783025643a7ab680ac2529d00c282a4989f1d43362bc0047b74e4537d2e28d91

Analysis

max time kernel
126s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63b73406348cbf686aab2d219555ff9c.exe
Size

1.2MB
MD5

63b73406348cbf686aab2d219555ff9c
SHA1

8a6d3aa41e0b0c68528d8abda47703f66acb6ede
SHA256

783025643a7ab680ac2529d00c282a4989f1d43362bc0047b74e4537d2e28d91
SHA512

9e22792aa5fee8ed50d6388f4fe4979b867fc9753a8b564ad47579ab4bdee79c1824a6ecf1fd5ae8d7358bc013d3a715c155e052d2da8cb079bc89f7d7a89f94
SSDEEP

24576:Butr5OUs/ifYhM1Ta+kgE5c1pzLVa5LPxhHhaMV2PeY3dJi4FXkj:BuXOifEM1FkZ+zpa9Px+Mgn3fi4F0j

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	63b73406348cbf686aab2d219555ff9c.exe

Executes dropped EXE 2 IoCs

pid	Process
4416	bstrapInstall.exe
3436	gameinstaller.exe

Loads dropped DLL 12 IoCs

pid	Process
224	regsvr32.exe
224	regsvr32.exe
224	regsvr32.exe
3436	gameinstaller.exe
3436	gameinstaller.exe
3436	gameinstaller.exe
3436	gameinstaller.exe
3436	gameinstaller.exe
3436	gameinstaller.exe
3436	gameinstaller.exe
3436	gameinstaller.exe
3436	gameinstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5818813E-D53D-47A5-ABBB-37E2A07056B5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5818813E-D53D-47A5-ABBB-37E2A07056B5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RACInstaller.StateCtrl\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ShellCtl.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ShellCtl\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\VersionIndependentProgID\ = "StubbyUtil.ShellCtl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7E480B1-78D1-4D43-8B94-0D32DD109899}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29F023B2-B05F-4613-A60F-2A0094DF3017}\TypeLib\ = "{12631F96-F37E-4975-81D5-16E871EE557B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ShellCtl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ProcessMgr.1\CLSID\ = "{5818813E-D53D-47A5-ABBB-37E2A07056B5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{860450DB-79C1-44E4-96E0-C89144E4B444}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5609BFB-AC99-4F0C-AA90-5BA58C1E382E}\TypeLib\ = "{12631F96-F37E-4975-81D5-16E871EE557B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\bin\\InstallerDlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7E480B1-78D1-4D43-8B94-0D32DD109899}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7E480B1-78D1-4D43-8B94-0D32DD109899}\TypeLib\ = "{12631F96-F37E-4975-81D5-16E871EE557B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48D11E12-E33E-40A7-A78D-2EAFD88906DC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ShellCtl	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RACInstaller.StateCtrl\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D60A064-2009-4623-8FC1-F99CAC01037E}\TypeLib\ = "{12631F96-F37E-4975-81D5-16E871EE557B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12DE7CAC-9F64-48FA-9526-212043DF0AAE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12DE7CAC-9F64-48FA-9526-212043DF0AAE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5818813E-D53D-47A5-ABBB-37E2A07056B5}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{748744E8-6812-4F07-9F57-5F40395BDE65}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D60A064-2009-4623-8FC1-F99CAC01037E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12DE7CAC-9F64-48FA-9526-212043DF0AAE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12631F96-F37E-4975-81D5-16E871EE557B}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12DE7CAC-9F64-48FA-9526-212043DF0AAE}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{860450DB-79C1-44E4-96E0-C89144E4B444}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B5C103F-DAAF-425E-B3A9-DEDE61F3A6F4}\VersionIndependentProgID\ = "InstallerDlg.InstallDlgCtl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ProcessMgr.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ProcessMgr\CLSID\ = "{5818813E-D53D-47A5-ABBB-37E2A07056B5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12DE7CAC-9F64-48FA-9526-212043DF0AAE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D991AAA3-6CEB-47CD-9A34-08E0C9D0959E}\ = "_IProcessMgrEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D991AAA3-6CEB-47CD-9A34-08E0C9D0959E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{748744E8-6812-4F07-9F57-5F40395BDE65}\TypeLib\ = "{12631F96-F37E-4975-81D5-16E871EE557B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12631F96-F37E-4975-81D5-16E871EE557B}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D60A064-2009-4623-8FC1-F99CAC01037E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B5C103F-DAAF-425E-B3A9-DEDE61F3A6F4}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.RegAccess.1\ = "CRegAccess Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.CookieCtl\CurVer\ = "StubbyUtil.CookieCtl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D60A064-2009-4623-8FC1-F99CAC01037E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RACInstaller.StateCtrl\CurVer\ = "RACInstaller.StateCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.CookieCtl\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D11E12-E33E-40A7-A78D-2EAFD88906DC}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{860450DB-79C1-44E4-96E0-C89144E4B444}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InstallerDlg.InstallDlgCtl\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\ = "CShellCtl Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\VersionIndependentProgID\ = "RACInstaller.StateCtrl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\bin\\InstallerDlg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D11E12-E33E-40A7-A78D-2EAFD88906DC}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5818813E-D53D-47A5-ABBB-37E2A07056B5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\bin\\InstallerDlg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\ = "CRegAccess Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\ProgID\ = "StubbyUtil.RegAccess.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D991AAA3-6CEB-47CD-9A34-08E0C9D0959E}\ProxyStubClsid32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3436	gameinstaller.exe
3436	gameinstaller.exe
3436	gameinstaller.exe
3436	gameinstaller.exe
3436	gameinstaller.exe
3436	gameinstaller.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	448	63b73406348cbf686aab2d219555ff9c.exe
Token: SeRestorePrivilege	448	63b73406348cbf686aab2d219555ff9c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3436	gameinstaller.exe
3436	gameinstaller.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 4416	448	63b73406348cbf686aab2d219555ff9c.exe	90
PID 448 wrote to memory of 4416	448	63b73406348cbf686aab2d219555ff9c.exe	90
PID 448 wrote to memory of 4416	448	63b73406348cbf686aab2d219555ff9c.exe	90
PID 4416 wrote to memory of 224	4416	bstrapInstall.exe	91
PID 4416 wrote to memory of 224	4416	bstrapInstall.exe	91
PID 4416 wrote to memory of 224	4416	bstrapInstall.exe	91
PID 4416 wrote to memory of 3436	4416	bstrapInstall.exe	92
PID 4416 wrote to memory of 3436	4416	bstrapInstall.exe	92
PID 4416 wrote to memory of 3436	4416	bstrapInstall.exe	92

C:\Users\Admin\AppData\Local\Temp\63b73406348cbf686aab2d219555ff9c.exe
"C:\Users\Admin\AppData\Local\Temp\63b73406348cbf686aab2d219555ff9c.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\bstrapInstall.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\bstrapInstall.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32 /s .\bin\InstallerDlg.dll
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\gameinstaller.exe
    .\bin\gameinstaller.exe installerMain.clf
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resources\zylom\spinner.gif

Filesize
23KB

MD5
1753b06c89c1017ba98183a0a1059f15

SHA1
1c0f68a64b07bcf50a236f3d47fd4f095f8b3230

SHA256
a648c33311c4788ef2f45d967bab7da798a4b39fc6500ec0b15856f43c7e7940

SHA512
e71a675c6444a83f2169bb04b65affb9c7d5d741b26d601a6cc8364b2f05637365700e362225890ef4004669edf7ebf0361eb706b3dcba68c4fe72c252efcc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resources\zylom\waitProc.html

Filesize
4KB

MD5
7bd3cd208c5ae618c93961f35e4d5618

SHA1
b0d2be77c23f361dc4e06ea08a7992729314bf8d

SHA256
237e3971eb4f282b275067cfa20e3ff18a424cb23d455a00473bc3563ecaee1c

SHA512
0c386b539438e546ed0c33b1c20b1cb812b1706c9d07ec70d458ee241ebaa2df9dbca22677c65d054509f6f73ae43f514c3099c99aa90630f03d3271a85fac71

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resources\zylom\waiting_bar.gif

Filesize
10KB

MD5
235cf132a3a841ba9636fb8234950810

SHA1
cf2782d25ac43afe7bd4b658cc65131a3f881254

SHA256
56f3be79dc14be995ae9fe072465fa397cdd955bbe2df4e3b11cbf8a41a7516b

SHA512
ef1b0da04caeb834352871fac10b9c42934d2dd47ecbecc588d4ca66082463ad9c671c34292701daf99787ef98a462d03d6f7acffbb372fcaaac61da39874e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resources\zylom\waiting_to_install.gif

Filesize
7KB

MD5
fa668d6180a0e4c7bd1c48fa8c436cc3

SHA1
f231664e1ccfd11f4c04877be5760e1dc434fad8

SHA256
29d26eec015fb6df7276804f12c2cfff8d868d0c6ef25b2bea0cd16c16113d5a

SHA512
df149a053a94f715eec766f520bbba5435ebab06378869c345132a997267f4bd80f0372e754fd63240c2a5b816c63f8804f3e6822f726c843d51224d52aeb5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resources\zylom\waiting_to_install2.gif

Filesize
4KB

MD5
41ac94bebb4b7e418d9bb2609393d83a

SHA1
118182c3d7eb070e2c064083b706371bea7f912a

SHA256
6de28addd1b88ba2b740ea21865d6d0655711fb8d2435f24327d7dc3e19f62e0

SHA512
b526c67b00f8c8e69698a432560aeaa5e22fee96e58b27ee4888909f35fef2567aff9e0d69287ffa7a0bb3eb2fedcdd3e59ff4acd53fa78bc4fb1f687813e56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\InstallerDlg.dll

Filesize
378KB

MD5
81c1296895eadc1ef5c9a713a84247be

SHA1
4f0aa7e0d0808b22321c970136b78cc2b81dae2e

SHA256
f609ba4947259383fc6a0fb916e53b982be5ddd2dc9d9e0813afa695739e7ce3

SHA512
a91bffc910a7f32feb11250e79a51b80777b3746c7b0b63c64fbb55661c7d59f114d31c90acf7fc8ff5eeffa8b790502b68eaee86809ef31446b47f583885a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\RAInstallerPaths.dll

Filesize
50KB

MD5
afb288a8d5c428b5c78d9516c5936a0f

SHA1
32e88ca94a85cc20f33aa2ecf53ea73233e6dc63

SHA256
31a0b4389164b272d2655929c0e68ed8e5c477c5d6c8879b5b3c751688784d24

SHA512
dc8c3e762b329cae473cdb6fea8b7e288ba5768c5f1fb6b7176758f5ae5f93c3f674aed64688846869814632be7317332c12cd561d34dd4cdff1e40f6c00903f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\bstrapInstall.exe

Filesize
1KB

MD5
e654b93fefc7678a0301022f1a9e0b2d

SHA1
8e1bd1e140894dccf452b223b53f52c8b9835382

SHA256
191612c586937dd79427b3ed93304fb3985a744358e30b99dbe28083611832c3

SHA512
0dfbd6e0dcefb42695d574697d746a8c1322094a6768ff567f62831cd16ff9ed3f272e2a1ab7bcd8a9a3087dfc0f2ead61e4f3a2db9fa4e1e9ab4bb8f68c51e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\bstrapinstall.exe

Filesize
38KB

MD5
4aadf09c55ea12e37123d3c697a3f84b

SHA1
dd6562b65ac52d611eac8bb4180feff918326db6

SHA256
94897cddb94bd3fa59d2cb3f3ec73131ce4db5305910571ec9fad90cbc4ae91e

SHA512
644e9bbdcfa1cf1c3f4aeecd7dcc9c48e4154ec2c560154f82ed59c64c918a50bde73f048062393b2a4b50e0e094ea481b0e8f1292c87ce3c4c475f8e7b913c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\gameinstaller.exe

Filesize
97KB

MD5
86963636ae5ef9941c8915770cd52ded

SHA1
155be159cf8b1bd70377ebe4c476f6815841f669

SHA256
548ddd8530dbd86dae772957e6ac6285fd1896f3b567551407b10545c127014a

SHA512
677fe1a1224b8c337ee8196d79ba9a234a3533a8f037c8da3f78a655897f221a238e2cfddffd51d5552d5cf5c138b493af4625a0fd1074f53d28d97f19be983c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\lua50.dll

Filesize
92KB

MD5
913973aad1d92e274b0691ca15a3d78f

SHA1
a00ae78ce78d5f3d9834579a0f2e456c2a3be863

SHA256
eb55fdbc8a12ddc41d281964068c2369981da0a9d7459283ab875178b9fd49fc

SHA512
068978f3f3a92a61578f140b50a6174c4e76a4046ec0ac55b6511c3270005f3a5d8e715c66f97cdee4846978ca0d21e3315c68faefd8040bac19efcbcda03b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\luacom.dll

Filesize
136KB

MD5
3cd7899d4638fed3d474c506f4557d72

SHA1
f1497894bbc1a2bcb8f217ccf9b05c139afaee30

SHA256
74c0412a8f39d399a9731299affb2622749ea48960f80c72bcb6c0442d196cb5

SHA512
70f35d10bd9a54602597d6b0a6fe900a8f2b169b88c541348c50fadbee88492daf87b4df1e6119ce56211693b32b25dd44e7cc7cae6f8ef44b88baea9547c628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\blob

Filesize
212KB

MD5
a9c58aa8c3984278773ad0938ef843f1

SHA1
25255e39db6abc093b14b8c38db40cdcdced08c5

SHA256
4998efda0234a95958e0bc71cb4fb61a8b0338b9c229b014968d95821cfef963

SHA512
cbc3ea2975375cc328da31c0f40b9c8bdef0bbb5e5a6eb1fc30b8dde3da63fb1b0fcf141e40241e8ef174fc2e5e1ded1e024f5c995a5cd8bad8719bb870ac732

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\compat-5.1.lua

Filesize
5KB

MD5
199607e50cd446a1f24249397568f814

SHA1
c22bcdd7f1628681e8aa93d0b4d801e00bbb2ee4

SHA256
86bc8a577082f61a89e235c9251abcc80333a204c494d60dc9b3245d118da08d

SHA512
d030810e77c9974a64e2a38ed9cf13fa9ba453db6cd41c4454c8ecd8c6fea00dabc54bf909d677b2b10c85daf004e5272079d26c4b223b80ee46773de531a28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.lua

Filesize
1KB

MD5
3d50bde7837aa5baa129dbb5f5cd2fd2

SHA1
14e250f5c714ae301174919c5a172be7d4a13f77

SHA256
9fdec654ec2dcc8b4cecab74a07086eb6130f3325c3b1213abcfdca7be9e7f0f

SHA512
1d4a315b16c4d0764e1fe78defb4e6f09f44eea25957bc3e83dc164cbe31cdd665e3cb4bc3da700dfec6c9e924b27d87ccd416678c3d45333f96568935fad722

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installerMain.clf

Filesize
46KB

MD5
fd1ac128972dbfce93db093af9b8c981

SHA1
c33cd93ba6ae40dc903cfe4e26bad35b14dbdd9d

SHA256
d58bf45331361a44595aeffbb2a8a4d0ab938e99b725a505057ba2df47b8aa64

SHA512
09f50176bf6bda552edb4a167dad3354cbe48d9c0e702f5388bc4555b88c538f6ca889825f4a41b80dfc032c87cbac93db31f4a0f0bdc233ad177fecf506f442

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\socket.lua

Filesize
4KB

MD5
7f689483b773e1b8cf3f1e7ecf39691a

SHA1
9da5f292d6b59404b48e5a0b36bdf15a26c4738a

SHA256
2ee5259b65c4493c3b49dac2cb1894753b67dffc65ce4ce5830e6ecc802e47b9

SHA512
97a22a1d4dc3435c9d920b3d2b1b4cf9c60efe4297961b9f15c23612d899349bc7f4b7279243a1851d139545c3813a0e730f275b390cee496e6930769213cefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\socket\core.dll

Filesize
36KB

MD5
fc3c96670e67eff3a9064fcbf9398b6e

SHA1
a3c89ecd29745fa34cac76bc3773cd3c5018c2ef

SHA256
e4ede13a74a2eb38397dcf8bd1794f2231ee6fb4abf5e9df76af65f945700978

SHA512
12113c136c9316fc7d68ce90c02a52540e208af6e8ede2c46da301dc55e17c3b933c959541c0e3068ed3c00d08bee183a56b524dedb395137d48dc144331225b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\socket\core.dll

Filesize
31KB

MD5
97418da898f77358ce620e3e5a433d26

SHA1
578e34fc70fe41988db59bb0535bcfefe4e7adab

SHA256
e631eae47023c1bbe504e4e82e3baeb5549ff65fa9957574e5591f38a5048afd

SHA512
c3fb153bc37f3c9fa5d9c3f34b13ecc504fe7d385c477cb2965eefa56a1355ea631b37bec3e140be8fcc8c7072cc2d3f957eb33fd989a18d8b35c1fd48d8c65a

Download Submit
memory/3436-152-0x0000000002F00000-0x0000000002F0A000-memory.dmp

Filesize
40KB

Download
memory/3436-143-0x00000000007D0000-0x00000000007F4000-memory.dmp

Filesize
144KB

Download