ff7d02d307aeb1bd47ddb741e5dbf8506a02213708606e9cb907a976d326bad3

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Papers.Please.v1.2.72/setup_papers_please_1.2.72_(43909).exe
Size

39.9MB
MD5

14518df790b7a7037f36bd4659993ba2
SHA1

7ff4a19b350509a40fd56af9151b018fbbb9307e
SHA256

a68333f6b65fe32beed8bba04c635d2f7e2faa7be0dddfcad745bba1c99e2cc3
SHA512

7fee86832d9e04cb8dcbcc993bde793ab4fd079fefa4589e3d5836fa1c559b79e8a80f8b3435848f8b362af4b73d7a94f90fd0a8e388677ed57ae13db6195045
SSDEEP

786432:eBaazxGwuKbRo91k3y/kMZWvVyPf/Wj8LT3y53RZYvv/w/go1b24Rt11di5g:HazY5MPynwuf/c8LTuT+iN24N1dAg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2012	setup_papers_please_1.2.72_(43909).tmp
2932	scriptInterpreter.exe
2600	scriptInterpreter.tmp
2664	PapersPlease.exe

Loads dropped DLL 21 IoCs

pid	Process
2676	setup_papers_please_1.2.72_(43909).exe
2012	setup_papers_please_1.2.72_(43909).tmp
2012	setup_papers_please_1.2.72_(43909).tmp
2012	setup_papers_please_1.2.72_(43909).tmp
2012	setup_papers_please_1.2.72_(43909).tmp
2012	setup_papers_please_1.2.72_(43909).tmp
2932	scriptInterpreter.exe
2600	scriptInterpreter.tmp
2600	scriptInterpreter.tmp
2600	scriptInterpreter.tmp
2600	scriptInterpreter.tmp
2600	scriptInterpreter.tmp
2600	scriptInterpreter.tmp
2600	scriptInterpreter.tmp
2600	scriptInterpreter.tmp
2600	scriptInterpreter.tmp
1192	Process not Found
2012	setup_papers_please_1.2.72_(43909).tmp
2012	setup_papers_please_1.2.72_(43909).tmp
2664	PapersPlease.exe
1192	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2012	setup_papers_please_1.2.72_(43909).tmp
2012	setup_papers_please_1.2.72_(43909).tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	3036	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3036	AUDIODG.EXE
Token: 33	3036	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3036	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2012	setup_papers_please_1.2.72_(43909).tmp
2600	scriptInterpreter.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2664	PapersPlease.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2012	2676	setup_papers_please_1.2.72_(43909).exe	30
PID 2676 wrote to memory of 2012	2676	setup_papers_please_1.2.72_(43909).exe	30
PID 2676 wrote to memory of 2012	2676	setup_papers_please_1.2.72_(43909).exe	30
PID 2676 wrote to memory of 2012	2676	setup_papers_please_1.2.72_(43909).exe	30
PID 2676 wrote to memory of 2012	2676	setup_papers_please_1.2.72_(43909).exe	30
PID 2676 wrote to memory of 2012	2676	setup_papers_please_1.2.72_(43909).exe	30
PID 2676 wrote to memory of 2012	2676	setup_papers_please_1.2.72_(43909).exe	30
PID 2012 wrote to memory of 2932	2012	setup_papers_please_1.2.72_(43909).tmp	32
PID 2012 wrote to memory of 2932	2012	setup_papers_please_1.2.72_(43909).tmp	32
PID 2012 wrote to memory of 2932	2012	setup_papers_please_1.2.72_(43909).tmp	32
PID 2012 wrote to memory of 2932	2012	setup_papers_please_1.2.72_(43909).tmp	32
PID 2932 wrote to memory of 2600	2932	scriptInterpreter.exe	33
PID 2932 wrote to memory of 2600	2932	scriptInterpreter.exe	33
PID 2932 wrote to memory of 2600	2932	scriptInterpreter.exe	33
PID 2932 wrote to memory of 2600	2932	scriptInterpreter.exe	33
PID 2932 wrote to memory of 2600	2932	scriptInterpreter.exe	33
PID 2932 wrote to memory of 2600	2932	scriptInterpreter.exe	33
PID 2932 wrote to memory of 2600	2932	scriptInterpreter.exe	33
PID 2012 wrote to memory of 2664	2012	setup_papers_please_1.2.72_(43909).tmp	35
PID 2012 wrote to memory of 2664	2012	setup_papers_please_1.2.72_(43909).tmp	35
PID 2012 wrote to memory of 2664	2012	setup_papers_please_1.2.72_(43909).tmp	35
PID 2012 wrote to memory of 2664	2012	setup_papers_please_1.2.72_(43909).tmp	35
PID 2012 wrote to memory of 2664	2012	setup_papers_please_1.2.72_(43909).tmp	35
PID 2012 wrote to memory of 2664	2012	setup_papers_please_1.2.72_(43909).tmp	35
PID 2012 wrote to memory of 2664	2012	setup_papers_please_1.2.72_(43909).tmp	35
PID 2012 wrote to memory of 2664	2012	setup_papers_please_1.2.72_(43909).tmp	35

C:\Users\Admin\AppData\Local\Temp\Papers.Please.v1.2.72\setup_papers_please_1.2.72_(43909).exe
"C:\Users\Admin\AppData\Local\Temp\Papers.Please.v1.2.72\setup_papers_please_1.2.72_(43909).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\is-5MEIS.tmp\setup_papers_please_1.2.72_(43909).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5MEIS.tmp\setup_papers_please_1.2.72_(43909).tmp" /SL5="$4010A,41259132,192512,C:\Users\Admin\AppData\Local\Temp\Papers.Please.v1.2.72\setup_papers_please_1.2.72_(43909).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\GOG Games\PapersPlease\__redist\ISI\scriptInterpreter.exe
    "C:\GOG Games\PapersPlease\__redist\ISI\scriptInterpreter.exe" /verysilent /supportDir="C:\GOG Games\PapersPlease\__support" /SUPPRESSMSGBOXES /NORESTART /DIR="C:\GOG Games\PapersPlease" /productId="1207659209" /buildId="54011959879672295" /versionName="1.2.72" /Language="English" /LANG="english"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\is-LDK40.tmp\scriptInterpreter.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LDK40.tmp\scriptInterpreter.tmp" /SL5="$301D8,662929,192512,C:\GOG Games\PapersPlease\__redist\ISI\scriptInterpreter.exe" /verysilent /supportDir="C:\GOG Games\PapersPlease\__support" /SUPPRESSMSGBOXES /NORESTART /DIR="C:\GOG Games\PapersPlease" /productId="1207659209" /buildId="54011959879672295" /versionName="1.2.72" /Language="English" /LANG="english"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      PID:2600
- - C:\GOG Games\PapersPlease\PapersPlease.exe
    "C:\GOG Games\PapersPlease\PapersPlease.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2664

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GOG Games\PapersPlease\PapersPlease.exe

Filesize
11.5MB

MD5
882bec28e46fa335a1e7b73b9fa84872

SHA1
cd563b57681766bc20124d00ff94c85ee13c993b

SHA256
ed9763825186a25b6891997a03eb65cb94325403812ac4e246313e68a8d24c94

SHA512
19376c3c7e79c0e1b9a42debef317b3073aa2936c01285b366148283f893682f33a3d03a58e908a0110f5f2d1d6e480f96165a2cd3d636434c66ce1e403b2c2f

Download Submit
C:\GOG Games\PapersPlease\assets\Art.dat

Filesize
2.9MB

MD5
83a2ee437fa70505b27ea3e59e84dc47

SHA1
828a37a43302093a71c894e22b0836ad091147f3

SHA256
8872399393c4b403af34803bd26fe7fe47883e0c05b746ec1c50578eaeafff08

SHA512
66b1dcc07e718d8a2f41de363c86249b8eec08da052a20924299eef62ad97255b4b705e339e2cab4b2409c0ca55c780143e1684e0ae1c7c3f98fec08a6aaee2b

Download Submit
C:\GOG Games\PapersPlease\assets\Inconsolata-Bold.ttf

Filesize
66KB

MD5
819f56653a4197a7959c41ddfc8ff69b

SHA1
995a8160348f586143c9b3bc3c527786066779b5

SHA256
546ab1e196e94157a89af9fe42efea5149cbe346615023681461189d7a4496bf

SHA512
c9bf15571366fb0d0d9cf7128e2865f31d26f40658ebce234ffd351deefcd0d30c75321a16d991efca915404786a2491af7905527c3c01c1f9cce5e5f2352412

Download Submit
C:\GOG Games\PapersPlease\assets\music\Theme.ogg

Filesize
2.0MB

MD5
63236f4627837ca08114651fb0d062d5

SHA1
a8aaa4c6ad1af1151ed096cda4483e4d23ef6430

SHA256
5ffbc7ea354b5d92775952e6cf18498a740871f1dff349a308987ce0c7f2320c

SHA512
bf85b1b5b474efbea7c2ab235993b7f0df78a6241bf0ff9a92aaecc970fa4764567cb63824ad19b8dbefc53c6198bfbe486b7e99b2f444ba33e766ae4bfc7e40

Download Submit
C:\GOG Games\PapersPlease\boot.xml

Filesize
1KB

MD5
663c08216b9cf33586579477b7a50413

SHA1
8a1d10e3b1e998f82d6b6b4e2e9b061735bdcc2c

SHA256
573962eabdbab1f83c81fe57d97627c62c766b54ba369dceade281894aa9ff45

SHA512
26becbfe1b38936d0fd3cdd6c20b26e96fc9bb2a5630e307d08bb1e1ba8cff480acaddce5f1f23f232934bb32f8479272736ad91cc905ed136c2d60cf877241c

Download Submit
C:\GOG Games\PapersPlease\goggame-1207659209.info

Filesize
785B

MD5
7523f1f3f84f4d45358855a3bc6d71e2

SHA1
2d1401b14785ef4da93cf1069b1e5c89f5cae54e

SHA256
73b0cfb0ad8311a646aa1e24755a4eb0ad1c15014fa94c7bf3bd9aa6eb6f08cc

SHA512
eadc55101602ba18d329f659e47ed6535c97f10fc87f4b9a08b570055144508760d81342d5ed82d438fe9b7522a1a1b2e3dd4dd5d39883a2a24613923eaa73df

Download Submit
C:\GOG Games\PapersPlease\loc\en.zip

Filesize
519KB

MD5
ba4bb9850d58ce5841aaef7fb4ab323c

SHA1
186ff341902a9c260427cea0b1fc31f6e5959fcd

SHA256
8eeed8807c1534df068c2a5f5fe7f788ca1c5b05f9299b336f6c2a21ea4b7b58

SHA512
4195a53fa2a11404b3a1efcb87d7ebcc5e4665a97ac484da9a99349dddeb7e737c073ec5740c7e59e6a4cbf96000225507ed30ecb5e010604ae345774b39820b

Download Submit
C:\GOG Games\PapersPlease\manifest\default.json

Filesize
6KB

MD5
d345a5a62376a1afb35d341369b26ac1

SHA1
e5f37abf90b047b162f685adecf9a0a1f8c44fdb

SHA256
41b5ad90ca9760ee1e5dbc13938cf0387bef46c92a3abb37e7501fa5214e8847

SHA512
cd2ba734f94e6adf71c004b8648bf1f84e58c50685c9be0ab6523cd835f711a7789f6a5c72df54a3c229eecb169124851de64f23fe3dcff5a10e55a92ce5ab45

Download Submit
C:\GOG Games\PapersPlease\unins000.dat

Filesize
393KB

MD5
8827e5a4fa7eaa8452c0d05025799f10

SHA1
9d19cb19c077015f9d2b50d38fb125e6af2529ff

SHA256
348284bdd2a799ccb636bbe93741624879a6406480f6aa18592da34ea3c11f0f

SHA512
ae6de38d1250370a1cf0cd08c6fdd5c4a25fdc0b5d30002d2ff706ab4150f2965a2ccc4a67f37ef5a7b6914dda05aaf77430fa934afe6c64446457d58080aed8

Download Submit
C:\GOG Games\PapersPlease\unins000.msg

Filesize
22KB

MD5
668a2187f89c993485bd46382ac682aa

SHA1
abeefe05d6d6f64c0ef1f5e023f1861000aadb55

SHA256
e43d06ec2b3dbe3d81bcd6b7880d28d074dac54b38646a605cfc5c809939da16

SHA512
4f056b8c69c0674ba725450bb6242625389f23043a46ad95c6452893da02e1349f6067a1e19e86c8182867b08b8e78da98bedf02d2c94c3aa647b45ec6da56e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\1453128328_english.jpg

Filesize
169KB

MD5
73531469663b65b58ea58497d9f66a70

SHA1
25a9b2ddb532c7a2d9fff18e84648ec800978996

SHA256
b6031406db401249f4466bd0f0c76b98e0fff5d00479e879baf99f9dfd985a5d

SHA512
c03d4817841e018ca052209fcc9cee72e67bab4295d86bcde94c40fbb7b255caab93cf3d9f2dfd36d0e2eb18cfb01fdfa1345fe7e73da6917fde0765eaf3197c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\2047670766_english.jpg

Filesize
126KB

MD5
856288ce81f2cffff2161dcd39c4d5ae

SHA1
6db011e7f404588119c3880039ebd4e4885eb2cc

SHA256
7169ca70130246af8e68a6d27875dc39e4be2db2a0f3f97fd4153ec7925661cb

SHA512
206cf61c018c3eab1940a69acb12165cb5b1077836cfb6ce921752a07a9632fe4c25e50567b243a6e3c6f13364f8e9271a7184a1e1c08e01465c436f04b058c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\BigOK.png

Filesize
3KB

MD5
5b43a5d975a53f4fc1da67ce9f7784c1

SHA1
8543fa1e471030049942252b23cb22e0880c3af5

SHA256
59d8bb3e87a89ef523c0495addce38d69560af42aaa82f56dd41b12e6612c13a

SHA512
5dd5c4e9859a555a4a32da76f5231b44f7556274c6501da530b2cdd570bcb4675f710bee708322a40ed3ef9280c0d652b4e7ef0e9eaf128c08534f59291917f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\EULAAccepted.png

Filesize
2KB

MD5
461dfeb75927bdb39f9db5348612a611

SHA1
b7893b1fff6801e37ee7337d876962a09184941e

SHA256
0de278f5ca6d8570d9bda592268a14a28b87d3631fea2d25721947397aaab79c

SHA512
68528cf45c81c2c024a672f42c2cd6d4f72c015b443f103ca21deb8ee2bec4f4027490e7f33b5338a87537b5bf7f255f2828aed149f622155ec89cc81687651b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\EULAShow.png

Filesize
1KB

MD5
c596bc9111edc702bbbb29b70984254f

SHA1
d4712c7b91ff4f8994e7907d31357c42eb47c738

SHA256
6112851daea2aaa7174e8cfac4a0f61c968bc090342503804c476eff47cc2462

SHA512
db50d0a39ec644873a03d64552fff1776cc94f016e8dfc8918e65aee94f7529a6de4637567b5e65c4ea988f3775785c4b52c2d96fe8dbc52b1e21ff59c737c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\GOG_new.png

Filesize
3KB

MD5
d5b63bdfa47ef5954917c148bacf7b13

SHA1
5302c6715d9e9b5d2768b130f3e516e175684cc9

SHA256
0804b385c1736e009fe8c3b1b14085b9b9abb40ce487360002ab4a8f3505f4e0

SHA512
b5cde681be9ad1c1211559dc4b363003bf547e8dc965dbb9560fdddfc28ee1d8f27cc534dd00864d800fd351c48694d7dc8df55fc3d8d69acf8b702c7b421aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\OpenSans-Regular.ttf

Filesize
212KB

MD5
629a55a7e793da068dc580d184cc0e31

SHA1
3564ed0b5363df5cf277c16e0c6bedc5a682217f

SHA256
e64e508b2aa2880f907e470c4550980ec4c0694d103a43f36150ac3f93189bee

SHA512
6c24c71bee7370939df8085fa70f1298cfa9be6d1b9567e2a12b9bb92872a45547cbabcf14a5d93a6d86cd77165eb262ba8530b988bf2c989fadb255c943df9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\background.jpg

Filesize
416KB

MD5
500498a437a2fc611721405ba1f67746

SHA1
a13af882cf40884f62d8ef2fa97c5c321db7e3fd

SHA256
c25063204ea2bf9311c6e77720d4a69bf11999fb719e78012c1ffa5a4cd3ca22

SHA512
4e495d484dfbd18489b0cd7f55320ae34b41eb5441a6f8149adea17d167c88b2429237b1a0f59fd883b659c7b3e8d2dbf706077c70a741aa4669351c7938e6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\btn_md5.png

Filesize
8KB

MD5
3befe9739354ee24a0b1ea8df05ce274

SHA1
ab0bda986a8c46aa19f57b75a2b7b22445a3c625

SHA256
b0193ab375f604fa4a25cabdea8f713babde1c07ab562ffc5679352c8e01db47

SHA512
ac016a59e0bfc9b22c376ae5d498c5660893a983d932b2bd502dabe032883c69e79ea8d93c2db49f95415c3cdb068e9f7d1d85527a4f9e68e065a989852d09dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\error.png

Filesize
726B

MD5
df10adc25b673e74e19971c17bee5a98

SHA1
ee16fb1cf9491f5e611282f0574b27d76fede412

SHA256
142b16dc6239421691fa6e619d1a61e61176d89fa018a88b46893c29a57aad8b

SHA512
dc3de10e0321966cbbfb2e57b3b41da6f26dff0c7233a47469da58775b5c471e6b5181e4d4ffc81ef8b83dbcad74ccc1aad7678518f99c9185a441d2a23e010f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\error_icon.png

Filesize
1KB

MD5
263720c4b8bb111567a2a49989b8f467

SHA1
cf346fa3c70164648e0eaf72a37c6f4920ab4792

SHA256
acdf96ee4261fae138e6350a0ad50b367022ed5b908fa168baad92644f566ee8

SHA512
94f06a81dc735cf264abde86e6169e5fd78d873d2e926fd48287d2ac5208fc930c3c432186e3510add002bd1b4ae32ad8d35270b17c3ce5f18c43764a8e9de43

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\ok.png

Filesize
1KB

MD5
103c1368e60806b1b7995a0894eacf87

SHA1
971392527f6e4b655044773132505c901a6b5469

SHA256
0d37d4421a39ca8852eb6760b8e914302bdc6cfcc7b170dc1b6c9bb9be148b7e

SHA512
652177e94438aff102f2ed873b26f0985ebed134763852b49b1ca2698463c1dbeb85152f19c8e18d397229ec5cb2cd1d17c61d454ab7c425a2cab540adc8228a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\progress_center.png

Filesize
1KB

MD5
ad7fc1e37e40da38dd57adc446cc6c0e

SHA1
08033265deb9b45243cfa0065d98ffe13a039e26

SHA256
2b9dae87340e66b67ab1d8247d4a137628e324969f92fe1098f95a7c5bab2f43

SHA512
dd715d74f8e1ed6ab75b7b6530b383ac47040d8baa7728be160f6d230bf485a9cc54f15f7dc85b122ce56e54d63fa4890e510dfc89d9c9344e31f789ebac8756

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\progress_left.png

Filesize
1KB

MD5
290c7612ad7a077028cd3dc78ce99673

SHA1
18995fbe39d05e4a1cafc7cc2e0f6fb745442f77

SHA256
85e39d909a7300fa2043ec42818582867b981401264b14fc5408e477ae0b4668

SHA512
799841f5b8a1056e78a49c823009750e4b93af130a6c4ff9dc6d386c06b88614e53b46a6df62f5a217d5c99da01cf4e2fe8392c73d39e81000045291cf24205a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\progress_right.png

Filesize
1KB

MD5
c25a41f022a74308d944d1e807d72f44

SHA1
83c6bbec3fb373fcc78ce0e737742100994cd6d4

SHA256
396a3351fe409328782ab138282cf9cec061a5a9540a3506700a620db1f54e7d

SHA512
d2f4449195f3e60c826cfabb52a083d829eb9d0509272977d8fdb33bc5214678949cd27d0594684594e0a3eda2351c39cec8d91923cb716ad144ccf2b966c8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\slideshow.ini

Filesize
283B

MD5
17c990feea0fa3a3e9185a87043dd831

SHA1
823b1373a0192863d02b8ff265dc7e1d9ff73347

SHA256
ce9de7749c073ccdf306d638d66429dfbb1bcfa66da6cc81edf47da59efa9162

SHA512
8fbc5e1fa47cd9deb33aa55f33ae372db9c085f76d9fe53d067af78eecbe666338006f5b9d25fcbd9f740c1ca6cb9fafbf8dd17c58ca72ce28e421b60606da92

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\track_center.png

Filesize
1KB

MD5
3f2b0c22f8ea28dcbb82b39a16a039aa

SHA1
b3f4dfc2ea86fbdad05877b4c356b7fa8016731d

SHA256
794f9eeca7fd99846968376b76a296c927532cef1271325cbf555caa0d0d5860

SHA512
b4bf65d751717e85418947662d315ae3bcb177f60914832fefeeb95da9eddb75eb5531c62e5a5a70ff03c8a025b5a03e61ffbdecc9f483bea9684454ca9362d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\track_left.png

Filesize
1KB

MD5
55dacb00cbe2825a8540236c5777a205

SHA1
18a52ac6c741b558500fbc1716d46b4fe4471982

SHA256
a8340fb5380c922b60ea40043590dba067dcfed6e22636851691df38156a3aa8

SHA512
2ea444cc1080f20761c8d71d96fcd04ef48254cdc1dc41d1d139f459ea5613fe12f6e4bd026bf33a5c01ff038e72e05dae2f8fba33ff517dd395e1911f10ff10

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\track_right.png

Filesize
1KB

MD5
ddec70b6c49be3e8c3a7d01c2f6ff1c5

SHA1
5383271999f787c36b1dc8f3cc13c8407b195439

SHA256
f54cd6e42f2b2bc5cb8a15f6a28f1499abf094a519ebdf39f4c4e167312c9c16

SHA512
f43f94b194b5a7eafcec9e831f61042859c30e1af2e2447195bdd06b12c90982181161a1c1be5aa5223ff664f88e4891bd71cfffb7ef672d6fe4f614030e0e01

Download Submit
\GOG Games\PapersPlease\__redist\ISI\scriptinterpreter.exe

Filesize
1.2MB

MD5
c8aaca5f97815ab662436e5449aed17e

SHA1
4e47cbf558a813d102aee87284c404a02274eb0a

SHA256
d8667e94d5a9fe2d81e04df7e38f792bcf37aa727c24787014a51bd77fb19c65

SHA512
50e16042834a7ee6bd30b471142d17e526419b325c45b1f945323a01d773833a7011d9a820594515114043c06b6cfbebd7948778a6f6f6883b44680c13535f97

Download Submit
\GOG Games\PapersPlease\lime.ndll

Filesize
7.7MB

MD5
f87ea1a6892b1a02615d4efc2af42ae7

SHA1
1aed7c51a52b27e3fe4669a7813de83f86243ee2

SHA256
65ca003dd8cf1858b1685f94379a93fb5fb70cc304e3b0dfcbbb0b8fe7ff68fb

SHA512
97f7eac332045310f6babe28ca107e9755ab873aeb1610a9f3774b2858dd77e781ad89303cad7b3898fbcfcf51f6720b2dde49716215459e377dafd00462e362

Download Submit
\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\crcdll.dll

Filesize
69KB

MD5
1d51fac9e2384eeb674199cfd5281d7d

SHA1
861dfdc121357d605d0cc3793266713788109eb2

SHA256
23e90ce5a1f2d634a7bf5d5d0522fafeea6df9e536e16f5ce91035d5197128ec

SHA512
921b00adfe43b883200960e8d0958d4e6b97f6d5cfc096ee277766a3e44cc7805a20877a4edf8bd4d9102bb71a20ac218a9a512f4f76bd751d3ef14f4e0a6eda

Download Submit
\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-12FRJ.tmp\uninstall.dll

Filesize
691KB

MD5
7db706c324cc9b6fda497d081eed6e26

SHA1
ca97392e573af0cf61bfa3301801a85f2beea44c

SHA256
cc685dbcf798549ad1a51c1dde45462e2a451ec59f48ee91219182a3871cd5b0

SHA512
8edf1494d57d5e708faaff4170f21f435658be897a6fe0acf243ced0701a7fd574b3c973c5bc5e8d92815e966c98977e69ac1e3083ab00c11b072115527ffa19

Download Submit
\Users\Admin\AppData\Local\Temp\is-5MEIS.tmp\setup_papers_please_1.2.72_(43909).tmp

Filesize
1.3MB

MD5
7aa3278ca293e01a146574c25fa6df2f

SHA1
92d41ac02cbad9237d05925a3714f1f1b15abc0f

SHA256
f91cf6092279d7b98a347743d92811b4a7f5b80b8bcbf7ad6d5be32e946d197c

SHA512
2c745de2c0ee6b5f1edb95ea6b9b2db01715f720ccde1a8fc4fc5543b52368a64d9e221e70f680ea5c39e604f65d422e77940e36794c043a2d08bfd7f08ae001

Download Submit
\Users\Admin\AppData\Local\Temp\is-LDK40.tmp\scriptInterpreter.tmp

Filesize
1.3MB

MD5
01190d8b6805fd4d2a68750fbd041966

SHA1
c5c967d47cc57112eec5fe7db0229b36e22ec661

SHA256
5761e7789d813626cd68ee1e62429cfeb92bdd814cd29ef12fc4ae9ec1dbaff3

SHA512
c079f1674f800bbcfe97d95e596314ba9f74bc7f87433dede4da91978c9ba9b1f0b22a4b690a07171983c46ac35e523a52df143072f700279914279de133957d

Download Submit
\Users\Admin\AppData\Local\Temp\is-P23ML.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-P23ML.tmp\uninstall.dll

Filesize
712KB

MD5
f3a88277fc7e0c057c40e47a7e43f9ad

SHA1
78ae0052b323139a4de7a5361a40503a39339f4c

SHA256
d88bcf910e7a5ce4d76ca48b263ef226911b455d3a8db80c9fa69aeb2b3898a1

SHA512
3c40377600fbb814fe19423404d2fb29f6342ab2a3a6d5dc50f42086fc0f59174184a0870d7f04fb6ee5f84828e1ed282396bfcb70842084af25f5af15cc8a1f

Download Submit
memory/2012-16-0x0000000003710000-0x00000000037C7000-memory.dmp

Filesize
732KB

Download
memory/2012-139-0x0000000003710000-0x00000000037C7000-memory.dmp

Filesize
732KB

Download
memory/2012-959-0x0000000000820000-0x0000000000972000-memory.dmp

Filesize
1.3MB

Download
memory/2012-135-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/2012-168-0x0000000000820000-0x0000000000972000-memory.dmp

Filesize
1.3MB

Download
memory/2012-813-0x0000000002050000-0x000000000205E000-memory.dmp

Filesize
56KB

Download
memory/2012-812-0x0000000003710000-0x00000000037C7000-memory.dmp

Filesize
732KB

Download
memory/2012-811-0x0000000000800000-0x0000000000815000-memory.dmp

Filesize
84KB

Download
memory/2012-810-0x0000000000820000-0x0000000000972000-memory.dmp

Filesize
1.3MB

Download
memory/2012-59-0x0000000002050000-0x000000000205E000-memory.dmp

Filesize
56KB

Download
memory/2012-914-0x0000000000820000-0x0000000000972000-memory.dmp

Filesize
1.3MB

Download
memory/2012-138-0x0000000000800000-0x0000000000815000-memory.dmp

Filesize
84KB

Download
memory/2012-146-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2012-8-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2012-140-0x0000000002050000-0x000000000205E000-memory.dmp

Filesize
56KB

Download
memory/2012-137-0x0000000000820000-0x0000000000972000-memory.dmp

Filesize
1.3MB

Download
memory/2012-12-0x0000000000800000-0x0000000000815000-memory.dmp

Filesize
84KB

Download
memory/2600-794-0x0000000003BE0000-0x0000000003C9B000-memory.dmp

Filesize
748KB

Download
memory/2600-839-0x0000000000ED0000-0x0000000001022000-memory.dmp

Filesize
1.3MB

Download
memory/2676-0-0x0000000001060000-0x0000000001099000-memory.dmp

Filesize
228KB

Download
memory/2676-2-0x0000000001061000-0x0000000001072000-memory.dmp

Filesize
68KB

Download
memory/2676-136-0x0000000001060000-0x0000000001099000-memory.dmp

Filesize
228KB

Download
memory/2676-960-0x0000000001060000-0x0000000001099000-memory.dmp

Filesize
228KB

Download
memory/2932-778-0x0000000000900000-0x0000000000939000-memory.dmp

Filesize
228KB

Download
memory/2932-840-0x0000000000900000-0x0000000000939000-memory.dmp

Filesize
228KB

Download