3bb12fc60d09306575ed7190ef48f244e084cd5d82312ad89ae936fe1fdaa554

Analysis

max time kernel
77s
max time network
83s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28/05/2023, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Paper Please v1.2.72 [ElShuzen].exe
Size

31.8MB
MD5

f45f3907843e8a7ad9da9e55cc5574a3
SHA1

79e7852c9bf36270107bf15721a3659873fb5b5c
SHA256

3bb12fc60d09306575ed7190ef48f244e084cd5d82312ad89ae936fe1fdaa554
SHA512

a3c630b7dc4a258f4a05638ed764f4b38dcb17938702773bcd79a5907d10f03efb5b5106d0acd9f7a5a4617b213f8165412b20f51afa5b2463eb4fec13881fdc
SSDEEP

786432:9roajS9wU/kP9Xfx+KKsowUxu2unwyFUMeLcOIz7IVhwcTyCV75S:Vov9wTRIKv+xhGw0oLcOIz7snJc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1928	Paper Please v1.2.72 [ElShuzen].tmp
840	PapersPlease.exe

Loads dropped DLL 10 IoCs

pid	Process
1980	Paper Please v1.2.72 [ElShuzen].exe
1928	Paper Please v1.2.72 [ElShuzen].tmp
1928	Paper Please v1.2.72 [ElShuzen].tmp
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1928	Paper Please v1.2.72 [ElShuzen].tmp
840	PapersPlease.exe
1248	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Papers Please\loc\is-OMDPF.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\is-77RJC.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\is-0TRSC.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-FF6JB.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-QDJQ3.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-B5IM8.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-J3EJU.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\music\is-TFHL9.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-SH8LN.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-R5VOT.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-QKV0A.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\loc\is-136NR.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-42ESK.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-ANK57.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-FHNFB.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\loc\is-OLADN.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-9KDUF.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-430OJ.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\loc\is-QBMD2.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-MQ5P8.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\music\is-DFP6P.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-R5FCC.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-63UHP.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-3Q7OE.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-7JGMS.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\loc\is-8FI8V.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-J3G77.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-DE831.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-FMO6V.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-MQLBD.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-UQNSR.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\is-PIIKB.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-SR73S.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-DVGBJ.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\loc\is-J8SO2.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\unins000.dat	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-795JD.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-C4HIU.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-TD7TK.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\manifest\is-G0AC3.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-5298O.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-M4K31.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-6UR4A.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-T4FD6.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-056HL.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-Q4GVV.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-CSIEV.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-VJL8K.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\loc\is-U3BIA.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\loc\is-CBB33.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\is-TOPSJ.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-K9KTE.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-KEUP5.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-G079O.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\is-P09KR.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-ICEO2.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-UVQKN.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\music\is-LKEK3.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\loc\is-3H3HN.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-265I1.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-GF9JS.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\loc\is-VLIS0.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-62LI9.tmp	Paper Please v1.2.72 [ElShuzen].tmp
File created	C:\Program Files (x86)\Papers Please\assets\sound\is-C4M63.tmp	Paper Please v1.2.72 [ElShuzen].tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A6F3B6A3-FCFE-11ED-B8E8-C6F40EA7D53E}.dat = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A6F3B6A1-FCFE-11ED-B8E8-C6F40EA7D53E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1928	Paper Please v1.2.72 [ElShuzen].tmp
1928	Paper Please v1.2.72 [ElShuzen].tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1636	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1636	AUDIODG.EXE
Token: 33	1636	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1636	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1928	Paper Please v1.2.72 [ElShuzen].tmp
1596	iexplore.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1596	iexplore.exe
1596	iexplore.exe
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
840	PapersPlease.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1928	1980	Paper Please v1.2.72 [ElShuzen].exe	28
PID 1980 wrote to memory of 1928	1980	Paper Please v1.2.72 [ElShuzen].exe	28
PID 1980 wrote to memory of 1928	1980	Paper Please v1.2.72 [ElShuzen].exe	28
PID 1980 wrote to memory of 1928	1980	Paper Please v1.2.72 [ElShuzen].exe	28
PID 1980 wrote to memory of 1928	1980	Paper Please v1.2.72 [ElShuzen].exe	28
PID 1980 wrote to memory of 1928	1980	Paper Please v1.2.72 [ElShuzen].exe	28
PID 1980 wrote to memory of 1928	1980	Paper Please v1.2.72 [ElShuzen].exe	28
PID 1928 wrote to memory of 1596	1928	Paper Please v1.2.72 [ElShuzen].tmp	30
PID 1928 wrote to memory of 1596	1928	Paper Please v1.2.72 [ElShuzen].tmp	30
PID 1928 wrote to memory of 1596	1928	Paper Please v1.2.72 [ElShuzen].tmp	30
PID 1928 wrote to memory of 1596	1928	Paper Please v1.2.72 [ElShuzen].tmp	30
PID 1596 wrote to memory of 1144	1596	iexplore.exe	32
PID 1596 wrote to memory of 1144	1596	iexplore.exe	32
PID 1596 wrote to memory of 1144	1596	iexplore.exe	32
PID 1596 wrote to memory of 1144	1596	iexplore.exe	32
PID 1928 wrote to memory of 840	1928	Paper Please v1.2.72 [ElShuzen].tmp	33
PID 1928 wrote to memory of 840	1928	Paper Please v1.2.72 [ElShuzen].tmp	33
PID 1928 wrote to memory of 840	1928	Paper Please v1.2.72 [ElShuzen].tmp	33
PID 1928 wrote to memory of 840	1928	Paper Please v1.2.72 [ElShuzen].tmp	33
PID 1928 wrote to memory of 840	1928	Paper Please v1.2.72 [ElShuzen].tmp	33

C:\Users\Admin\AppData\Local\Temp\Paper Please v1.2.72 [ElShuzen].exe
"C:\Users\Admin\AppData\Local\Temp\Paper Please v1.2.72 [ElShuzen].exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\is-QBK96.tmp\Paper Please v1.2.72 [ElShuzen].tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QBK96.tmp\Paper Please v1.2.72 [ElShuzen].tmp" /SL5="$70126,32533385,1193984,C:\Users\Admin\AppData\Local\Temp\Paper Please v1.2.72 [ElShuzen].exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.com/invite/zU6wWyH8GC
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1144
- - C:\Program Files (x86)\Papers Please\PapersPlease.exe
    "C:\Program Files (x86)\Papers Please\PapersPlease.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:840

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1c0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Papers Please\PapersPlease.exe

Filesize
11.5MB

MD5
882bec28e46fa335a1e7b73b9fa84872

SHA1
cd563b57681766bc20124d00ff94c85ee13c993b

SHA256
ed9763825186a25b6891997a03eb65cb94325403812ac4e246313e68a8d24c94

SHA512
19376c3c7e79c0e1b9a42debef317b3073aa2936c01285b366148283f893682f33a3d03a58e908a0110f5f2d1d6e480f96165a2cd3d636434c66ce1e403b2c2f

Download Submit
C:\Program Files (x86)\Papers Please\PapersPlease.exe

Filesize
11.5MB

MD5
882bec28e46fa335a1e7b73b9fa84872

SHA1
cd563b57681766bc20124d00ff94c85ee13c993b

SHA256
ed9763825186a25b6891997a03eb65cb94325403812ac4e246313e68a8d24c94

SHA512
19376c3c7e79c0e1b9a42debef317b3073aa2936c01285b366148283f893682f33a3d03a58e908a0110f5f2d1d6e480f96165a2cd3d636434c66ce1e403b2c2f

Download Submit
C:\Program Files (x86)\Papers Please\PapersPlease.exe

Filesize
11.5MB

MD5
882bec28e46fa335a1e7b73b9fa84872

SHA1
cd563b57681766bc20124d00ff94c85ee13c993b

SHA256
ed9763825186a25b6891997a03eb65cb94325403812ac4e246313e68a8d24c94

SHA512
19376c3c7e79c0e1b9a42debef317b3073aa2936c01285b366148283f893682f33a3d03a58e908a0110f5f2d1d6e480f96165a2cd3d636434c66ce1e403b2c2f

Download Submit
C:\Program Files (x86)\Papers Please\assets\Art.dat

Filesize
2.9MB

MD5
83a2ee437fa70505b27ea3e59e84dc47

SHA1
828a37a43302093a71c894e22b0836ad091147f3

SHA256
8872399393c4b403af34803bd26fe7fe47883e0c05b746ec1c50578eaeafff08

SHA512
66b1dcc07e718d8a2f41de363c86249b8eec08da052a20924299eef62ad97255b4b705e339e2cab4b2409c0ca55c780143e1684e0ae1c7c3f98fec08a6aaee2b

Download Submit
C:\Program Files (x86)\Papers Please\assets\Inconsolata-Bold.ttf

Filesize
66KB

MD5
819f56653a4197a7959c41ddfc8ff69b

SHA1
995a8160348f586143c9b3bc3c527786066779b5

SHA256
546ab1e196e94157a89af9fe42efea5149cbe346615023681461189d7a4496bf

SHA512
c9bf15571366fb0d0d9cf7128e2865f31d26f40658ebce234ffd351deefcd0d30c75321a16d991efca915404786a2491af7905527c3c01c1f9cce5e5f2352412

Download Submit
C:\Program Files (x86)\Papers Please\assets\music\Theme.ogg

Filesize
2.0MB

MD5
63236f4627837ca08114651fb0d062d5

SHA1
a8aaa4c6ad1af1151ed096cda4483e4d23ef6430

SHA256
5ffbc7ea354b5d92775952e6cf18498a740871f1dff349a308987ce0c7f2320c

SHA512
bf85b1b5b474efbea7c2ab235993b7f0df78a6241bf0ff9a92aaecc970fa4764567cb63824ad19b8dbefc53c6198bfbe486b7e99b2f444ba33e766ae4bfc7e40

Download Submit
C:\Program Files (x86)\Papers Please\assets\sound\button-down.wav

Filesize
11KB

MD5
17364ce8f6793451b373e6da297e4ee6

SHA1
c16129e12562bb7ee89715586dd449039735d316

SHA256
e5bf621711bf72a962a24a962e891b2516d040f8a8ffbedcab0145fbddab614f

SHA512
18d91de1b3cc2ae5d1091d98e80af19aca899ea0326c996cb6909b5c59f4d1177d71c20b410ba269521103170765dedecb99c2e8a2a5b7fd744b308cfeecaf7c

Download Submit
C:\Program Files (x86)\Papers Please\assets\sound\button-up.wav

Filesize
17KB

MD5
9f6f065ba912a9293f7e84ef9435c508

SHA1
8304e47e95ec026d66719d5dcef13d4c108579e9

SHA256
a9e615c7021a40d3b3d99b6fccc2bd6bc478766d20cdde48fe5e7f4d551d0ffe

SHA512
f1c176cd87f0c0098ca76b4e7976581ba4673838639c10710eccfc606f049bb40122b30f0bdb17b2dca8b897c83b90f382a1535d41fab824535beb39d1b6d30e

Download Submit
C:\Program Files (x86)\Papers Please\boot.xml

Filesize
1KB

MD5
663c08216b9cf33586579477b7a50413

SHA1
8a1d10e3b1e998f82d6b6b4e2e9b061735bdcc2c

SHA256
573962eabdbab1f83c81fe57d97627c62c766b54ba369dceade281894aa9ff45

SHA512
26becbfe1b38936d0fd3cdd6c20b26e96fc9bb2a5630e307d08bb1e1ba8cff480acaddce5f1f23f232934bb32f8479272736ad91cc905ed136c2d60cf877241c

Download Submit
C:\Program Files (x86)\Papers Please\lime.ndll

Filesize
7.7MB

MD5
f87ea1a6892b1a02615d4efc2af42ae7

SHA1
1aed7c51a52b27e3fe4669a7813de83f86243ee2

SHA256
65ca003dd8cf1858b1685f94379a93fb5fb70cc304e3b0dfcbbb0b8fe7ff68fb

SHA512
97f7eac332045310f6babe28ca107e9755ab873aeb1610a9f3774b2858dd77e781ad89303cad7b3898fbcfcf51f6720b2dde49716215459e377dafd00462e362

Download Submit
C:\Program Files (x86)\Papers Please\loc\en.zip

Filesize
519KB

MD5
ba4bb9850d58ce5841aaef7fb4ab323c

SHA1
186ff341902a9c260427cea0b1fc31f6e5959fcd

SHA256
8eeed8807c1534df068c2a5f5fe7f788ca1c5b05f9299b336f6c2a21ea4b7b58

SHA512
4195a53fa2a11404b3a1efcb87d7ebcc5e4665a97ac484da9a99349dddeb7e737c073ec5740c7e59e6a4cbf96000225507ed30ecb5e010604ae345774b39820b

Download Submit
C:\Program Files (x86)\Papers Please\manifest\default.json

Filesize
6KB

MD5
d345a5a62376a1afb35d341369b26ac1

SHA1
e5f37abf90b047b162f685adecf9a0a1f8c44fdb

SHA256
41b5ad90ca9760ee1e5dbc13938cf0387bef46c92a3abb37e7501fa5214e8847

SHA512
cd2ba734f94e6adf71c004b8648bf1f84e58c50685c9be0ab6523cd835f711a7789f6a5c72df54a3c229eecb169124851de64f23fe3dcff5a10e55a92ce5ab45

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QBK96.tmp\Paper Please v1.2.72 [ElShuzen].tmp

Filesize
3.4MB

MD5
63c4af2b1444bc4d2f5fc6bc3ca5bc13

SHA1
546f6d2e70030cbc3c756163dc9fbee99dae02eb

SHA256
a570b8c62c3c696986a499a709d21c01e83ec00e821eef9a7e43469ee0c2caf8

SHA512
1ace857b7ca5cf8d67fb92a5d681b533c9159da695e774d3c0031010e0caa48db4986fb50838761316b37712d602a2cb771dbd255370bff192a653354d432dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QBK96.tmp\Paper Please v1.2.72 [ElShuzen].tmp

Filesize
3.4MB

MD5
63c4af2b1444bc4d2f5fc6bc3ca5bc13

SHA1
546f6d2e70030cbc3c756163dc9fbee99dae02eb

SHA256
a570b8c62c3c696986a499a709d21c01e83ec00e821eef9a7e43469ee0c2caf8

SHA512
1ace857b7ca5cf8d67fb92a5d681b533c9159da695e774d3c0031010e0caa48db4986fb50838761316b37712d602a2cb771dbd255370bff192a653354d432dad

Download Submit
\Program Files (x86)\Papers Please\PapersPlease.exe

Filesize
11.5MB

MD5
882bec28e46fa335a1e7b73b9fa84872

SHA1
cd563b57681766bc20124d00ff94c85ee13c993b

SHA256
ed9763825186a25b6891997a03eb65cb94325403812ac4e246313e68a8d24c94

SHA512
19376c3c7e79c0e1b9a42debef317b3073aa2936c01285b366148283f893682f33a3d03a58e908a0110f5f2d1d6e480f96165a2cd3d636434c66ce1e403b2c2f

Download Submit
\Program Files (x86)\Papers Please\PapersPlease.exe

Filesize
11.5MB

MD5
882bec28e46fa335a1e7b73b9fa84872

SHA1
cd563b57681766bc20124d00ff94c85ee13c993b

SHA256
ed9763825186a25b6891997a03eb65cb94325403812ac4e246313e68a8d24c94

SHA512
19376c3c7e79c0e1b9a42debef317b3073aa2936c01285b366148283f893682f33a3d03a58e908a0110f5f2d1d6e480f96165a2cd3d636434c66ce1e403b2c2f

Download Submit
\Program Files (x86)\Papers Please\PapersPlease.exe

Filesize
11.5MB

MD5
882bec28e46fa335a1e7b73b9fa84872

SHA1
cd563b57681766bc20124d00ff94c85ee13c993b

SHA256
ed9763825186a25b6891997a03eb65cb94325403812ac4e246313e68a8d24c94

SHA512
19376c3c7e79c0e1b9a42debef317b3073aa2936c01285b366148283f893682f33a3d03a58e908a0110f5f2d1d6e480f96165a2cd3d636434c66ce1e403b2c2f

Download Submit
\Program Files (x86)\Papers Please\PapersPlease.exe

Filesize
11.5MB

MD5
882bec28e46fa335a1e7b73b9fa84872

SHA1
cd563b57681766bc20124d00ff94c85ee13c993b

SHA256
ed9763825186a25b6891997a03eb65cb94325403812ac4e246313e68a8d24c94

SHA512
19376c3c7e79c0e1b9a42debef317b3073aa2936c01285b366148283f893682f33a3d03a58e908a0110f5f2d1d6e480f96165a2cd3d636434c66ce1e403b2c2f

Download Submit
\Program Files (x86)\Papers Please\PapersPlease.exe

Filesize
11.5MB

MD5
882bec28e46fa335a1e7b73b9fa84872

SHA1
cd563b57681766bc20124d00ff94c85ee13c993b

SHA256
ed9763825186a25b6891997a03eb65cb94325403812ac4e246313e68a8d24c94

SHA512
19376c3c7e79c0e1b9a42debef317b3073aa2936c01285b366148283f893682f33a3d03a58e908a0110f5f2d1d6e480f96165a2cd3d636434c66ce1e403b2c2f

Download Submit
\Program Files (x86)\Papers Please\PapersPlease.exe

Filesize
11.5MB

MD5
882bec28e46fa335a1e7b73b9fa84872

SHA1
cd563b57681766bc20124d00ff94c85ee13c993b

SHA256
ed9763825186a25b6891997a03eb65cb94325403812ac4e246313e68a8d24c94

SHA512
19376c3c7e79c0e1b9a42debef317b3073aa2936c01285b366148283f893682f33a3d03a58e908a0110f5f2d1d6e480f96165a2cd3d636434c66ce1e403b2c2f

Download Submit
\Program Files (x86)\Papers Please\PapersPlease.exe

Filesize
11.5MB

MD5
882bec28e46fa335a1e7b73b9fa84872

SHA1
cd563b57681766bc20124d00ff94c85ee13c993b

SHA256
ed9763825186a25b6891997a03eb65cb94325403812ac4e246313e68a8d24c94

SHA512
19376c3c7e79c0e1b9a42debef317b3073aa2936c01285b366148283f893682f33a3d03a58e908a0110f5f2d1d6e480f96165a2cd3d636434c66ce1e403b2c2f

Download Submit
\Program Files (x86)\Papers Please\PapersPlease.exe

Filesize
11.5MB

MD5
882bec28e46fa335a1e7b73b9fa84872

SHA1
cd563b57681766bc20124d00ff94c85ee13c993b

SHA256
ed9763825186a25b6891997a03eb65cb94325403812ac4e246313e68a8d24c94

SHA512
19376c3c7e79c0e1b9a42debef317b3073aa2936c01285b366148283f893682f33a3d03a58e908a0110f5f2d1d6e480f96165a2cd3d636434c66ce1e403b2c2f

Download Submit
\Program Files (x86)\Papers Please\lime.ndll

Filesize
7.7MB

MD5
f87ea1a6892b1a02615d4efc2af42ae7

SHA1
1aed7c51a52b27e3fe4669a7813de83f86243ee2

SHA256
65ca003dd8cf1858b1685f94379a93fb5fb70cc304e3b0dfcbbb0b8fe7ff68fb

SHA512
97f7eac332045310f6babe28ca107e9755ab873aeb1610a9f3774b2858dd77e781ad89303cad7b3898fbcfcf51f6720b2dde49716215459e377dafd00462e362

Download Submit
\Users\Admin\AppData\Local\Temp\is-QBK96.tmp\Paper Please v1.2.72 [ElShuzen].tmp

Filesize
3.4MB

MD5
63c4af2b1444bc4d2f5fc6bc3ca5bc13

SHA1
546f6d2e70030cbc3c756163dc9fbee99dae02eb

SHA256
a570b8c62c3c696986a499a709d21c01e83ec00e821eef9a7e43469ee0c2caf8

SHA512
1ace857b7ca5cf8d67fb92a5d681b533c9159da695e774d3c0031010e0caa48db4986fb50838761316b37712d602a2cb771dbd255370bff192a653354d432dad

Download Submit
memory/1928-343-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/1928-329-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/1928-93-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/1928-64-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/1928-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1980-344-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1980-54-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1980-63-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download