Malware Analysis Report

2024-12-07 17:07

Sample ID 241113-kv5l2asjen
Target rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe
SHA256 526a103055dc5a6a100f83427c63d192b3c9ab23712a8b1611e996cd94a0416b
Tags discovery defense_evasion
Score 6/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery defense_evasion

Downloads MZ/PE file

Looks up external IP address via web service

Indicator Removal: File Deletion

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Loads dropped DLL

Checks installed software on the system

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Script User-Agent

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-13 08:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-13 08:56
Reported 2024-11-13 08:59
Platform win7-20240729-en
Max time kernel 141s
Max time network 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A9B69.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-A9B69.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\is-A9B69.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\is-A9B69.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\is-A9B69.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob C:\Users\Admin\AppData\Local\Temp\is-A9B69.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2464 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe C:\Users\Admin\AppData\Local\Temp\is-A9B69.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp

Processes

C:\Users\Admin\AppData\Local\Temp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe

"C:\Users\Admin\AppData\Local\Temp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe"

C:\Users\Admin\AppData\Local\Temp\is-A9B69.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp

"C:\Users\Admin\AppData\Local\Temp\is-A9B69.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp" /SL5="$301C6,85193986,942592,C:\Users\Admin\AppData\Local\Temp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 track.lilithgame.com udp
US 8.8.8.8:53 callbacks.lilithgame.com udp
US 34.120.214.113:443 track.lilithgame.com tcp
GB 163.181.154.241:443 callbacks.lilithgame.com tcp

Files

\Users\Admin\AppData\Local\Temp\is-A9B69.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp
\Users\Admin\AppData\Local\Temp\is-O6513.tmp\botva2.dll
C:\Users\Admin\AppData\Local\Temp\is-O6513.tmp\img_btn_close.png
\Users\Admin\AppData\Local\Temp\is-O6513.tmp\innocallback.dll
C:\Users\Admin\AppData\Local\Temp\is-O6513.tmp\img_btn_minimize.png
C:\Users\Admin\AppData\Local\Temp\is-O6513.tmp\img_btn_install.png
C:\Users\Admin\AppData\Local\Temp\is-O6513.tmp\img_checkbox_license.png
C:\Users\Admin\AppData\Local\Temp\is-O6513.tmp\img_btn_custom_down.png
C:\Users\Admin\AppData\Local\Temp\is-O6513.tmp\img_btn_custom_up.png
C:\Users\Admin\AppData\Local\Temp\is-O6513.tmp\img_btn_browse.png
C:\Users\Admin\AppData\Local\Temp\is-O6513.tmp\img_bg_progressbar.png
C:\Users\Admin\AppData\Local\Temp\is-O6513.tmp\img_confirm_green.png
C:\Users\Admin\AppData\Local\Temp\is-O6513.tmp\img_bg_msgbox.png
C:\Users\Admin\AppData\Local\Temp\is-O6513.tmp\img_btn_ok.png
C:\Users\Admin\AppData\Local\Temp\is-O6513.tmp\img_btn_cancel.png
\Users\Admin\AppData\Local\Temp\is-O6513.tmp\Utils.dll
C:\Users\Admin\AppData\Local\Temp\is-O6513.tmp\img_bg_welcome_normal.png

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-13 08:56
Reported 2024-11-13 09:03
Platform win10v2004-20241007-en
Max time kernel 390s
Max time network 401s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe"

Signatures

Downloads MZ/PE file

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Rise of Kingdoms\launcher_temp.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\map_editor_particle.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\prefabs_ui_template_gvg.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\ui_texture_newspaper_1032.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\lc_raid.dat C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\launcher_temp.exe C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\DownLoadContentServer.ls.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\img_ShareFB.png.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\ui_texture_im_1076.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\locales\zh-CN.pak.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\prefabs_ui_panel_pcend.lb C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\v8_context_snapshot.bin.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\herovideo\herovideo_66.mp4.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\share_hero.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\level0.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\usd\usd\resources.meta C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\embedded_Helper_calssfunc.ls.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\ui_texture_formation_1075.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\ui_texture_iap_1077.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\ZFBrowser\locales\he.pak.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\usd\usdGeom\resources\plugInfo.json C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\OFList.ls.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\particle_hero_skill_1.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\x86_64\VuplexWebViewChromium\snapshot_blob.bin.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\ZFBrowser\locales\am.pak C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\ZFBrowser\locales\id.pak.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\x86_64\VuplexWebViewChromium\locales\hu.pak C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\x86_64\VuplexWebViewChromium\locales\lv.pak C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\particle_5v5.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\lc_raid.dat.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\ZFBrowser\locales\zh-CN.pak.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\ui_texture_pc_1082.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\ZFBrowser\locales\tr.pak C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\map_landform_lod5_lostland_map_19.lb C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\x86_64\VuplexWebViewChromium\locales\ro.pak.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\embedded_Helper_calssfunc.ls C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\emoji_1075.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\prefabs_ui_panel_deprecated.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\img_btnBG.png.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\lc_kingdomwar.dat.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\prefabs_ui_panel_item.lb C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\prefabs_ui_panel_formation.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\cef\locales\is-CG4RO.tmp C:\Users\Admin\AppData\Local\Temp\is-0KQ5O.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\map_landform_items_combined_prefab.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\embedded_LuaObject_init_indexfun.ls C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\map_uv_mtl.lb C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\map_uv_mtl.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\vk_swiftshader.dll.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\img_btnBG_grey.png C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\ZFBrowser\locales\vi.pak.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\usd\usdGeom\resources\usdGeom.meta.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\x86_64\Ez.dll.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\city_building_decoration_1.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\ZFBrowser\locales\ta.pak.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\usd\ar\resources\plugInfo.json.meta.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\usd\usdGeom\resources\usdGeom.meta.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\lc_battlepass.dat.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\ZFBrowser\ThirdPartyNotices.txt.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\usd\usdHydra\resources.meta.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\usd\usdUI\resources\generatedSchema.usda.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\ui_texture_battlepass_1080.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\ui_texture_imperialexamination_1078.lb.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File opened for modification C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\locales\hu.pak.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Program Files (x86)\Rise of Kingdoms\cef\is-22DMM.tmp C:\Users\Admin\AppData\Local\Temp\is-0KQ5O.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp N/A
File created C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\Plugins\ZFBrowser\locales\gu.pak.cfg C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\LomaN.ttf C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Windows\Fonts\LomaB.ttf C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Windows\Fonts\SourceHanSansCNRegular.ttf C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
File created C:\Windows\Fonts\SourceHanSansCNBold.ttf C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-0KQ5O.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\is-0KQ5O.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Rise of Kingdoms\launcher.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\is-0KQ5O.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Rise of Kingdoms\launcher_temp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 552 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe C:\Users\Admin\AppData\Local\Temp\is-0KQ5O.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp
PID 552 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe C:\Users\Admin\AppData\Local\Temp\is-0KQ5O.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp
PID 552 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe C:\Users\Admin\AppData\Local\Temp\is-0KQ5O.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp
PID 3144 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\is-0KQ5O.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp C:\Program Files (x86)\Rise of Kingdoms\launcher.exe
PID 3144 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\is-0KQ5O.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp C:\Program Files (x86)\Rise of Kingdoms\launcher.exe
PID 1776 wrote to memory of 2664 N/A C:\Program Files (x86)\Rise of Kingdoms\launcher.exe C:\Program Files (x86)\Rise of Kingdoms\cef\cef_helper.exe
PID 1776 wrote to memory of 2664 N/A C:\Program Files (x86)\Rise of Kingdoms\launcher.exe C:\Program Files (x86)\Rise of Kingdoms\cef\cef_helper.exe
PID 1776 wrote to memory of 4460 N/A C:\Program Files (x86)\Rise of Kingdoms\launcher.exe C:\Program Files (x86)\Rise of Kingdoms\cef\cef_helper.exe
PID 1776 wrote to memory of 4460 N/A C:\Program Files (x86)\Rise of Kingdoms\launcher.exe C:\Program Files (x86)\Rise of Kingdoms\cef\cef_helper.exe
PID 1776 wrote to memory of 4272 N/A C:\Program Files (x86)\Rise of Kingdoms\launcher.exe C:\Program Files (x86)\Rise of Kingdoms\launcher_temp.exe
PID 1776 wrote to memory of 4272 N/A C:\Program Files (x86)\Rise of Kingdoms\launcher.exe C:\Program Files (x86)\Rise of Kingdoms\launcher_temp.exe
PID 4272 wrote to memory of 3652 N/A C:\Program Files (x86)\Rise of Kingdoms\launcher_temp.exe C:\Program Files (x86)\Rise of Kingdoms\launcher.exe
PID 4272 wrote to memory of 2568 N/A C:\Program Files (x86)\Rise of Kingdoms\launcher_temp.exe C:\Windows\System32\cmd.exe
PID 3652 wrote to memory of 3256 N/A C:\Program Files (x86)\Rise of Kingdoms\launcher.exe C:\Program Files (x86)\Rise of Kingdoms\cef\cef_helper.exe
PID 3652 wrote to memory of 552 N/A C:\Program Files (x86)\Rise of Kingdoms\launcher.exe C:\Program Files (x86)\Rise of Kingdoms\cef\cef_helper.exe
PID 3652 wrote to memory of 2956 N/A C:\Program Files (x86)\Rise of Kingdoms\launcher.exe C:\Program Files (x86)\Rise of Kingdoms\cef\cef_helper.exe

Processes

C:\Users\Admin\AppData\Local\Temp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe

"C:\Users\Admin\AppData\Local\Temp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe"

C:\Users\Admin\AppData\Local\Temp\is-0KQ5O.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp

"C:\Users\Admin\AppData\Local\Temp\is-0KQ5O.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp" /SL5="$90058,85193986,942592,C:\Users\Admin\AppData\Local\Temp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).exe"

C:\Program Files (x86)\Rise of Kingdoms\launcher.exe

"C:\Program Files (x86)\Rise of Kingdoms\launcher.exe"

C:\Program Files (x86)\Rise of Kingdoms\cef\cef_helper.exe

".\cef\cef_helper.exe" --type=renderer --disable-gpu-compositing --no-sandbox --enable-begin-frame-scheduling --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\Rise of Kingdoms\cef_temp\cef.log" --ppapi-flash-path="PepperFlash\pepflashplayer.dll" --ppapi-flash-version=20.0.0.228 --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="1776.0.2112797869\1626400004" /prefetch:1

C:\Program Files (x86)\Rise of Kingdoms\cef\cef_helper.exe

".\cef\cef_helper.exe" --type=renderer --disable-gpu-compositing --no-sandbox --enable-begin-frame-scheduling --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\Rise of Kingdoms\cef_temp\cef.log" --ppapi-flash-path="PepperFlash\pepflashplayer.dll" --ppapi-flash-version=20.0.0.228 --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="1776.1.256228606\210170525" /prefetch:1

C:\Program Files (x86)\Rise of Kingdoms\launcher_temp.exe

.\launcher_temp.exe replace ".\update\launcher.exe" ".\launcher.exe" ".\launcher.exe"

C:\Program Files (x86)\Rise of Kingdoms\launcher.exe

.\launcher.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c del /q "C:\Program Files (x86)\Rise of Kingdoms\launcher_temp.exe"

C:\Program Files (x86)\Rise of Kingdoms\cef\cef_helper.exe

".\cef\cef_helper.exe" --type=renderer --disable-gpu-compositing --no-sandbox --enable-begin-frame-scheduling --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\Rise of Kingdoms\cef_temp\cef.log" --ppapi-flash-path="PepperFlash\pepflashplayer.dll" --ppapi-flash-version=20.0.0.228 --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3652.0.1190632614\87094821" /prefetch:1

C:\Program Files (x86)\Rise of Kingdoms\cef\cef_helper.exe

".\cef\cef_helper.exe" --type=renderer --disable-gpu-compositing --no-sandbox --enable-begin-frame-scheduling --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\Rise of Kingdoms\cef_temp\cef.log" --ppapi-flash-path="PepperFlash\pepflashplayer.dll" --ppapi-flash-version=20.0.0.228 --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3652.1.498479474\1823338972" /prefetch:1

C:\Program Files (x86)\Rise of Kingdoms\cef\cef_helper.exe

".\cef\cef_helper.exe" --type=utility --channel="3652.2.1289156793\939315080" --lang=en-US --no-sandbox --no-sandbox --lang=en-US --log-file="C:\Program Files (x86)\Rise of Kingdoms\cef_temp\cef.log" /prefetch:8

Network


Files

C:\Users\Admin\AppData\Local\Temp\is-0KQ5O.tmp\rokpc_b77577af1ec44f5dbc5df3a6b38f3d24 (1).tmp

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\botva2.dll

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\img_btn_close.png

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\innocallback.dll

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\img_btn_minimize.png

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\img_btn_install.png

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\img_checkbox_license.png

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\img_btn_custom_down.png

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\img_btn_custom_up.png

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\img_btn_browse.png

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\img_bg_progressbar.png

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\img_confirm_green.png

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\img_bg_msgbox.png

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\img_btn_cancel.png

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\img_btn_ok.png

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\Utils.dll

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\img_bg_welcome_normal.png

C:\Users\Admin\AppData\Local\Temp\is-NSNAQ.tmp\img_bg_installing.png

C:\Program Files (x86)\Rise of Kingdoms\launcher.exe

C:\Program Files (x86)\Rise of Kingdoms\cef\devtools_resources.pak

C:\Program Files (x86)\Rise of Kingdoms\cef\cef_extensions.pak

C:\Program Files (x86)\Rise of Kingdoms\cef\cef_100_percent.pak

C:\Program Files (x86)\Rise of Kingdoms\cef\cef.pak

C:\Program Files (x86)\Rise of Kingdoms\cef\locales\en-US.pak

C:\Program Files (x86)\Rise of Kingdoms\cef\natives_blob.bin

C:\Program Files (x86)\Rise of Kingdoms\cef\snapshot_blob.bin

C:\Program Files (x86)\Rise of Kingdoms\cef\icudtl.dat

C:\Program Files (x86)\Rise of Kingdoms\save\gid.txt

C:\Program Files (x86)\Rise of Kingdoms\launcher_version_map.txt

C:\Program Files (x86)\Rise of Kingdoms\save\extra_config.txt

C:\Program Files (x86)\Rise of Kingdoms\cef\cef_helper.exe

C:\WINDOWS\FONTS\LOMAB.TTF

C:\WINDOWS\FONTS\LOMAN.TTF

C:\WINDOWS\FONTS\SOURCEHANSANSCNBOLD.TTF

C:\WINDOWS\FONTS\SOURCEHANSANSCNREGULAR.TTF

C:\Program Files (x86)\Rise of Kingdoms\tmp_launcher_version_map.txt

C:\Program Files (x86)\Rise of Kingdoms\update\launcher.exe

C:\Program Files (x86)\Rise of Kingdoms\cef_temp\CefLocalStorage\Visited Links

C:\Program Files (x86)\Rise of Kingdoms\save\Log.json

C:\Program Files (x86)\Rise of Kingdoms\save\EnvConfig.json

C:\Program Files (x86)\Rise of Kingdoms\cef_temp\CefLocalStorage\Cookies

C:\Program Files (x86)\Rise of Kingdoms\cef_temp\CefLocalStorage\data_3

C:\Program Files (x86)\Rise of Kingdoms\cef_temp\CefLocalStorage\data_2

C:\Program Files (x86)\Rise of Kingdoms\cef_temp\CefLocalStorage\data_1

C:\Program Files (x86)\Rise of Kingdoms\cef_temp\CefLocalStorage\data_0

C:\Program Files (x86)\Rise of Kingdoms\cef_temp\CefLocalStorage\index

C:\Program Files (x86)\Rise of Kingdoms\cef_temp\CefLocalStorage\f_000001

C:\Program Files (x86)\Rise of Kingdoms\cef_temp\CefLocalStorage\f_000002

C:\Program Files (x86)\Rise of Kingdoms\cef_temp\CefLocalStorage\f_000003

C:\Program Files (x86)\Rise of Kingdoms\update\MASS_Data\StreamingAssets\cursor\pc_cursor_3.cur
