d417aa175780a7bac

Download Submit
\GOG Games\PapersPlease\PapersPlease.exe
Filesize
11.5MB

MD5
503bf5b8fefd351bfb23a3fc1278d183

SHA1
5d66f25f03b9c95e3455c1c5a113df8d35ee092d

SHA256
936e5af2c7f01f7a03782bda924d912d51e7f4df69a3371a4416305375bc71b4

SHA512
667221deb3306338e2cca4a533f32cb3038066eec8656263b4e5439be8bf21ca9e37f5357c3a7c29573e6b8b9a26d88f195cd2ac01be289d417aa175780a7bac

Download Submit
\GOG Games\PapersPlease\__redist\ISI\scriptinterpreter.exe
Filesize
1.2MB

MD5
0bc15db65acd786eab042566a1e1210b

SHA1
629e95532563d80e714aa3ce3e40c1f605c70773

SHA256
463e20f2b84d5a0d12049c6677f434ea7dd1a3035f053279e67bda8fd2dfc078

SHA512
d1959c156dc9aaf5a4e4f906352422db89ae687b6947995e782ce8520bcd4af37eb910cb466071e331f346cd29e8c9070dc8150feed024e483fb1d1964790669

Download Submit
\GOG Games\PapersPlease\lime.ndll
Filesize
7.7MB

MD5
f87ea1a6892b1a02615d4efc2af42ae7

SHA1
1aed7c51a52b27e3fe4669a7813de83f86243ee2

SHA256
65ca003dd8cf1858b1685f94379a93fb5fb70cc304e3b0dfcbbb0b8fe7ff68fb

SHA512
97f7eac332045310f6babe28ca107e9755ab873aeb1610a9f3774b2858dd77e781ad89303cad7b3898fbcfcf51f6720b2dde49716215459e377dafd00462e362

Download Submit
\GOG Games\PapersPlease\unins000.exe
Filesize
1.3MB

MD5
584b93c043e09f22f0f94d90220b90d2

SHA1
0cc5a8f9c7f6924dc1198001db3218953ac0ad99

SHA256
ca4b29bc6469a8a733431e071a360dcca48cf5d4886f455514161c9c62c44256

SHA512
2039520e5b8d71984e3203d63472d2ee3d1be2d9294f3add58804f0f55fe361c7de2a82855f3a3f18c9920198eb31a9471a2987c69961c0caef74b7671114736

Download Submit
\GOG Games\PapersPlease\unins000.exe
Filesize
1.3MB

MD5
584b93c043e09f22f0f94d90220b90d2

SHA1
0cc5a8f9c7f6924dc1198001db3218953ac0ad99

SHA256
ca4b29bc6469a8a733431e071a360dcca48cf5d4886f455514161c9c62c44256

SHA512
2039520e5b8d71984e3203d63472d2ee3d1be2d9294f3add58804f0f55fe361c7de2a82855f3a3f18c9920198eb31a9471a2987c69961c0caef74b7671114736

Download Submit
\Users\Admin\AppData\Local\Temp\is-4BO6U.tmp\scriptInterpreter.tmp
Filesize
1.3MB

MD5
5fbb8d112408800bf9cc257f8be6f580

SHA1
c6319048b9af0736212bebb25979a84a74db0a06

SHA256
0963b01b447c641bea6f5e9de250c1e8a0127a34440c8165594b67890026e6af

SHA512
390f4a1703c867d6f9edae3b02334126565b9995989f2edc16d5749dce7b059874373a5f6e870ce742012fa8b06e1c2c0c3ed56fffb864980496d328db8cbe02

Download Submit
\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\botva2.dll
Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\crcdll.dll
Filesize
69KB

MD5
1d51fac9e2384eeb674199cfd5281d7d

SHA1
861dfdc121357d605d0cc3793266713788109eb2

SHA256
23e90ce5a1f2d634a7bf5d5d0522fafeea6df9e536e16f5ce91035d5197128ec

SHA512
921b00adfe43b883200960e8d0958d4e6b97f6d5cfc096ee277766a3e44cc7805a20877a4edf8bd4d9102bb71a20ac218a9a512f4f76bd751d3ef14f4e0a6eda

Download Submit
\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-C6K8Q.tmp\uninstall.dll
Filesize
691KB

MD5
7db706c324cc9b6fda497d081eed6e26

SHA1
ca97392e573af0cf61bfa3301801a85f2beea44c

SHA256
cc685dbcf798549ad1a51c1dde45462e2a451ec59f48ee91219182a3871cd5b0

SHA512
8edf1494d57d5e708faaff4170f21f435658be897a6fe0acf243ced0701a7fd574b3c973c5bc5e8d92815e966c98977e69ac1e3083ab00c11b072115527ffa19

Download Submit
\Users\Admin\AppData\Local\Temp\is-JA4AR.tmp\idp.dll
Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-JA4AR.tmp\uninstall.dll
Filesize
712KB

MD5
f3a88277fc7e0c057c40e47a7e43f9ad

SHA1
78ae0052b323139a4de7a5361a40503a39339f4c

SHA256
d88bcf910e7a5ce4d76ca48b263ef226911b455d3a8db80c9fa69aeb2b3898a1

SHA512
3c40377600fbb814fe19423404d2fb29f6342ab2a3a6d5dc50f42086fc0f59174184a0870d7f04fb6ee5f84828e1ed282396bfcb70842084af25f5af15cc8a1f

Download Submit
\Users\Admin\AppData\Local\Temp\is-M3DG7.tmp\setup_papers_please_1.2.76_(54232).tmp
Filesize
1.3MB

MD5
584b93c043e09f22f0f94d90220b90d2

SHA1
0cc5a8f9c7f6924dc1198001db3218953ac0ad99

SHA256
ca4b29bc6469a8a733431e071a360dcca48cf5d4886f455514161c9c62c44256

SHA512
2039520e5b8d71984e3203d63472d2ee3d1be2d9294f3add58804f0f55fe361c7de2a82855f3a3f18c9920198eb31a9471a2987c69961c0caef74b7671114736

Download Submit
memory/924-196-0x0000000001020000-0x000000000102E000-memory.dmp

Filesize
56KB

Download
memory/924-71-0x0000000003350000-0x0000000003407000-memory.dmp

Filesize
732KB

Download
memory/924-852-0x0000000001040000-0x0000000001192000-memory.dmp

Filesize
1.3MB

Download
memory/924-853-0x0000000000F90000-0x0000000000FA5000-memory.dmp

Filesize
84KB

Download
memory/924-854-0x0000000003350000-0x0000000003407000-memory.dmp

Filesize
732KB

Download
memory/924-855-0x0000000001020000-0x000000000102E000-memory.dmp

Filesize
56KB

Download
memory/924-61-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/924-63-0x0000000001040000-0x0000000001192000-memory.dmp

Filesize
1.3MB

Download
memory/924-195-0x0000000003350000-0x0000000003407000-memory.dmp

Filesize
732KB

Download
memory/924-194-0x0000000000F90000-0x0000000000FA5000-memory.dmp

Filesize
84KB

Download
memory/924-893-0x0000000001040000-0x0000000001192000-memory.dmp

Filesize
1.3MB

Download
memory/924-937-0x0000000001040000-0x0000000001192000-memory.dmp

Filesize
1.3MB

Download
memory/924-67-0x0000000000F90000-0x0000000000FA5000-memory.dmp

Filesize
84KB

Download
memory/924-193-0x0000000001040000-0x0000000001192000-memory.dmp

Filesize
1.3MB

Download
memory/924-190-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/924-191-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/924-114-0x0000000001020000-0x000000000102E000-memory.dmp

Filesize
56KB

Download
memory/924-198-0x0000000001040000-0x0000000001192000-memory.dmp

Filesize
1.3MB

Download
memory/924-203-0x0000000001040000-0x0000000001192000-memory.dmp

Filesize
1.3MB

Download
memory/936-834-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/936-868-0x0000000001060000-0x00000000011B2000-memory.dmp

Filesize
1.3MB

Download
memory/936-831-0x00000000039C0000-0x0000000003A7B000-memory.dmp

Filesize
748KB

Download
memory/1296-938-0x0000000001190000-0x00000000011C9000-memory.dmp

Filesize
228KB

Download
memory/1296-54-0x0000000001190000-0x00000000011C9000-memory.dmp

Filesize
228KB

Download
memory/1296-62-0x0000000001190000-0x00000000011C9000-memory.dmp

Filesize
228KB

Download
memory/1944-815-0x0000000000E30000-0x0000000000E69000-memory.dmp

Filesize
228KB

Download
memory/1944-869-0x0000000000E30000-0x0000000000E69000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads