182986e90e0444d5c1716b87ffafe0e7991343ee7696d3f3d404c12fff15b7ca

Analysis

max time kernel
63s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

netmarble_7dsgb_A_installer_80943.exe
Size

241KB
MD5

225a61fe34aa8cc9aa114510cd80e24a
SHA1

5c70d05b61a7c1912933f0ebb4f3efaa1482f496
SHA256

182986e90e0444d5c1716b87ffafe0e7991343ee7696d3f3d404c12fff15b7ca
SHA512

734f03656ad3f80313a02d51ba34840bd7e794974b3d48c4fa3e949d8d48a9f0a4a4aae1e65b07a9bbba0e9cc4a51b1b74af09659029d543c4610b51cf2e3f2a
SSDEEP

3072:dbG7N2kDTHUpouAw9aXCvLIaSQmjWAKp3dIcW4PdWlr2tvhOEA1RJCir86SrSrvh:dbE/HU4aaXCTp8ImcpFe2t0EyL+hc

Score

8^/10

discovery evasion execution

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

7116 netsh.exe
3296 netsh.exe

pid	process
7116	netsh.exe
3296	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Netmarble Launcher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Netmarble Launcher.exe

Executes dropped EXE 5 IoCs

Processes:

Netmarble_Launcher_Setup_nanagb_A.exeNetmarble Launcher.exeNetmarble Launcher.exeNetmarble Launcher.exeNetmarble Launcher.exe

pid	process
4068	Netmarble_Launcher_Setup_nanagb_A.exe
2820	Netmarble Launcher.exe
4264	Netmarble Launcher.exe
4256	Netmarble Launcher.exe
1960	Netmarble Launcher.exe

Loads dropped DLL 23 IoCs

Processes:

netmarble_7dsgb_A_installer_80943.exeNetmarble_Launcher_Setup_nanagb_A.exeNetmarble Launcher.exeNetmarble Launcher.exeNetmarble Launcher.exeNetmarble Launcher.exe

pid	process
4416	netmarble_7dsgb_A_installer_80943.exe
4416	netmarble_7dsgb_A_installer_80943.exe
4416	netmarble_7dsgb_A_installer_80943.exe
4416	netmarble_7dsgb_A_installer_80943.exe
4416	netmarble_7dsgb_A_installer_80943.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
2820	Netmarble Launcher.exe
4264	Netmarble Launcher.exe
4256	Netmarble Launcher.exe
4256	Netmarble Launcher.exe
4256	Netmarble Launcher.exe
4256	Netmarble Launcher.exe
4256	Netmarble Launcher.exe
1960	Netmarble Launcher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

Netmarble_Launcher_Setup_nanagb_A.exe

description	ioc	process
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\ml.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\mac\x64\7za	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\he.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\te.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\resources\app-update.yml	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\chrome_200_percent.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\de.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\nl.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\sk.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\linux\x64\7za	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\package.json	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\ca.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\linux\x64\do-build.sh	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\fa.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\resources.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\vulkan-1.dll	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\linux\x64	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\es.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\pt-BR.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\sr.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\th.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\linux\arm64\7za	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\it.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\ro.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\libEGL.dll	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\bg.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\hi.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\lt.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\vi.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\win\arm64\7za.exe	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\win\ia32	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\bn.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\libGLESv2.dll	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\vk_swiftshader.dll	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\gu.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\gu.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\index.js	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\v8_context_snapshot.bin	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\tr.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\vk_swiftshader.dll	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\uninstallerIcon.ico	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\linux\arm64	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\ur.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\zh-CN.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\zh-CN.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\cs.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\id.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\it.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\icudtl.dat	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\cs.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\es-419.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\zh-TW.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\chrome_100_percent.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\el.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\he.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\mac\arm64\7za	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\ms.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\te.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\en-GB.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\linux\arm\7za	Netmarble_Launcher_Setup_nanagb_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\fil.pak	Netmarble_Launcher_Setup_nanagb_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\ko.pak	Netmarble_Launcher_Setup_nanagb_A.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2020 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5252 schtasks.exe

pid	process
2020	powershell.exe

pid	process
5252	schtasks.exe

Modifies registry class 7 IoCs

Processes:

Netmarble Launcher.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\netmarblelauncher\URL Protocol	Netmarble Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\netmarblelauncher\ = "URL:netmarblelauncher"	Netmarble Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\netmarblelauncher\shell\open\command	Netmarble Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\netmarblelauncher\shell	Netmarble Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\netmarblelauncher\shell\open	Netmarble Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\netmarblelauncher\shell\open\command\ = "\"C:\\Program Files\\Netmarble\\Netmarble Launcher\\Netmarble Launcher.exe\" \"%1\""	Netmarble Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\netmarblelauncher	Netmarble Launcher.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

468 reg.exe
3204 reg.exe

pid	process
468	reg.exe
3204	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Netmarble Launcher.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Netmarble Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Netmarble Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Netmarble Launcher.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Netmarble_Launcher_Setup_nanagb_A.exepowershell.exe

pid	process
4068	Netmarble_Launcher_Setup_nanagb_A.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
4068	Netmarble_Launcher_Setup_nanagb_A.exe
2020	powershell.exe
2020	powershell.exe
2020	powershell.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

Netmarble_Launcher_Setup_nanagb_A.exeNetmarble Launcher.exepowershell.exe

description	pid	process
Token: SeSecurityPrivilege	4068	Netmarble_Launcher_Setup_nanagb_A.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe
Token: SeShutdownPrivilege	2820	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	2820	Netmarble Launcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

netmarble_7dsgb_A_installer_80943.exeNetmarble Launcher.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4416 wrote to memory of 4068	4416	netmarble_7dsgb_A_installer_80943.exe	Netmarble_Launcher_Setup_nanagb_A.exe
PID 4416 wrote to memory of 4068	4416	netmarble_7dsgb_A_installer_80943.exe	Netmarble_Launcher_Setup_nanagb_A.exe
PID 4416 wrote to memory of 4068	4416	netmarble_7dsgb_A_installer_80943.exe	Netmarble_Launcher_Setup_nanagb_A.exe
PID 2820 wrote to memory of 5056	2820	Netmarble Launcher.exe	cmd.exe
PID 2820 wrote to memory of 5056	2820	Netmarble Launcher.exe	cmd.exe
PID 5056 wrote to memory of 3428	5056	cmd.exe	chcp.com
PID 5056 wrote to memory of 3428	5056	cmd.exe	chcp.com
PID 2820 wrote to memory of 4264	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4264	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 3196	2820	Netmarble Launcher.exe	reg.exe
PID 2820 wrote to memory of 3196	2820	Netmarble Launcher.exe	reg.exe
PID 2820 wrote to memory of 5168	2820	Netmarble Launcher.exe	cmd.exe
PID 2820 wrote to memory of 5168	2820	Netmarble Launcher.exe	cmd.exe
PID 2820 wrote to memory of 468	2820	Netmarble Launcher.exe	reg.exe
PID 2820 wrote to memory of 468	2820	Netmarble Launcher.exe	reg.exe
PID 2820 wrote to memory of 2020	2820	Netmarble Launcher.exe	powershell.exe
PID 2820 wrote to memory of 2020	2820	Netmarble Launcher.exe	powershell.exe
PID 5168 wrote to memory of 3436	5168	cmd.exe	schtasks.exe
PID 5168 wrote to memory of 3436	5168	cmd.exe	schtasks.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4256	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 1960	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 1960	2820	Netmarble Launcher.exe	Netmarble Launcher.exe
PID 2820 wrote to memory of 4596	2820	Netmarble Launcher.exe	cmd.exe
PID 2820 wrote to memory of 4596	2820	Netmarble Launcher.exe	cmd.exe
PID 4596 wrote to memory of 7116	4596	cmd.exe	netsh.exe
PID 4596 wrote to memory of 7116	4596	cmd.exe	netsh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\netmarble_7dsgb_A_installer_80943.exe
"C:\Users\Admin\AppData\Local\Temp\netmarble_7dsgb_A_installer_80943.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4416

C:\Users\Admin\AppData\Local\Temp\Netmarble_Launcher_Setup_nanagb_A.exe
C:\Users\Admin\AppData\Local\Temp\Netmarble_Launcher_Setup_nanagb_A.exe --gameCode=nanagb --buildCode=A
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe
"C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe" --productcode=/Game/nanagb --buildcode=A install
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
2⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\system32\chcp.com
chcp
3⤵
PID:3428

C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe
"C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\Netmarble Launcher" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Netmarble Launcher\Crashpad" --url=https://pnm_netmarble_com.bugsplat.com/post/electron/crash.php --annotation=_companyName=Netmarble "--annotation=_productName=Netmarble Launcher" --annotation=_version=0.4.6 --annotation=comments=globalExtra --annotation=email=d52a8281-089b-4add-b95d-87adf6a60e34 --annotation=key=real_0.4.6_Windows_NT_10.0.19041_win32 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=22.3.8 --initial-client-data=0x538,0x548,0x540,0x4cc,0x554,0x7ff7d6692898,0x7ff7d66928a8,0x7ff7d66928b8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4264

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Netmarble Corp" /f
2⤵
PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "SCHTASKS /query /TN "Netmarble Launcher""
2⤵
- Suspicious use of WriteProcessMemory
PID:5168

C:\Windows\system32\schtasks.exe
SCHTASKS /query /TN "Netmarble Launcher"
3⤵
PID:3436

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2⤵
- Modifies registry key
PID:468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe
"C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Netmarble Launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 --field-trial-handle=1944,i,7023593888175707487,7086429331412338540,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4256

C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe
"C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Netmarble Launcher" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2280 --field-trial-handle=1944,i,7023593888175707487,7086429331412338540,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netsh advfirewall firewall show rule name="Netmarble Launcher""
2⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\system32\netsh.exe
netsh advfirewall firewall show rule name="Netmarble Launcher"
3⤵
- Modifies Windows Firewall
PID:7116

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Netmarble Launcher"
2⤵
- Modifies registry key
PID:3204

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Netmarble Corp" /v AppDrive /t REG_SZ /d "C:\Program Files\Netmarble\Netmarble Launcher" /f
2⤵
PID:5088

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Netmarble Corp" /v GameDrive /t REG_SZ /d "C:\Program Files\Netmarble\Netmarble Game" /f
2⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netsh advfirewall firewall add rule name="Netmarble Launcher" dir=in action=allow program="C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe" enable=yes"
2⤵
PID:5136

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Netmarble Launcher" dir=in action=allow program="C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "Netmarble Launcher" /tr "\"C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe\" " /sc ONLOGON /ru USERS /RL HIGHEST"
2⤵
PID:4976

C:\Windows\system32\schtasks.exe
schtasks /create /tn "Netmarble Launcher" /tr "\"C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe\" " /sc ONLOGON /ru USERS /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:5252

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Netmarble\Netmarble Launcher\chrome_100_percent.pak
Filesize
126KB

MD5
d31f3439e2a3f7bee4ddd26f46a2b83f

SHA1
c5a26f86eb119ae364c5bf707bebed7e871fc214

SHA256
9f79f46ca911543ead096a5ee28a34bf1fbe56ec9ba956032a6a2892b254857e

SHA512
aa27c97bf5581eb3f5e88f112df8bfb6a5283ce44eb13fbc41855008f84fb5b111dfe0616c310c3642b7f8ac99623d7c217aecc353f54f4d8f7042840099abc5

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\chrome_200_percent.pak
Filesize
175KB

MD5
5604b67e3f03ab2741f910a250c91137

SHA1
a4bb15ac7914c22575f1051a29c448f215fe027f

SHA256
1408387e87cb5308530def6ce57bdc4e0abbbaa9e70f687fd6c3a02a56a0536c

SHA512
5e6f875068792e862b1fc8bb7b340ac0f1f4c51e53e50be81a5af8575ca3591f4e7eb9239890178b17c5a8ff4ebb23719190d7db0bd8a9aa6dcb4308ffa9a34d

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\d3dcompiler_47.dll
Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\ffmpeg.dll
Filesize
2.6MB

MD5
cf0ce44eeaeadb63f262dd1f9cc79b30

SHA1
f223d46b7dbd0694b17067430800e242c517c050

SHA256
cff733297361ff45090f0e0901a0e8c5a22ccf1ed2d22f7ef8025fa210e7d657

SHA512
cebb3ab59553fe4c2b96a72dc86cdc34a2b6d6380f57ffbfd3fbd16d55561ee9fc684b8839852e82b84e2063a9eb6a68b53ea8f67eaf74d356e9358dccead723

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\icudtl.dat
Filesize
10.0MB

MD5
76bef9b8bb32e1e54fe1054c97b84a10

SHA1
05dfea2a3afeda799ab01bb7fbce628cacd596f4

SHA256
97b978a19edd4746e9a44d9a44bb4bc519e127a203c247837ec0922f573449e3

SHA512
7330df8129e7a0b7b3655498b2593321595ec29445ea193c8f473c593590f5701eb7125ff6e5cde970c54765f9565fa51c2c54af6e2127f582ab45efa7a3a0f6

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\libEGL.dll
Filesize
473KB

MD5
26e1758eb69012d9fbd6aee47b58ce1a

SHA1
6cb6d0b464df1a456895714a228ff091c774357b

SHA256
3de9cc3f187e51d80839c97d991f4c38bcd77e10dc7731e8d99ff8c2d1656bf4

SHA512
5a5227d9777bcfe974440a313793eb879df41d95c7113e3d3e325392343a5a4bab8d12220ba6e9acd54eea8060ea19f3ac2508cde9945bccbc9b23a448a2c534

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\libGLESv2.dll
Filesize
7.2MB

MD5
71907c88b17a6e1d7917b9b504985c73

SHA1
111094effb16e84f2d035dfd93c9f63c89e7d6d5

SHA256
086c98136c102e9e1438539a9f42c50cf05b4cd1048e349daed173fc53da0964

SHA512
e99608d581f49d4f23e263de8e782d275c87fc11d56ff1d8db5d2192cd96341fb0b267f39fcd2e8746bdf02d49f7f3c3cc74a9dc6504e865f2d13e08c5677a70

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\locales\en-US.pak
Filesize
313KB

MD5
3f6f4b2c2f24e3893882cdaa1ccfe1a3

SHA1
b021cca30e774e0b91ee21b5beb030fea646098f

SHA256
bb165eaa51456b52fcbdf7639ee727280e335a1f6b4cfb91afc45222895b564f

SHA512
bd80ddaa87f41cde20527ff34817d98605f11b30a291e129478712ebebe47956dbd49a317d3eeb223adf736c34750b59b68ad9d646c661474ad69866d5a53c5c

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\resources.pak
Filesize
5.1MB

MD5
fb620332959ee6e46ac1c2a2f0e1b2d1

SHA1
eb18c735d187647c3c529932b8b80d9c9af09286

SHA256
66153f7b388503a9bab9df1fa157d3af88548bee264525694bca9a61ce3495e7

SHA512
1e5bfcac24a76ca8fae7b7fa5407f4eafeecfcda54726d66586f1171a7ba30cf76544d75aa44f1eb64b202e686ccd2c00c8cc0b24b249fc5c6c28c156cd03775

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar
Filesize
7.6MB

MD5
f0be4a6f4844a692176016502a5f8a71

SHA1
9f0ef64a937e3f55df50d34efb60ce26a32fd3cf

SHA256
b104d300b00c3f5d3cbffb7113f3176e11b3f4879088700538e230af3dbe263e

SHA512
c957a1829064d9fbfe6e3bd05cf534b260ff74ed50cd4baee0d8ad69bed4df9c387cc9684f5d216163aceeb6d3e73b401f5559334402c39014d475fe2c8af934

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\index.js
Filesize
500B

MD5
9fe8a485038be54d687ad7dd9dff80d3

SHA1
76fc7b47a329b759539bca0b785ad41c083c29be

SHA256
48659f660a13b5fa01622f87dc8a5306ce7c232abf93b82a3b2f6e94c2cf5c86

SHA512
0f3b2ce074ede02079bdab4229f6d4ded5eb7ec64546c3b9f103114aabb35093fecfd04677a0a84d3691fb49bae8a6c5489cee946c7f5f4b86aec3e96434dfac

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\package.json
Filesize
244B

MD5
2a3677c6c6bba9a148bc83c2f145d136

SHA1
1b828bd2e2b4eaaed8e68821692a0bf87bdd54db

SHA256
acabcd4f1c0b7399de4c213e8fdfd5d064f29e278f94bd5b763d8ac8555e2c18

SHA512
907651c11e31ce7c8242c825033e168c04a185e4717d6c28b1c77a48317ef662419c833300198fc6292721299905d7fe32069307bcc5751e3192e50c3c26209b

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\v8_context_snapshot.bin
Filesize
471KB

MD5
031ea03da08fe1247280cfe781658791

SHA1
e91db50ad16b5a5fbbaf4118672d60b347ea6161

SHA256
c16dcec41919a6d2850214f2275824be8a97d8c5e694e2ec8dd7d16ab2d5015c

SHA512
b3d6f282761f8ab8760728ecb108f64741f6f3cd2a143813042ff63a3b6604fcfe7c1feabafb65f9f67906217edb5851f44605a34f7a50ed2058c25ce5efb30a

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\vk_swiftshader.dll
Filesize
4.9MB

MD5
684b6d889559dc5d3485173fcc4f3659

SHA1
484a928d8f555671d19b49fe2557ae863dd76dd4

SHA256
ce16d8195d9851d521e012e3a0ed3d19474d53fdde27752a67ff1760e16bf3ad

SHA512
5fe6707a7af0b7865f87af0d7960f6d278900c7d185d1a2e150a2f37ff3c008674947629bb68195bd668d64a7a1d9cbce024504992eafe4abc48cab4fe215627

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tm2p3uyr.snt.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg8A3F.tmp\StdUtils.dll
Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg8A3F.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg8A3F.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg8A3F.tmp\WinShell.dll
Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg8A3F.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg8A3F.tmp\nsis7z.dll
Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr32D8.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json
Filesize
626B

MD5
dce85a5ae79e160629a8e9beb8ae3eb0

SHA1
38ecb360fdce22511c71721649f485118a40d1cd

SHA256
b02cb4141282538245cfec858fe03b933ee433ecbd42aa445e64a90f218c0ad1

SHA512
faf2e63f648b1c2f664aa2da1dfe004b20d0aeb05a1034c55c4c230b42874ad1f30d78614a3180eeb24e0782666812fa0ba4849bc1739a8bafced20ae22cb923

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json
Filesize
90B

MD5
e8b48bbed2dd5e71f274d96bbfdb8bc3

SHA1
32b1e08bab56c428bf3c09c0f208e2fa75b4ef7a

SHA256
2c428e006902a3f40cc0a086830152c4e77d38333544e03e6e974c3d2f01b0dc

SHA512
12611d44ebded02c2906183333fcaef5e22a9e22608242e4954d29848d7732c9a40b1ea62a2daadf5942e7135098e64c0e87db83edd1560d888cdc5273cf0f86

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json
Filesize
579B

MD5
d0bfbfadd958cdbdba9d3ffec19c16d2

SHA1
8f3a8b9ac19b8935f73d00cdb03c9d96083318de

SHA256
3689a3bb3843a9a251d6c145002fa850d57bca3554044653dd6ac9eabab36a70

SHA512
822ce85ebfe15110110c2a56e4e3b83a035f91211fe8b07c5aee9847431c5e6a7f047505611dc11edab4640e22c1e6c0881389bc75b6a0115237de47fe943738

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json
Filesize
330B

MD5
126d9090bf382b1e9ba53f1bfd60d1bd

SHA1
e8f437ff9c1fb9085aac76f038d3d8a8672a9d68

SHA256
d42d955dcc8a08d868ec0d37ef0e15ecba164b0f6dce13df35779f173ec85252

SHA512
83ba860d573dc7774bb10cdf40e5882fd290cb9c04807ea0f2d58cb9ab39cd2266bd75f678236c9c4f9d6f777227ba4125d5b13b29daac4200ae042429c42dec

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json
Filesize
196B

MD5
2e8a77531bd4acf80c3b1ba352328724

SHA1
48cf1ba496f9e14f795a4f6e587ba2ff397ac416

SHA256
9f2ec5ce0c58ece1b95084f5ca916468fe8531316ba2d1591a73e81d2068dc11

SHA512
7722608e5432317c04bd7efdc41e64c372b1205f4826814c3be1aa58c8f223c394d4735219db27770640795459666d8ed7bc8cb5209e105fd9baa010be331440

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json
Filesize
240B

MD5
46edf1b913f44676f0115cfdd5e8c936

SHA1
cbfe32cabb5519b7c32409d850882b7dc66ee0e8

SHA256
5780ac7a652631581c32f7cb80dd0934c7ecedd95d31ba9d593c0c4c42a88da9

SHA512
ed7fe7c9cf09c626a07db8d0fc60080ae163abb970033057be25a3e2a09d67bd2ca74b4e73f59a83a30605c0baecb719afd593d463ebd8074a74f0eee1ea803a

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json
Filesize
53B

MD5
9c364621a0ef6641b54f28bd62bd0a9b

SHA1
1cf38a7472f9b410120559340426ad64d80c2c3d

SHA256
95f4ad8dac81909892f477feb4e7d3ff8c8048767dd7f339a40ad80e7189109d

SHA512
af25dc26a8b7899f380d2914a3e2239dd692cac923b11e6d770d636defbcb9bc672bcab5e3fe33d1585f610d65e8a755bea5926cce0e8d15135cec8e50efbcb0

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json.tmp-64249817941c8d94
Filesize
176B

MD5
c218a11bcea08c614324e78426cd841b

SHA1
cd4cbddbcbba9c548b97f8105479d4f6d7119088

SHA256
8728c27ce8da797c87f0c7d5fac85678edbb3ab36f9cd89720f70e8aeb1f7f4c

SHA512
f6f2b73d8e59ef4395cc5876ded50ffd468efafaf17e9a48b42527437663efe5756b2d65b8d4a97f6abe58d55dc122bc5fd8818f690b65bbfcdb9381e936a6b7

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json.tmp-6424981826bd61e1
Filesize
217B

MD5
ba508c1b35f5818a15bb61997b412c1a

SHA1
621ca25e917b05d6fbac43cf93bd55e9c5e4e3f5

SHA256
32ecec35297f32f0a6e8096a23aeb896d7ba967632facc5323c1cbf35c6a667b

SHA512
60af012da6f24cd44c0a69277e7b4a82a28c860d10adc9f4c0be6f97f940ea1e1a297c00a69695c6431851d83715775c041741d667ae27f9a027829fe25b1b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json.tmp-6424981888f5dc1b
Filesize
263B

MD5
d3221c634477a8f07daf287fa042350a

SHA1
73926c949d214d756915aa98a77adb8769abf40b

SHA256
8746eae280651c60888fb3931f105c61b0ae6d2ede3e5f396a0cbe2d434a0279

SHA512
12e66db6c803f194ad2e0d41c1b73f5bfba6986c4fe3fb08fd7079b0488e6b22b685dc28acba0ce54dea8ff3e1de84668437eaec7d5f6712cfcc2fefdced69a9

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json.tmp-64249819198f003b
Filesize
285B

MD5
f0aa36a65161d17213a30c952f3d877b

SHA1
c33db65d2e4d574fbc3decc2f89f69b51a4266a3

SHA256
8298b411154038273cf3817e2e6f7aaba114f75af83350405800d8467e5c578d

SHA512
1f37704030f319e6caa180a6de1afb6bc8954cbba1cf254d8ce5ab059c332b191ac8cba97e0621ef42a4f174172a323d04e2a678f427db93b1a9e8abd90cbc24

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json.tmp-6424982013f53c28
Filesize
309B

MD5
eb62e2aca7c87a131654cb12fe81e06e

SHA1
382aaf7ce49d164a88b6eb149b70f905beb5bebd

SHA256
376e56a2febdfc388514c1221367a67edb79f1461d66412dae6abe3c3b0004fc

SHA512
8a042ae88b231fee48b11e27cbf939d91a2372be14e41f5a846feceabbcb767f0816d23eff369d7647b5da20d368de8618dd6687887f1bda88e01a947ebc2a81

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json.tmp-642498204427fa8d
Filesize
496B

MD5
8b6c9357655c152d506e524e86f30508

SHA1
bc0547d758494b2c269ae4f064c16a1adc5668a0

SHA256
e2a410bf347ad00dbd347912e9fd5269d07baaab92e2e05729e1f5275a063ad7

SHA512
c67e7f40d65a70d05d1b2ab8fcf13198a1df66dedf2fbc59b9713fc16bd9004024da3d23868e176b553f5980f527b1535b670f07da0ac1f9f34ac01f0441064f

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json.tmp-6424982091e5b966
Filesize
514B

MD5
8ad40e43a263b5e8b8c7463da7bdcd6a

SHA1
dc41b8a5c864b222c4fc2bf18b160a8ec5e05a46

SHA256
01980b50c19371f4b46117e6a5314874be009ae0322e869bb5b70221c23104cd

SHA512
7fb68fea8e80f5b5d1773af8fded6fc845e3b2f6a8fb44234caddc1fa659a74fd7379e6173064e422ede65e478a10a9f2fd7277a075a21109272e4be3e0e78f8

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json.tmp-6424982404a595c8
Filesize
538B

MD5
49454948009ddb63ffcdc5b9f849a32d

SHA1
d983c956bb356946addd79ffddea8fc3094073ce

SHA256
045570b67f762e09193683cabcb12833a6f02bdf96cce37b9ba02c4a8b6656bf

SHA512
d8cd840aa9e3d8e4841590834a181038e4f88d5b64aa1f806938e71c02bcf9ae9ae7799b5548a6c155c876bbfe915178fc3c773bf7f974e2321814eff20583e0

Download Submit
\??\pipe\crashpad_2820_DDRFYHOKWYORDLVV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2020-1795-0x000001D0F6170000-0x000001D0F6192000-memory.dmp

Filesize
136KB

Download
memory/2020-1805-0x000001D0F6680000-0x000001D0F66C4000-memory.dmp

Filesize
272KB

Download
memory/2020-1806-0x000001D0F66D0000-0x000001D0F6746000-memory.dmp

Filesize
472KB

Download
memory/4256-1188-0x00007FFB8F1D0000-0x00007FFB8F1D1000-memory.dmp

Filesize
4KB

Download