783025643a7ab680ac2529d00c282a4989f1d43362bc0047b74e4537d2e28d91

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63b73406348cbf686aab2d219555ff9c.exe
Size

1.2MB
MD5

63b73406348cbf686aab2d219555ff9c
SHA1

8a6d3aa41e0b0c68528d8abda47703f66acb6ede
SHA256

783025643a7ab680ac2529d00c282a4989f1d43362bc0047b74e4537d2e28d91
SHA512

9e22792aa5fee8ed50d6388f4fe4979b867fc9753a8b564ad47579ab4bdee79c1824a6ecf1fd5ae8d7358bc013d3a715c155e052d2da8cb079bc89f7d7a89f94
SSDEEP

24576:Butr5OUs/ifYhM1Ta+kgE5c1pzLVa5LPxhHhaMV2PeY3dJi4FXkj:BuXOifEM1FkZ+zpa9Px+Mgn3fi4F0j

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3008	bstrapInstall.exe
1656	gameinstaller.exe
2500	bstrapInstall.exe
1416	gameinstaller.exe

Loads dropped DLL 34 IoCs

pid	Process
2908	63b73406348cbf686aab2d219555ff9c.exe
3008	bstrapInstall.exe
3008	bstrapInstall.exe
3008	bstrapInstall.exe
1088	regsvr32.exe
1088	regsvr32.exe
1088	regsvr32.exe
3008	bstrapInstall.exe
1656	gameinstaller.exe
1656	gameinstaller.exe
1656	gameinstaller.exe
1656	gameinstaller.exe
1656	gameinstaller.exe
1656	gameinstaller.exe
1656	gameinstaller.exe
1656	gameinstaller.exe
1656	gameinstaller.exe
2500	bstrapInstall.exe
2500	bstrapInstall.exe
2236	regsvr32.exe
2236	regsvr32.exe
2236	regsvr32.exe
2500	bstrapInstall.exe
1416	gameinstaller.exe
1416	gameinstaller.exe
1416	gameinstaller.exe
1416	gameinstaller.exe
1416	gameinstaller.exe
1416	gameinstaller.exe
1416	gameinstaller.exe
1416	gameinstaller.exe
2680	regsvr32.exe
1416	gameinstaller.exe
1416	gameinstaller.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\gameinstaller.exe	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\UnRar.exe	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\gtbCom.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\socket\mime\core.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\waitProc.html	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket\socket	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket\socket\core.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\tmp.xml	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\ServerTransaction.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\Extensions\CheckInstallGoogleToolbar.clf	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\blob	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\Resources	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\Resources\zylom\waiting_bar.gif	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\config.lua	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\wait.html	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\Extensions\CheckInstallTwcDesktopWeather.clf	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\Resources\zylom\waitProc.html	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\ServerTransaction.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\Extensions\CheckInstallGoogleToolbar.clf	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\Resources\zylom\waiting_to_install2.gif	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\gtapi_signed.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\OCSetupHlp.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\blank.html	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\RAInstallerPaths.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\Resources\zylom\waiting_to_install.gif	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\Resources\zylom\waitProc.html	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\gamewrapper.exe	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\RAInstallerPaths.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\installerMain.clf	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\Resources\zylom\waiting_to_install.gif	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\Resources\zylom\spinner.gif	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\wait.html	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\OCSetupHlp.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\gameinstaller.exe	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\GCHROME.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\mrClean.clf	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\installLog.txt	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\lua50.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket\ltn12.lua	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket\mime	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\gtapi_signed.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\Resources\zylom\wait.html	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\blob	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\Resources\zylom\waiting_bar.gif	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\mrClean.clf	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\blank.html	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\compat-5.1.lua	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\waiting_to_install.gif	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\Extensions\CheckInstallTwcDesktopWeather.clf	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\Resources\zylom\wait.html	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\socket\socket.lua	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket\mime.lua	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\installerMain.clf	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket\socket.lua	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\InstallerDlg.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\Extensions\CheckInstallComcastGamesToolbar.clf	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\waitProc.html	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\gcapi_dll.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\luacom.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\Extensions	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\installLog.txt	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\gcapi_dll.dll	gameinstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	gameinstaller.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D62088BE-DBCC-11DB-8D0A-D0DD55D89595}	gameinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D62088BE-DBCC-11DB-8D0A-D0DD55D89595}\Policy = "3"	gameinstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D62088BE-DBCC-11DB-8D0A-D0DD55D89595}\AppName = "gameinstaller.exe"	gameinstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D62088BE-DBCC-11DB-8D0A-D0DD55D89595}\AppPath = "C:\\Program Files (x86)\\RealArcade\\Installer\\bin"	gameinstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	gameinstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	gameinstaller.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5818813E-D53D-47A5-ABBB-37E2A07056B5}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5818813E-D53D-47A5-ABBB-37E2A07056B5}\TypeLib\ = "{12631F96-F37E-4975-81D5-16E871EE557B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{12DE7CAC-9F64-48FA-9526-212043DF0AAE}\TypeLib\ = "{12631F96-F37E-4975-81D5-16E871EE557B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48D11E12-E33E-40A7-A78D-2EAFD88906DC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ProcessMgr\CLSID\ = "{5818813E-D53D-47A5-ABBB-37E2A07056B5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RACInstaller.StateCtrl\CLSID\ = "{C8F76629-E4F4-4646-AFC0-665082D167B1}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7E480B1-78D1-4D43-8B94-0D32DD109899}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RealArcade.rgi\shell\Open\command\ = "\"C:\\Program Files (x86)\\RealArcade\\Installer\\bin\\gameinstaller.exe\" \"C:\\Program Files (x86)\\RealArcade\\Installer\\bin\\..\\installerMain.clf\" \"%1\""	gameinstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D10077E-0FF1-42E9-940A-CFFEE4DC7D63}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D991AAA3-6CEB-47CD-9A34-08E0C9D0959E}\TypeLib\ = "{12631F96-F37E-4975-81D5-16E871EE557B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{860450DB-79C1-44E4-96E0-C89144E4B444}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\VersionIndependentProgID\ = "RACInstaller.StateCtrl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D60A064-2009-4623-8FC1-F99CAC01037E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{860450DB-79C1-44E4-96E0-C89144E4B444}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28DFE5B9-610E-4df7-9ADD-615BE7F7CAFA}\InprocServer32\ = "C:\\Program Files (x86)\\RealArcade\\Installer\\bin\\GCHROME.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{748744E8-6812-4F07-9F57-5F40395BDE65}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{860450DB-79C1-44E4-96E0-C89144E4B444}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29F023B2-B05F-4613-A60F-2A0094DF3017}\ = "IRegAccess"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5609BFB-AC99-4F0C-AA90-5BA58C1E382E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InstallerDlg.InstallDlgCtl\CLSID\ = "{7B5C103F-DAAF-425E-B3A9-DEDE61F3A6F4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ShellCtl.1\CLSID\ = "{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.RegAccess\CLSID\ = "{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\TypeLib\ = "{12631F96-F37E-4975-81D5-16E871EE557B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GCHROME.ChromeCompatibilityChecker\CurVer\ = "GCHROME.ChromeCompatibilityChecker.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{12DE7CAC-9F64-48FA-9526-212043DF0AAE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5818813E-D53D-47A5-ABBB-37E2A07056B5}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5818813E-D53D-47A5-ABBB-37E2A07056B5}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ProcessMgr\CurVer	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{748744E8-6812-4F07-9F57-5F40395BDE65}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D991AAA3-6CEB-47CD-9A34-08E0C9D0959E}\TypeLib\ = "{12631F96-F37E-4975-81D5-16E871EE557B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B5C103F-DAAF-425E-B3A9-DEDE61F3A6F4}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RACInstaller.StateCtrl\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\ = "CRegAccess Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12631F96-F37E-4975-81D5-16E871EE557B}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7E480B1-78D1-4D43-8B94-0D32DD109899}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29F023B2-B05F-4613-A60F-2A0094DF3017}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rgi\ = "RealArcade.rgi"	gameinstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RACInstaller.StateCtrl\CLSID\ = "{C8F76629-E4F4-4646-AFC0-665082D167B1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5818813E-D53D-47A5-ABBB-37E2A07056B5}\VersionIndependentProgID\ = "StubbyUtil.ProcessMgr"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ProcessMgr.1\ = "CProcessMgr Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\TypeLib\ = "{12631F96-F37E-4975-81D5-16E871EE557B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B5C103F-DAAF-425E-B3A9-DEDE61F3A6F4}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D10077E-0FF1-42E9-940A-CFFEE4DC7D63}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71AFB688-0483-40F7-A49B-6A411DA1DF0B}\ = "IChromeCompatibilityChecker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71AFB688-0483-40F7-A49B-6A411DA1DF0B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B5C103F-DAAF-425E-B3A9-DEDE61F3A6F4}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B5C103F-DAAF-425E-B3A9-DEDE61F3A6F4}\TypeLib\ = "{12631F96-F37E-4975-81D5-16E871EE557B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B5C103F-DAAF-425E-B3A9-DEDE61F3A6F4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D10077E-0FF1-42E9-940A-CFFEE4DC7D63}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\RealArcade\\Installer\\bin\\"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1656	gameinstaller.exe
1656	gameinstaller.exe
1656	gameinstaller.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2908	63b73406348cbf686aab2d219555ff9c.exe
Token: SeRestorePrivilege	2908	63b73406348cbf686aab2d219555ff9c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1656	gameinstaller.exe
1656	gameinstaller.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 3008	2908	63b73406348cbf686aab2d219555ff9c.exe	28
PID 2908 wrote to memory of 3008	2908	63b73406348cbf686aab2d219555ff9c.exe	28
PID 2908 wrote to memory of 3008	2908	63b73406348cbf686aab2d219555ff9c.exe	28
PID 2908 wrote to memory of 3008	2908	63b73406348cbf686aab2d219555ff9c.exe	28
PID 2908 wrote to memory of 3008	2908	63b73406348cbf686aab2d219555ff9c.exe	28
PID 2908 wrote to memory of 3008	2908	63b73406348cbf686aab2d219555ff9c.exe	28
PID 2908 wrote to memory of 3008	2908	63b73406348cbf686aab2d219555ff9c.exe	28
PID 3008 wrote to memory of 1088	3008	bstrapInstall.exe	29
PID 3008 wrote to memory of 1088	3008	bstrapInstall.exe	29
PID 3008 wrote to memory of 1088	3008	bstrapInstall.exe	29
PID 3008 wrote to memory of 1088	3008	bstrapInstall.exe	29
PID 3008 wrote to memory of 1088	3008	bstrapInstall.exe	29
PID 3008 wrote to memory of 1088	3008	bstrapInstall.exe	29
PID 3008 wrote to memory of 1088	3008	bstrapInstall.exe	29
PID 3008 wrote to memory of 1656	3008	bstrapInstall.exe	30
PID 3008 wrote to memory of 1656	3008	bstrapInstall.exe	30
PID 3008 wrote to memory of 1656	3008	bstrapInstall.exe	30
PID 3008 wrote to memory of 1656	3008	bstrapInstall.exe	30
PID 3008 wrote to memory of 1656	3008	bstrapInstall.exe	30
PID 3008 wrote to memory of 1656	3008	bstrapInstall.exe	30
PID 3008 wrote to memory of 1656	3008	bstrapInstall.exe	30
PID 1656 wrote to memory of 2500	1656	gameinstaller.exe	34
PID 1656 wrote to memory of 2500	1656	gameinstaller.exe	34
PID 1656 wrote to memory of 2500	1656	gameinstaller.exe	34
PID 1656 wrote to memory of 2500	1656	gameinstaller.exe	34
PID 1656 wrote to memory of 2500	1656	gameinstaller.exe	34
PID 1656 wrote to memory of 2500	1656	gameinstaller.exe	34
PID 1656 wrote to memory of 2500	1656	gameinstaller.exe	34
PID 2500 wrote to memory of 2236	2500	bstrapInstall.exe	35
PID 2500 wrote to memory of 2236	2500	bstrapInstall.exe	35
PID 2500 wrote to memory of 2236	2500	bstrapInstall.exe	35
PID 2500 wrote to memory of 2236	2500	bstrapInstall.exe	35
PID 2500 wrote to memory of 2236	2500	bstrapInstall.exe	35
PID 2500 wrote to memory of 2236	2500	bstrapInstall.exe	35
PID 2500 wrote to memory of 2236	2500	bstrapInstall.exe	35
PID 2500 wrote to memory of 1416	2500	bstrapInstall.exe	36
PID 2500 wrote to memory of 1416	2500	bstrapInstall.exe	36
PID 2500 wrote to memory of 1416	2500	bstrapInstall.exe	36
PID 2500 wrote to memory of 1416	2500	bstrapInstall.exe	36
PID 2500 wrote to memory of 1416	2500	bstrapInstall.exe	36
PID 2500 wrote to memory of 1416	2500	bstrapInstall.exe	36
PID 2500 wrote to memory of 1416	2500	bstrapInstall.exe	36
PID 1416 wrote to memory of 2680	1416	gameinstaller.exe	37
PID 1416 wrote to memory of 2680	1416	gameinstaller.exe	37
PID 1416 wrote to memory of 2680	1416	gameinstaller.exe	37
PID 1416 wrote to memory of 2680	1416	gameinstaller.exe	37
PID 1416 wrote to memory of 2680	1416	gameinstaller.exe	37
PID 1416 wrote to memory of 2680	1416	gameinstaller.exe	37
PID 1416 wrote to memory of 2680	1416	gameinstaller.exe	37

C:\Users\Admin\AppData\Local\Temp\63b73406348cbf686aab2d219555ff9c.exe
"C:\Users\Admin\AppData\Local\Temp\63b73406348cbf686aab2d219555ff9c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\bstrapInstall.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\bstrapInstall.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32 /s .\bin\InstallerDlg.dll
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1088
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\gameinstaller.exe
    .\bin\gameinstaller.exe installerMain.clf
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Program Files (x86)\RealArcade\Installer\bin\bstrapInstall.exe
      "C:\Program Files (x86)\RealArcade\Installer\bin\bstrapInstall.exe" sfx:"C:\Users\Admin\AppData\Local\Temp\63b73406348cbf686aab2d219555ff9c.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        C:\Windows\system32\regsvr32 /s .\bin\InstallerDlg.dll
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:2236
    - - C:\Program Files (x86)\RealArcade\Installer\bin\gameinstaller.exe
        
        .\bin\gameinstaller.exe installerMain.clf "sfx:C:\Users\Admin\AppData\Local\Temp\63b73406348cbf686aab2d219555ff9c.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
      - C:\Windows\SysWOW64\regsvr32.exe
        
        C:\Windows\system32\regsvr32 /s "bin\GCHROME.dll"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Extensions\CheckInstallChrome.clf

Filesize
1KB

MD5
9c3a2bf9190a2af36f58a2bb01aaf6cf

SHA1
1cdba6f58a902749296c328d1649ccf68c461fe6

SHA256
fbe15fe74c760bcec56153ba382f2871e35015e75eefdf62569ff841159790f4

SHA512
0e16e295f5a0f036feab6cacabc7252024e8ccbdd38a180185336ae8377e6dc93b2a1c52505124d4a617e657e4e6221d0cc0115c29eda9470629070dfb3c4339

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Extensions\CheckInstallComcastGamesToolbar.clf

Filesize
1KB

MD5
b047d29436a53a4ee2acdae3c97cea30

SHA1
31a46a5a344144ed5845bb629d1802cfa2b0903a

SHA256
aaebc806285499bd1615eaef7cf1d16ff879630add7665684246abaabdfc55b5

SHA512
4a804e188c0d3bdb4ce0e74440813e0c9d58c4dc48772010d0354b92bcbae20947b995691f84e39cb675c9f17516f7329954aba2b635e65b12eb29cf8f162f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Extensions\CheckInstallGoogleToolbar.clf

Filesize
1KB

MD5
0fd8abbff5ea6384a44b7ac4f2f62cfa

SHA1
fad0a8a61436f0948f3d795a717a3f7b5bc19312

SHA256
40ea9b4b96ecd5c4101b09ef6f3205e084d27eb374085aebcc71b7c1d673feaf

SHA512
af6f3c47c8e105a21b83a155c799bc5a02a698b44baab256374493467aad3a14e59c6a5e0e01b9f35899a3c612fafaa5b252c92d1d2283088fe9b383cc7856aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Extensions\CheckInstallTwcDesktopWeather.clf

Filesize
1KB

MD5
22be30c1e6c61cf7031dbea80f497cac

SHA1
86641adee18c37b170a5824cf9c1d136c37e914e

SHA256
db16505e706a0d1d2146faf0549ae0e309fe4b256fbc87587337c272a6ec133f

SHA512
a61b04bd65dece724c41ae7b02c5e15ed9f0f9fbc0c7802937e86408faf281b22cbc99a0063a9b2e1c1babb6f3f3321f7efff698a7bc87839ffa35ba3972812f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resources\zylom\spinner.gif

Filesize
23KB

MD5
1753b06c89c1017ba98183a0a1059f15

SHA1
1c0f68a64b07bcf50a236f3d47fd4f095f8b3230

SHA256
a648c33311c4788ef2f45d967bab7da798a4b39fc6500ec0b15856f43c7e7940

SHA512
e71a675c6444a83f2169bb04b65affb9c7d5d741b26d601a6cc8364b2f05637365700e362225890ef4004669edf7ebf0361eb706b3dcba68c4fe72c252efcc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resources\zylom\wait.html

Filesize
4KB

MD5
fa4e3f74d4eaa462015ae04212cad2bd

SHA1
781322a9ea3fdc76141280f00d58225448a16396

SHA256
75ec86ca2f5108bb9f112b8020ed86e3763a7b9bf27cb149b09fe07b3d6b692e

SHA512
36ea4ae4a1b2498423fa44cfe1c51cffb0079c537ce748eb31a5364edaf566d69bb3f5e9c67b4c67ca175ae23ca3b691ad8a4693220feae974ea1eaf3af4d939

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resources\zylom\waitProc.html

Filesize
4KB

MD5
7bd3cd208c5ae618c93961f35e4d5618

SHA1
b0d2be77c23f361dc4e06ea08a7992729314bf8d

SHA256
237e3971eb4f282b275067cfa20e3ff18a424cb23d455a00473bc3563ecaee1c

SHA512
0c386b539438e546ed0c33b1c20b1cb812b1706c9d07ec70d458ee241ebaa2df9dbca22677c65d054509f6f73ae43f514c3099c99aa90630f03d3271a85fac71

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resources\zylom\waiting_bar.gif

Filesize
10KB

MD5
235cf132a3a841ba9636fb8234950810

SHA1
cf2782d25ac43afe7bd4b658cc65131a3f881254

SHA256
56f3be79dc14be995ae9fe072465fa397cdd955bbe2df4e3b11cbf8a41a7516b

SHA512
ef1b0da04caeb834352871fac10b9c42934d2dd47ecbecc588d4ca66082463ad9c671c34292701daf99787ef98a462d03d6f7acffbb372fcaaac61da39874e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resources\zylom\waiting_to_install.gif

Filesize
7KB

MD5
fa668d6180a0e4c7bd1c48fa8c436cc3

SHA1
f231664e1ccfd11f4c04877be5760e1dc434fad8

SHA256
29d26eec015fb6df7276804f12c2cfff8d868d0c6ef25b2bea0cd16c16113d5a

SHA512
df149a053a94f715eec766f520bbba5435ebab06378869c345132a997267f4bd80f0372e754fd63240c2a5b816c63f8804f3e6822f726c843d51224d52aeb5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resources\zylom\waiting_to_install2.gif

Filesize
4KB

MD5
41ac94bebb4b7e418d9bb2609393d83a

SHA1
118182c3d7eb070e2c064083b706371bea7f912a

SHA256
6de28addd1b88ba2b740ea21865d6d0655711fb8d2435f24327d7dc3e19f62e0

SHA512
b526c67b00f8c8e69698a432560aeaa5e22fee96e58b27ee4888909f35fef2567aff9e0d69287ffa7a0bb3eb2fedcdd3e59ff4acd53fa78bc4fb1f687813e56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\GCHROME.dll

Filesize
61KB

MD5
aea60fb24a29cad1350555687a53abe6

SHA1
9156b70107fef86243912350e544065dfd8c26b1

SHA256
3615e626072d7247fb6aa3db319c1813be32f72509975a2815078241e37d446a

SHA512
dd830b8d96b0c2f27cbd212d091377f04092c682de48bcc2c77900efe6dedbcb57ab6b0092065eb2ad4dc087a9426736587b7b978515a31ea047a49d1760a0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\InstallerDlg.dll

Filesize
378KB

MD5
81c1296895eadc1ef5c9a713a84247be

SHA1
4f0aa7e0d0808b22321c970136b78cc2b81dae2e

SHA256
f609ba4947259383fc6a0fb916e53b982be5ddd2dc9d9e0813afa695739e7ce3

SHA512
a91bffc910a7f32feb11250e79a51b80777b3746c7b0b63c64fbb55661c7d59f114d31c90acf7fc8ff5eeffa8b790502b68eaee86809ef31446b47f583885a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\OCSetupHlp.dll

Filesize
750KB

MD5
4ec193b95cc7fa7efc42f3ae24858f5c

SHA1
36ae6eb2622b267d6af41dafed394d278fccfcbe

SHA256
4a86f52c20347c3efe24812d35ad8feab6be8832b1f66f4e932bf19a3ceefe23

SHA512
269ab8d928e9f18a7b32e9d980766f34331cbdcc172ba04d4ccedd041e9d8ca0a73f782ed3d699416b4bd5e87cd96328a053db7b0d874b7849ca8241d07865cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\RAInstallerPaths.dll

Filesize
50KB

MD5
afb288a8d5c428b5c78d9516c5936a0f

SHA1
32e88ca94a85cc20f33aa2ecf53ea73233e6dc63

SHA256
31a0b4389164b272d2655929c0e68ed8e5c477c5d6c8879b5b3c751688784d24

SHA512
dc8c3e762b329cae473cdb6fea8b7e288ba5768c5f1fb6b7176758f5ae5f93c3f674aed64688846869814632be7317332c12cd561d34dd4cdff1e40f6c00903f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\ServerTransaction.dll

Filesize
96KB

MD5
696de80d5aad7ad89540bc1145ae0392

SHA1
320239f21cbc407a773e69fe9ba0cbccc6f4e5ce

SHA256
27f8ed354b181eee30b771f711fbfcb3c7fb6043a3cceac071f62fb942407b7f

SHA512
5d84babd97af696cda2b77f7c9dcff700ef5ee0f5fccb1745e75305aed9a3c65538fe4a4133aa27e8b8b9661179e1c2feda2e03cf5137b33cd50f0bd5fe54a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\UnRar.exe

Filesize
240KB

MD5
49710e363e4c247716508672f909d5ba

SHA1
74538e7a6515166fd6e83b9c72ee28e529e462e8

SHA256
cffd9238edb8484c2831508505e81a733f5074ba002f98e573dbdb7118c687ad

SHA512
e863b4bcb332a552d73a9dc2e41a4e86a4b528cd46991d3489c129ff46973778f65fac73051bd4a6d33e5c15b1154bc761bda376a767f48a3cc1d9391ada700f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\gameinstaller.exe

Filesize
97KB

MD5
86963636ae5ef9941c8915770cd52ded

SHA1
155be159cf8b1bd70377ebe4c476f6815841f669

SHA256
548ddd8530dbd86dae772957e6ac6285fd1896f3b567551407b10545c127014a

SHA512
677fe1a1224b8c337ee8196d79ba9a234a3533a8f037c8da3f78a655897f221a238e2cfddffd51d5552d5cf5c138b493af4625a0fd1074f53d28d97f19be983c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\gcapi_dll.dll

Filesize
62KB

MD5
a689eb4192ac28683b18c4e81b32559a

SHA1
aa436608c0e1a1a21153346a046ff00ee60aff1d

SHA256
cb81506dcb4de19a8c300ee010061845a7f20448c2387ae845f2d2099b54c981

SHA512
992c8f6e441e096c5def826c5665469b89642b0fc9a381f2cf63a98eb08bd58e4186a3a615078cd2775b78240f519c27501f46dea40e9b8b82b6d91b95d5ed17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\gtapi_signed.dll

Filesize
71KB

MD5
7950e8dcc2cc61cd975c4c7e0c518b02

SHA1
19be847844e2402988272f004b5bb5365aeec1c3

SHA256
be251267d1070de814f09e8ed9ad6e57ed2cee0f9c4ad0203cfae21bbe3f6390

SHA512
f3d38d10ed9a8365d4632bff63115b0b7134a77e0150b745e5e6b93cb03c8a74978a3188ec1346aba43815afeec6f9202492731f9df2bb28a7ae053ab2d8c13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\gtbCom.dll

Filesize
60KB

MD5
654cb86e988ed8dde523aacc210d621f

SHA1
385b0f856d323b6eaa56063ab08349e63baebaf9

SHA256
6d01d56e02cfc79435c5e7a444fffddfc46b0040916c481df9cb7f828885700e

SHA512
8e8984c9613f439ca63ae2eef2cf7392e38af66eddbd360d30e2a47f0dcf766ec1de458949fb226d554cdd9f9409f05b7ba4e085c0356850c46422e719990fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\lua50.dll

Filesize
92KB

MD5
913973aad1d92e274b0691ca15a3d78f

SHA1
a00ae78ce78d5f3d9834579a0f2e456c2a3be863

SHA256
eb55fdbc8a12ddc41d281964068c2369981da0a9d7459283ab875178b9fd49fc

SHA512
068978f3f3a92a61578f140b50a6174c4e76a4046ec0ac55b6511c3270005f3a5d8e715c66f97cdee4846978ca0d21e3315c68faefd8040bac19efcbcda03b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\luacom.dll

Filesize
136KB

MD5
3cd7899d4638fed3d474c506f4557d72

SHA1
f1497894bbc1a2bcb8f217ccf9b05c139afaee30

SHA256
74c0412a8f39d399a9731299affb2622749ea48960f80c72bcb6c0442d196cb5

SHA512
70f35d10bd9a54602597d6b0a6fe900a8f2b169b88c541348c50fadbee88492daf87b4df1e6119ce56211693b32b25dd44e7cc7cae6f8ef44b88baea9547c628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\blank.html

Filesize
766B

MD5
e5fc626ab40084b54fe291b2a9ee741c

SHA1
59ecebfdf9e38181ed2f0fc604ac66e453385f06

SHA256
1cec7c791db1c78c8af588304b303c3b05b0ee48017d4d86e4a1619f6b6a2ecf

SHA512
3bb84e10d8771b5f3ba3ba848964d8d6ab4e87a925b59eb403212ef4dc688970bf7c3cd712d46ba3c85019f2ae56ba1a473b3ca69b9b137b04267469f74b91fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\blob

Filesize
212KB

MD5
a9c58aa8c3984278773ad0938ef843f1

SHA1
25255e39db6abc093b14b8c38db40cdcdced08c5

SHA256
4998efda0234a95958e0bc71cb4fb61a8b0338b9c229b014968d95821cfef963

SHA512
cbc3ea2975375cc328da31c0f40b9c8bdef0bbb5e5a6eb1fc30b8dde3da63fb1b0fcf141e40241e8ef174fc2e5e1ded1e024f5c995a5cd8bad8719bb870ac732

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\compat-5.1.lua

Filesize
5KB

MD5
199607e50cd446a1f24249397568f814

SHA1
c22bcdd7f1628681e8aa93d0b4d801e00bbb2ee4

SHA256
86bc8a577082f61a89e235c9251abcc80333a204c494d60dc9b3245d118da08d

SHA512
d030810e77c9974a64e2a38ed9cf13fa9ba453db6cd41c4454c8ecd8c6fea00dabc54bf909d677b2b10c85daf004e5272079d26c4b223b80ee46773de531a28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.lua

Filesize
1KB

MD5
3d50bde7837aa5baa129dbb5f5cd2fd2

SHA1
14e250f5c714ae301174919c5a172be7d4a13f77

SHA256
9fdec654ec2dcc8b4cecab74a07086eb6130f3325c3b1213abcfdca7be9e7f0f

SHA512
1d4a315b16c4d0764e1fe78defb4e6f09f44eea25957bc3e83dc164cbe31cdd665e3cb4bc3da700dfec6c9e924b27d87ccd416678c3d45333f96568935fad722

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installerMain.clf

Filesize
46KB

MD5
fd1ac128972dbfce93db093af9b8c981

SHA1
c33cd93ba6ae40dc903cfe4e26bad35b14dbdd9d

SHA256
d58bf45331361a44595aeffbb2a8a4d0ab938e99b725a505057ba2df47b8aa64

SHA512
09f50176bf6bda552edb4a167dad3354cbe48d9c0e702f5388bc4555b88c538f6ca889825f4a41b80dfc032c87cbac93db31f4a0f0bdc233ad177fecf506f442

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mrClean.clf

Filesize
3KB

MD5
501207c36c628580e78d32366175546f

SHA1
df2d6d6e0975c8c6ba96f6555399a9f6f8625e0e

SHA256
a7d6d4ad877d91744a6f345dda421bd9467da04d369c26d65b8b4945bb9ea029

SHA512
d0aea03e1173f2d3b40f0a3a56ed608405b53d688e0e85d669e7bf0be87e40946af619edbbff8dff7d5042b292e643bbd10bb59bb58806836a1ab43ab31fbd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\http.lua

Filesize
11KB

MD5
726309c05a4658fb8e8608ecbe5eb4aa

SHA1
5587c6eb9de86183718a05b973e1fde0f6407ddd

SHA256
c3b9c340f1cd2255eb7bd54372df7383e6b7bb644db24a9c5f59efafb4e0d483

SHA512
a4730dab6023d1978960a2bbcba7d7e73609f20164112da483b6382ad97f4b4613f42d7a9c0bdb46abffe7bc48583eaa9590c58e647f75a5b2a2290d0ca5700a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\ltn12.lua

Filesize
8KB

MD5
2ce994424bc66a99d3fe29dc87cda481

SHA1
26339be6ca6cfb7b9c0725801643945d489fce37

SHA256
4c91fc1bd2871c53c9b4d3e7293f0a7ffd12c477e5721eab80aac871e3e22f85

SHA512
495a7ec3e95b4cc55b645169e12d81860171efb5fcbec6ebf94f2c2847da6cc4dd17624610b7c777dd5e65296da6e296ebcf627cf7fc231b39f6dd68d3bfa117

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\mime.lua

Filesize
2KB

MD5
c7cc9ea4f6038095c45995a95da66d0f

SHA1
84911c0e24238f218019a0b280c1408a42cc609f

SHA256
3fe83f8e918c874dae8331653b59ca88891a9c1a8005b7e2eb40e980b0933ea5

SHA512
21a5e56e0ff1ef3552d3f13be45f56a06830a9b6b5e33888c6554ba24e6b4be69f7e32a199e0e3f50f3e20465c2b6c2cbdf97129dbd1362e2791c5bf8ef2e67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\mime\core.dll

Filesize
24KB

MD5
8eb923b32f76b4aa1c324c0764a6bd95

SHA1
e15d2d5c065c689d2f107e0381645339a2baefbc

SHA256
87cb3cdad3b854598386350d1c169f93996c74ba45f1394d843e07780b5d79e8

SHA512
494861bb8a55af17396bc5b62b62a2cd94658702a04544b8ed31f2d608ca6fa23fc7ed449c2eff136c9a4a86d69d3af4bfab8ba2db35664616813ff082fad4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\socket.lua

Filesize
4KB

MD5
7f689483b773e1b8cf3f1e7ecf39691a

SHA1
9da5f292d6b59404b48e5a0b36bdf15a26c4738a

SHA256
2ee5259b65c4493c3b49dac2cb1894753b67dffc65ce4ce5830e6ecc802e47b9

SHA512
97a22a1d4dc3435c9d920b3d2b1b4cf9c60efe4297961b9f15c23612d899349bc7f4b7279243a1851d139545c3813a0e730f275b390cee496e6930769213cefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\socket\core.dll

Filesize
36KB

MD5
fc3c96670e67eff3a9064fcbf9398b6e

SHA1
a3c89ecd29745fa34cac76bc3773cd3c5018c2ef

SHA256
e4ede13a74a2eb38397dcf8bd1794f2231ee6fb4abf5e9df76af65f945700978

SHA512
12113c136c9316fc7d68ce90c02a52540e208af6e8ede2c46da301dc55e17c3b933c959541c0e3068ed3c00d08bee183a56b524dedb395137d48dc144331225b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\url.lua

Filesize
10KB

MD5
d26c368bd8f0062de33367337d705c58

SHA1
f4586e48bf73afb204b6c2dba2701ec013594ac3

SHA256
0b5703fbeaa8f7036d1bf91a90241cf23586850c571e4cf7cdbb78fb6b824157

SHA512
b85ecdc7acd93d5a34b20f5f50ffade7344f29023bf86a051f22e2b12fb296a433565e8274c10ebead8a920a4eedd51e362d4e787c1632bc33736456213c07db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wait.html

Filesize
4KB

MD5
92abf04b349c2bce1a9a7d7379a14549

SHA1
9c7878852fadea519276259d3d2ba0efa97b6b1d

SHA256
733cb323915353bd4a98853746caa22f9cc929bc32eb298590ab7adcbf69ee51

SHA512
7bccdaa881e2bee000126fd5c333e4aba71eeb37a35499de1b7c64352eed6d5634ede7b715306253a465f88734795bbb77f68b4efb35b3efa474491cfd6ba10d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\bin\bstrapinstall.exe

Filesize
38KB

MD5
4aadf09c55ea12e37123d3c697a3f84b

SHA1
dd6562b65ac52d611eac8bb4180feff918326db6

SHA256
94897cddb94bd3fa59d2cb3f3ec73131ce4db5305910571ec9fad90cbc4ae91e

SHA512
644e9bbdcfa1cf1c3f4aeecd7dcc9c48e4154ec2c560154f82ed59c64c918a50bde73f048062393b2a4b50e0e094ea481b0e8f1292c87ce3c4c475f8e7b913c8

Download Submit
memory/1416-279-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/1656-146-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/1656-154-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download