a4483fc2d8cc6f8dc08b9251895bbaa3177e485c6e2318bb1f603694ebecafea

Analysis

max time kernel
92s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Palworld 0.1.3.0 Hotfix to 0.1.4.0.rar
Size

146.1MB
MD5

a6b013f2b90d70092c44b9f8f3803a5d
SHA1

b2669400d75b00cec691a06b597ebb7b086ad808
SHA256

a4483fc2d8cc6f8dc08b9251895bbaa3177e485c6e2318bb1f603694ebecafea
SHA512

9714ba8ddd3ab8fd76f4637e805133c0e8456b4a87c19289ac5a91f0da4da95b026ee7fb0662e4a992f2542b7859e11ee9b6de6baad0b4f5ea740d0c4debb67f
SSDEEP

3145728:+ojCLiaWvhBPdI6/TE2f0kCjhHDdwV6eRIgNRz6E9zfByir8adJR9Ya:0rWDPdNbT0pjhH5wVd7Rz/9lyi9Jwa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3472	Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe
5088	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp

Loads dropped DLL 8 IoCs

pid	Process
5088	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
5088	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
5088	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
5088	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
5088	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
5088	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
5088	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
5088	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3500	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4724	mspaint.exe
4724	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3960	7zFM.exe
3500	vlc.exe
5088	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	3960	7zFM.exe
Token: 35	3960	7zFM.exe
Token: SeSecurityPrivilege	3960	7zFM.exe
Token: 33	4788	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4788	AUDIODG.EXE
Token: SeDebugPrivilege	3440	firefox.exe
Token: SeDebugPrivilege	3440	firefox.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
3960	7zFM.exe
3960	7zFM.exe
3960	7zFM.exe
5088	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
5088	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
3500	vlc.exe
3500	vlc.exe
3500	vlc.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
3500	vlc.exe
3500	vlc.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4724	mspaint.exe
4724	mspaint.exe
4724	mspaint.exe
4724	mspaint.exe
3500	vlc.exe
3440	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 3960	2900	cmd.exe	86
PID 2900 wrote to memory of 3960	2900	cmd.exe	86
PID 3960 wrote to memory of 3472	3960	7zFM.exe	88
PID 3960 wrote to memory of 3472	3960	7zFM.exe	88
PID 3960 wrote to memory of 3472	3960	7zFM.exe	88
PID 3472 wrote to memory of 5088	3472	Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe	89
PID 3472 wrote to memory of 5088	3472	Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe	89
PID 3472 wrote to memory of 5088	3472	Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe	89
PID 3492 wrote to memory of 3440	3492	firefox.exe	106
PID 3492 wrote to memory of 3440	3492	firefox.exe	106
PID 3492 wrote to memory of 3440	3492	firefox.exe	106
PID 3492 wrote to memory of 3440	3492	firefox.exe	106
PID 3492 wrote to memory of 3440	3492	firefox.exe	106
PID 3492 wrote to memory of 3440	3492	firefox.exe	106
PID 3492 wrote to memory of 3440	3492	firefox.exe	106
PID 3492 wrote to memory of 3440	3492	firefox.exe	106
PID 3492 wrote to memory of 3440	3492	firefox.exe	106
PID 3492 wrote to memory of 3440	3492	firefox.exe	106
PID 3492 wrote to memory of 3440	3492	firefox.exe	106
PID 3440 wrote to memory of 2152	3440	firefox.exe	107
PID 3440 wrote to memory of 2152	3440	firefox.exe	107
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108
PID 3440 wrote to memory of 2544	3440	firefox.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Palworld 0.1.3.0 Hotfix to 0.1.4.0.rar"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Palworld 0.1.3.0 Hotfix to 0.1.4.0.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Users\Admin\AppData\Local\Temp\7zO87F03877\Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO87F03877\Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\is-APU87.tmp\Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-APU87.tmp\Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp" /SL5="$B005E,152626678,176128,C:\Users\Admin\AppData\Local\Temp\7zO87F03877\Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      PID:5088

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x4a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1556

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\ExitRestore.emf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:3028

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\OutPush.mpv2"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.0.311513179\894497602" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22512f48-4949-400b-8313-dbfb9200d8c0} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 1964 21fb54d6458 gpu
    3⤵
    PID:2152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.1.1347373770\2068333819" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11ef006f-1d95-4932-9a26-4676cea3762b} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 2364 21fa8a72558 socket
    3⤵
    - Checks processor information in registry
    PID:2544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.2.31113729\878870853" -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 3184 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a2decc2-8dd3-4e3f-9f0f-b579eb26c5f9} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 3200 21fb94c9058 tab
    3⤵
    PID:4004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.3.1045800079\542778647" -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 3596 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4385048a-bb3f-4685-8147-5c741a1a0988} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 3612 21fba253c58 tab
    3⤵
    PID:4092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.4.722680212\1273489673" -childID 3 -isForBrowser -prefsHandle 1696 -prefMapHandle 1692 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c851e52-bec9-45bb-98d7-479c100306ad} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 4008 21fba5abb58 tab
    3⤵
    PID:1020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.7.1482760784\425015657" -childID 6 -isForBrowser -prefsHandle 5512 -prefMapHandle 5516 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4de2001-c8e7-46ba-833a-d2472663f3f2} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 5280 21fbbfbdb58 tab
    3⤵
    PID:4920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.6.1855018186\1998395618" -childID 5 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfa4a39a-8bcb-49dd-b5c6-f634593d3687} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 5296 21fbb9f8b58 tab
    3⤵
    PID:4992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.5.278971671\1883712954" -childID 4 -isForBrowser -prefsHandle 5152 -prefMapHandle 5148 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd7179b4-2d57-44f1-89c1-4325a6c4c5f5} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 5164 21fbb9fa658 tab
    3⤵
    PID:1856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.8.53344384\585563170" -childID 7 -isForBrowser -prefsHandle 6068 -prefMapHandle 6072 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {692a2789-0f0c-4293-a4d4-06bac47a07d8} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 6052 21fbda60658 tab
    3⤵
    PID:5732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO87F03877\Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe

Filesize
13.7MB

MD5
19a3fcb3e7a2c17a76f842ed62f47c2b

SHA1
847d2406b0474af88ff1fa2aa98060cf9ae773b4

SHA256
88bce5f3b9cf213da8786da557f9d3615e92e1b459f9dcc83407ea26ae2e4fd0

SHA512
33a17fcedae4a72c4ed95f2d716df8e27182bb9839726afd6c02ead0b9a9c0a462dec54d0d2e50e3ab770c9c19ad144b6bf3a44365e370620f1ba7489fe7f933

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO87F03877\Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe

Filesize
22.9MB

MD5
5da7834fd9fe5ad7a9e883b407cf9409

SHA1
7f2cb9b4de4c1ef0ed55ad0a50fa1a47ca2a2f32

SHA256
cfe9c82b0422bca851da49be30ed4cca1746371ab6828a70f7e760dfc7daef3d

SHA512
da9c6256e988aee7db1e37c0b275ab876d1a1c9c4c83a4f29246b05a463492e2fa1a18aab525a244ed72c8b53c8575d4f3767e8fe6076c5164ac5083ddcd0104

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO87F03877\Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe

Filesize
40.3MB

MD5
5c0c0de05d6c17edd907ff0aac6b730e

SHA1
0750c8cfe8ae09578e02421a9a78fd57bc693974

SHA256
766b1c98fdad2a5214ad0e9ecd9b051e13e8e15c7676830d69816c0b8b4b98d4

SHA512
3e009315e753392edbfdffdd1367336b7cd856b4f2fd2617b422e87b16160e2c166a2d73affc85ca48cabec881b3e11fb7df554a23eccc5a3ce6a0ec537268d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1TMAJ.tmp\BASS.dll

Filesize
109KB

MD5
36946ab0740fa086bfc8b8a86260eee9

SHA1
57e154464dd247f14ec90de065d7be685dcc1293

SHA256
9ac13f9bc5564fd8a1eab5f7c945dce1c27940dd63a913108eac64481ddde6af

SHA512
51a090119c36f19c8b008d52f1faf76ee1d511e151df777c577cf91da84300a8474d7e17004e3f374434b2d16eb1da3cfaee853e47528f9a1f6fb8bab71ed3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1TMAJ.tmp\English.ini

Filesize
20KB

MD5
4fb66af3052a25731d1f9c96bd17a654

SHA1
d6c4fcdb1e5bd644365c52445a91075d4278b81a

SHA256
c15e8ce6fe9cbf5ff30d3002619a55774f8c6198678cf6da26c6768f2a56b6fa

SHA512
4e0ad7aece3b227d658bcaf401195803e5acfbed8e44ae2bc810ff862aacc264fc231585a5833ad587c17c30ea76ba9defed4c6108755462643bccaa28d94832

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1TMAJ.tmp\crc32c.dll

Filesize
30KB

MD5
bfca8a245fc3a7fe7a3561aaf687cbba

SHA1
1b4dd6544baf59632198f6c00e48f741325abcff

SHA256
f82e3de7d8d9a400e9d54348909a9ffa64a609d1644161ee40f7ae53c79215ff

SHA512
90c924813a59015475717ce7b0271d503a3e3f365f25a62765e16d612c220b29ab7d665575be206758878f4927a420bf186acfc0cad1472ed4c9a12a44fd835c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1TMAJ.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1TMAJ.tmp\isproc.dll

Filesize
16KB

MD5
4bafb0739c5fcd96be991f2a3cc9ac2f

SHA1
9372b03e4515660f732bf6338c4d7e183a78d2ee

SHA256
7f74f1c445bf5e9456aae6fae695a8ca60e1d0eb5a2f44ac2cf0239a71f1a8a1

SHA512
095946b16020d52beb25b4037775af8bbf6a7f15b56e260a1bf90af5ccadc11cbcb78c80540f087597a2df6bf5d6b2c8358249aed121ef68e96a302a9fb2ec55

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1TMAJ.tmp\wintb.dll

Filesize
16KB

MD5
9436df49e08c83bad8ddc906478c2041

SHA1
a4fa6bdd2fe146fda2e78fdbab355797f53b7dce

SHA256
1910537aa95684142250ca0c7426a0b5f082e39f6fbdbdba649aecb179541435

SHA512
f9dc6602ab46d709efdaf937dcb8ae517caeb2bb1f06488c937be794fd9ea87f907101ae5c7f394c7656a6059dc18472f4a6747dcc8cc6a1e4f0518f920cc9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APU87.tmp\Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp

Filesize
1.2MB

MD5
5cdd44fdc8fb3fc334357c753483fb79

SHA1
884867ca9a35f2132bd29aad209cf4eb29a79abc

SHA256
648ac396838721a39226ab390bce79ab899092c86a72f268e8bf1a0ca5959696

SHA512
35bdad8f629f2c59f19fbec60e906514a737a84bd3668f9cf17720479e98cdaa4eb7232ed05542b46b6fa06342a7f7431cb9acc94c9128960d2aaecf4fb087eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
5b110ae62d40d9c4777cda0d836e8fb5

SHA1
d798dd708ca26c3705b7189713f9f27df4b74686

SHA256
da64b64669136067f0e66499fde8ab8cfb6ed4a87c69d4004b32e6717c113b6f

SHA512
414ec5779cb44001a6c3337ca9da98e77f7610dd64ae94ee3c33d1d4841c7a249d45e5036bb30e91cf0d0f7d5fbb45706d1e974fe797c165d54d88765d51804e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\datareporting\glean\pending_pings\2270c897-9c84-48b3-8b2c-6fd9d47eb530

Filesize
11KB

MD5
a6175c18ba6c708e4a77f4f185bc5558

SHA1
66f7031ef1c13c0ddf7d864192cdd05d1314d31c

SHA256
4e65546a95e75ebe10f003e45cb6dc4976285af844628cad6d437613897c97d1

SHA512
4780fcbb1c6e8e303482da1f11efd4b14e45e4fe9f0211370397bcdb64728a2bead6acef79e1abb5bc7baaad3d1d0d3ac055dc7157678744d15dd5880948994e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\datareporting\glean\pending_pings\fd13cff5-e400-4a80-88bd-5756d841ab99

Filesize
746B

MD5
ce3a73502fb2509fef421373811741a1

SHA1
20d7b151e3b3972a3268d78a860e486e2653625c

SHA256
8cb5c876d63c1de39079fbb08569adb60f6a14bd5f6c1b90172a451cd5a41cf3

SHA512
12020eecdd7fc5ef6ca6d6686ef6a0695312c1fef20e85ea69d264ef5cf3d3a21dd9603a62f444c2541ef49277ad3eb0b6e3329f2c821c066d382006b5b4450e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\prefs-1.js

Filesize
6KB

MD5
ba09064a9a29ad810f9578972137a1e1

SHA1
c59df9f0e84e7ac41f83e4bc2e45506df13f85dc

SHA256
f9b17f224c4c7b642400f99a7c56391b2f90d2a8a3f57fa06fb8286a7496df61

SHA512
aa189652ab92f9caf53ab158d4e907c32c5594613f13f9ae92b9f1dc9bd7f2922004fc2bcfdedc2b7c2b70b658eb28ace10e835b789ec4830e826d952dc0a3c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
196576394d1b7b180d85a74846117137

SHA1
92ab3160ccd6b436e5a832d574473160d8617f72

SHA256
c31ae7475ec767cc54b3878a274a3ff710a51393e49897c2febd76ebb0136147

SHA512
27c728994e58717ec1fbff32d3fa0aea6abc1144e2b68432d5ce6b00d16727503cfa3aba6df9e718c1d1c6c215416194993539b8165dd2b3a397fe9fbc6efaed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c0aed993f71578bf0a6a4066f1d166cc

SHA1
d41212752a37452824cfc6d4d0d0e28d6af3291f

SHA256
23e3b26ebbf8f18cc5ee1f4a3df4e1e30788818b1e237892b84ae1d09646100c

SHA512
3191d0d4fa9c4243d0bcb8b479401e8de56fef53b58f8420e6f455c032da2e30e2251dace1eb25e330cb44f023430d37cde9e795c7f2aee312f97d2fd47eec4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
476983a59f53768ead75b7124a204ec3

SHA1
d55deb8e91080ad4c2ae513cf9312c11cb98b012

SHA256
2a4f75b32d892322672bd5c495916ccc53b24edda913178ca612b1f35b79d58b

SHA512
489efbc9c0ebd414278cc1705e31f2a5f00bd9995c7b57fac05f2f5b05cf8934da7465353b8b305cca3de8643ca0a7fb0c7dbd0b04676197379ee5a92b7acb2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
3024359e6845086c6ee951c4cce15e2c

SHA1
2158b7c7eed56d7faf835987c429b71ae91f471c

SHA256
0f6071680b5ae73da8aea24fecb3bcb3b8a06f47354bd502b6eaaeab199f0677

SHA512
83aba62ecc9df4eab8ba9389dd820f3b7a9710b7257a6c5cbc5facef64ea2716218f8d83e27a74f59d4ce78a3c03a23c236a0087a7779bdf4b64677f3c232743

Download Submit
memory/3472-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3472-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3472-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3500-224-0x00007FF816050000-0x00007FF816071000-memory.dmp

Filesize
132KB

Download
memory/3500-211-0x00007FF8162D0000-0x00007FF816300000-memory.dmp

Filesize
192KB

Download
memory/3500-206-0x00007FF816380000-0x00007FF816391000-memory.dmp

Filesize
68KB

Download
memory/3500-207-0x00007FF816360000-0x00007FF816371000-memory.dmp

Filesize
68KB

Download
memory/3500-208-0x00007FF816340000-0x00007FF81635B000-memory.dmp

Filesize
108KB

Download
memory/3500-210-0x00007FF816300000-0x00007FF816318000-memory.dmp

Filesize
96KB

Download
memory/3500-186-0x00007FF818B10000-0x00007FF818B44000-memory.dmp

Filesize
208KB

Download
memory/3500-185-0x00007FF615BE0000-0x00007FF615CD8000-memory.dmp

Filesize
992KB

Download
memory/3500-187-0x00007FF817780000-0x00007FF817A34000-memory.dmp

Filesize
2.7MB

Download
memory/3500-189-0x00007FF8290B0000-0x00007FF8290C7000-memory.dmp

Filesize
92KB

Download
memory/3500-190-0x00007FF828F40000-0x00007FF828F51000-memory.dmp

Filesize
68KB

Download
memory/3500-191-0x00007FF817760000-0x00007FF817777000-memory.dmp

Filesize
92KB

Download
memory/3500-193-0x00007FF817720000-0x00007FF81773D000-memory.dmp

Filesize
116KB

Download
memory/3500-194-0x00007FF817700000-0x00007FF817711000-memory.dmp

Filesize
68KB

Download
memory/3500-192-0x00007FF817740000-0x00007FF817751000-memory.dmp

Filesize
68KB

Download
memory/3500-195-0x00007FF817500000-0x00007FF817700000-memory.dmp

Filesize
2.0MB

Download
memory/3500-188-0x00007FF82CB60000-0x00007FF82CB78000-memory.dmp

Filesize
96KB

Download
memory/3500-201-0x00007FF816410000-0x00007FF81644F000-memory.dmp

Filesize
252KB

Download
memory/3500-196-0x00007FF816450000-0x00007FF8174FB000-memory.dmp

Filesize
16.7MB

Download
memory/3500-202-0x00007FF8163E0000-0x00007FF816401000-memory.dmp

Filesize
132KB

Download
memory/3500-203-0x00007FF8163C0000-0x00007FF8163D8000-memory.dmp

Filesize
96KB

Download
memory/3500-204-0x00007FF8163A0000-0x00007FF8163B1000-memory.dmp

Filesize
68KB

Download
memory/3500-209-0x00007FF816320000-0x00007FF816331000-memory.dmp

Filesize
68KB

Download
memory/3500-217-0x00007FF816170000-0x00007FF8161C6000-memory.dmp

Filesize
344KB

Download
memory/3500-215-0x00007FF8161F0000-0x00007FF81625F000-memory.dmp

Filesize
444KB

Download
memory/3500-226-0x00007FF816010000-0x00007FF816022000-memory.dmp

Filesize
72KB

Download
memory/3500-225-0x00007FF816030000-0x00007FF816043000-memory.dmp

Filesize
76KB

Download
memory/3500-229-0x00007FF815CE0000-0x00007FF815E92000-memory.dmp

Filesize
1.7MB

Download
memory/3500-228-0x00007FF815EA0000-0x00007FF815ECC000-memory.dmp

Filesize
176KB

Download
memory/3500-227-0x00007FF815ED0000-0x00007FF81600B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-218-0x00007FF816140000-0x00007FF816168000-memory.dmp

Filesize
160KB

Download
memory/3500-223-0x00007FF816080000-0x00007FF816092000-memory.dmp

Filesize
72KB

Download
memory/3500-222-0x00007FF8160A0000-0x00007FF8160B1000-memory.dmp

Filesize
68KB

Download
memory/3500-221-0x00007FF8160C0000-0x00007FF8160E3000-memory.dmp

Filesize
140KB

Download
memory/3500-220-0x00007FF8160F0000-0x00007FF816107000-memory.dmp

Filesize
92KB

Download
memory/3500-219-0x00007FF816110000-0x00007FF816134000-memory.dmp

Filesize
144KB

Download
memory/3500-216-0x00007FF8161D0000-0x00007FF8161E1000-memory.dmp

Filesize
68KB

Download
memory/3500-213-0x00007FF816260000-0x00007FF8162C7000-memory.dmp

Filesize
412KB

Download
memory/5088-72-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/5088-83-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/5088-73-0x000000006B080000-0x000000006B08D000-memory.dmp

Filesize
52KB

Download
memory/5088-74-0x0000000003200000-0x0000000003215000-memory.dmp

Filesize
84KB

Download
memory/5088-76-0x0000000003340000-0x000000000334A000-memory.dmp

Filesize
40KB

Download
memory/5088-75-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/5088-39-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/5088-32-0x0000000074080000-0x00000000740D0000-memory.dmp

Filesize
320KB

Download
memory/5088-27-0x0000000003200000-0x0000000003215000-memory.dmp

Filesize
84KB

Download
memory/5088-18-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download