Edit tour

Windows Analysis Report
NhWAWEhCi7.exe

Overview

General Information

Sample name:	NhWAWEhCi7.exe renamed because original name is a hash value
Original sample name:	1409b5a7ac2a6be45fa954730b058da4.exe
Analysis ID:	1465150
MD5:	1409b5a7ac2a6be45fa954730b058da4
SHA1:	00eab66887ff6ff4d6325d8a0e74adb624faf6de
SHA256:	1e7fb39c52ba502920d98374e0cdf8a2447c737bd0b88c06839e81be3a751688
Tags:	DofoilexeSmokeLoader
Infos:

Detection

LummaC, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected LummaC Stealer

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Query firmware table information (likely to detect VMs)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Too many similar processes found

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

NhWAWEhCi7.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\NhWAWEhCi7.exe" MD5: 1409B5A7AC2A6BE45FA954730B058DA4)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

9FC5.exe (PID: 7716 cmdline: C:\Users\user\AppData\Local\Temp\9FC5.exe MD5: BD2EAC64CBDED877608468D86786594A)

D57C.exe (PID: 7824 cmdline: C:\Users\user\AppData\Local\Temp\D57C.exe MD5: 60172CA946DE57C3529E9F05CC502870)

setup.exe (PID: 6848 cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe" MD5: FF2293FBFF53F4BD2BFF91780FABFD60)

GamePall.exe (PID: 3524 cmdline: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 6576 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3176 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2 MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 6552 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 7124 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3784 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 6304 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719821616869761 --launch-time-ticks=6013536112 --mojo-platform-channel-handle=4012 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 1436 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719821616869761 --launch-time-ticks=6013552940 --mojo-platform-channel-handle=4092 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 3468 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 7488 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 5264 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 6472 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 6924 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 7452 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 3584 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 6744 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 6968 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 7448 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 6092 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 732 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 3120 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 4940 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 4584 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 3844 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 3872 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 7800 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 6780 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 7004 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 7428 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 5768 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 2112 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 3192 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

bbehcjh (PID: 7648 cmdline: C:\Users\user\AppData\Roaming\bbehcjh MD5: 1409B5A7AC2A6BE45FA954730B058DA4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: LummaC

{"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1751429960.0000000002EED000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x76bd:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1751297213.0000000002E80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1751297213.0000000002E80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000006.00000003.2185744877.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1751333765.0000000002EA1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1751333765.0000000002EA1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.1990395663.0000000002C50000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1751277503.0000000002E70000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.1990497088.0000000002C7C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x75e5:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.1990748003.0000000004851000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.1990748003.0000000004851000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.1990664978.0000000004820000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.1990664978.0000000004820000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Process Memory Space: 9FC5.exe PID: 7716	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 9FC5.exe PID: 7716	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 9FC5.exe PID: 7716	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\setup.exe, ProcessId: 6848, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GamePall

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\bbehcjh, CommandLine: C:\Users\user\AppData\Roaming\bbehcjh, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\bbehcjh, NewProcessName: C:\Users\user\AppData\Roaming\bbehcjh, OriginalFileName: C:\Users\user\AppData\Roaming\bbehcjh, ParentCommandLine: , ParentImage: , ParentProcessId: 6092, ProcessCommandLine: C:\Users\user\AppData\Roaming\bbehcjh, ProcessId: 7648, ProcessName: bbehcjh

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Avira: detection malicious, Label: HEUR/AGEN.1313486

Found malware configuration

Source: 00000000.00000002.1751297213.0000000002E80000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 9FC5.exe.7716.6.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Virustotal: Detection: 22%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Virustotal: Detection: 9%	Perma Link
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe	Virustotal: Detection: 11%	Perma Link
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: NhWAWEhCi7.exe	ReversingLabs: Detection: 60%
Source: NhWAWEhCi7.exe	Virustotal: Detection: 54%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\bbehcjh	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: NhWAWEhCi7.exe

Joe Sandbox ML: detected

Source: NhWAWEhCi7.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall

Jump to behavior

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.9.dr
Source:	Binary string: libEGL.dll.pdb source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, GamePall.exe, 0000000A.00000002.3684752300.0000000005492000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000A.00000000.3346816401.0000000000662000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 0000000A.00000002.3684752300.0000000005492000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000013.00000002.3452823572.00000000058D2000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.9.dr
Source:	Binary string: *?\|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exemePalll source: setup.exe, 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, GamePall.exe, 00000013.00000002.3452823572.00000000058D2000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: libGLESv2.dll.pdb source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Xilium.CefGlue.pdb source: setup.exe, 00000009.00000002.3699086697.00000000006B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 00000009.00000002.3699086697.00000000006B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\libGLESv2.dll.pdb source: libGLESv2.dll0.9.dr

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Directory queried: number of queries: 1694

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 9_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	9_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 9_2_004066FF FindFirstFileA,FindClose,	9_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 9_2_004027AA FindFirstFileA,	9_2_004027AA

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 127.0.0.127 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 141.8.192.6 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 189.61.54.32 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: pedestriankodwu.xyz
Source: Malware configuration extractor	URLs: towerxxuytwi.xyz
Source: Malware configuration extractor	URLs: ellaboratepwsz.xyz
Source: Malware configuration extractor	URLs: penetratedpoopp.xyz
Source: Malware configuration extractor	URLs: swellfrrgwwos.xyz
Source: Malware configuration extractor	URLs: contintnetksows.shop
Source: Malware configuration extractor	URLs: foodypannyjsud.shop
Source: Malware configuration extractor	URLs: potterryisiw.shop
Source: Malware configuration extractor	URLs: potterryisiw.shop
Source: Malware configuration extractor	URLs: http://evilos.cc/tmp/index.php
Source: Malware configuration extractor	URLs: http://gebeus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://office-techs.biz/tmp/index.php
Source: Malware configuration extractor	URLs: http://cx5519.com/tmp/index.php

Source: Joe Sandbox View	IP Address: 139.45.197.238 139.45.197.238
Source: Joe Sandbox View	IP Address: 139.45.197.238 139.45.197.238
Source: Joe Sandbox View	IP Address: 1.1.1.1 1.1.1.1

Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/1085
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/1423136
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/1423136dumpTranslatedShadersWrite
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/1452
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/1452expandIntegerPowExpressionsThe
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/1512
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/1637
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/1936
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/2046
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/2152
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/2152skipVSConstantRegisterZeroIn
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/2162
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/2273
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/2517
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/2894
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/2970
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/2978
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3027
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3078
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3205
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3206
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3246
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3246allowClearForRobustResourceInitSome
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3452
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3498
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3502
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3577
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3584
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3586
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3623
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3624
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3625
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3682
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3682allowES3OnFL100Allow
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3729
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3832
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3862
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3965
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3970
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/3997
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/4214
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/4267
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/4324
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/4384
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/4405
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/4428
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/4551
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/4633
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/4646
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/4722
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/482
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/4836
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/4901
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/4937
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5007
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5007disableDrawBuffersIndexedDisable
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5055
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5061
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5281
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5371
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5375
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5421
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5430
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5469
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5535
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5577
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5658
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5658forceGlErrorCheckingForce
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5750
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5750forceRobustResourceInitForce-enable
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5881
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5901
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/5906
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/6041
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/6041forceInitShaderVariablesForce-enable
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/6048
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/6141
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/6248
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/6439
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/6651
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/6692
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/6755
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/6860
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/6876
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/6878
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/6929
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/6953
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7036
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7036dumpShaderSourceWrite
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7047
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7172
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7279
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7279cacheCompiledShaderEnable
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7370
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7406
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7488
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7527
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7553
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7556
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7724
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7724disableAnisotropicFilteringDisable
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7760
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7760enableShaderSubstitutionCheck
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7761
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/7761disableProgramCachingDisables
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/8162
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/8172
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/8215
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/8229
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/8280
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/8280enableTranslatedShaderSubstitutionCheck
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/8291
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://anglebug.com/8297
Source: GamePall.exe, 0000001D.00000002.3789631427.0000000003147000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: GamePall.exe, 00000016.00000002.3863102483.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/activity.0
Source: GamePall.exe, 0000001B.00000002.3940827175.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/activity.0H
Source: GamePall.exe, 0000001D.00000002.3789631427.0000000003147000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: GamePall.exe, 0000001D.00000002.3789631427.0000000003147000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bageyou.xyz
Source: GamePall.exe, 0000000A.00000002.3555995225.00000000029D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bageyou.xyz/c/g
Source: GamePall.exe, 0000000A.00000002.3555995225.00000000029D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bageyou.xyz/c/g4
Source: 9FC5.exe, 00000006.00000003.2154490258.0000000003911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 9FC5.exe, 00000006.00000003.2154490258.0000000003911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000001.00000000.1737455091.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1735578881.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/1094869
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/110263
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/1144207
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/1171371
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/1181068
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/1181193
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/1420130
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/1434317
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/1456243
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/308366
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/403957
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/550292
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/565179
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/642227
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/642605
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/644669
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/650547
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/672380
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/709351
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/797243
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/809422
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/830046
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/883276
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/927470
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/941620
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://crbug.com/941620allowTranslateUniformBlockToStructuredBufferThere
Source: 9FC5.exe, 00000006.00000003.2154490258.0000000003911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 9FC5.exe, 00000006.00000003.2154490258.0000000003911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 9FC5.exe, 00000006.00000003.2154490258.0000000003911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000001.00000000.1737455091.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1735578881.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 9FC5.exe, 00000006.00000003.2154490258.0000000003911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: explorer.exe, 00000001.00000000.1737455091.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1735578881.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 9FC5.exe, 00000006.00000003.2154490258.0000000003911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: libGLESv2.dll0.9.dr	String found in binary or memory: http://issuetracker.google.com/200067929
Source: GamePall.exe	String found in binary or memory: http://logging.apache.org/log4ne
Source: GamePall.exe, 00000013.00000002.3452823572.00000000058D2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: setup.exe, setup.exe, 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, setup.exe, 00000009.00000003.3348136916.0000000000716000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000009.00000000.3053813392.000000000040A000.00000008.00000001.01000000.0000000C.sdmp, Uninstall.exe.9.dr, D57C.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: D57C.exe, 00000007.00000000.2209378492.000000000040A000.00000008.00000001.01000000.00000008.sdmp, setup.exe, 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, setup.exe, 00000009.00000003.3348136916.0000000000716000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000009.00000000.3053813392.000000000040A000.00000008.00000001.01000000.0000000C.sdmp, Uninstall.exe.9.dr, D57C.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000001.00000000.1737455091.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1735578881.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2154490258.0000000003911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1735578881.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 9FC5.exe, 00000006.00000003.2154490258.0000000003911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: explorer.exe, 00000001.00000000.1735578881.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000001.00000000.1735578881.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000001.00000000.1738326788.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1736472376.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1736965256.0000000008720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: GamePall.exe, 0000000A.00000002.3555995225.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GamePall.exe, GamePall.exe, 00000013.00000002.3452823572.00000000058D2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.apache.org/).
Source: GamePall.exe, GamePall.exe, 00000013.00000002.3452823572.00000000058D2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: GamePall.exe	String found in binary or memory: http://www.apache.org/licenses/LICEN
Source: GamePall.exe, 00000013.00000002.3452823572.00000000058D2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: GamePall.exe, 0000000E.00000002.3897914441.0000000006261000.00000002.00000001.00040000.00000021.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: 9FC5.exe, 00000006.00000003.2154490258.0000000003911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 9FC5.exe, 00000006.00000003.2154490258.0000000003911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: D57C.exe, 00000007.00000003.2212201510.0000000003090000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xiexie.wf/22_551/huge.dat
Source: 9FC5.exe, 00000006.00000003.2128003261.0000000003928000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127898971.000000000392A000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2128226065.0000000003928000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000001.00000000.1742888423.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1735578881.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1735578881.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/4674
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/4830
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/4849
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/4966
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/5140
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/5536
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/5845
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/6574
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7161
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7162
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7246
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7246enableCaptureLimitsSet
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7308
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7319
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7320
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7369
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7382
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7405
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7489
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7604
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7714
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7847
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/7899
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/8308
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/8315
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://anglebug.com/8319
Source: explorer.exe, 00000001.00000000.1737455091.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1737455091.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1734699317.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1734040387.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1737455091.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1737455091.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1737455091.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: 9FC5.exe, 00000006.00000003.2155866235.0000000001247000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: 9FC5.exe, 00000006.00000003.2155866235.0000000001247000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: 9FC5.exe, 00000006.00000003.2128003261.0000000003928000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127898971.000000000392A000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2128226065.0000000003928000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1735578881.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1735578881.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: 9FC5.exe, 00000006.00000003.2128003261.0000000003928000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127898971.000000000392A000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2128226065.0000000003928000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 9FC5.exe, 00000006.00000003.2128003261.0000000003928000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127898971.000000000392A000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2128226065.0000000003928000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: ar.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=ar&category=theme81https://myactivity.google.com/myactivity/?u
Source: ar.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=arCtrl$1
Source: bg.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=bg&category=theme81https://myactivity.google.com/myactivity/?u
Source: bg.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=bgCtrl$1
Source: ca.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=ca&category=theme81https://myactivity.google.com/myactivity/?u
Source: ca.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=caCtrl$1
Source: GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: ja.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=ja&category=theme81https://myactivity.google.com/myactivity/?u
Source: ja.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=jaCtrl$1
Source: lv.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=lv&category=theme81https://myactivity.google.com/myactivity/?u
Source: lv.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=lvCtrl$1
Source: te.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=te&category=theme81https://myactivity.google.com/myactivity/?u
Source: te.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=teCtrl$1
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, tr.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
Source: tr.pak.9.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=trCtrl$1
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://chromium.googlesource.com/angle/angle/
Source: 9FC5.exe, 00000006.00000003.2155866235.0000000001247000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: 9FC5.exe, 00000006.00000003.2155866235.0000000001247000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/1042393
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/1046462
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/1060012
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/1091824
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/1137851
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/1300575
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/1356053
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/593024
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/593024selectViewInGeometryShaderThe
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/650547
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/650547callClearTwiceUsing
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/655534
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/655534useSystemMemoryForConstantBuffersCopying
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/705865
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/710443
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/811661
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://crbug.com/848952
Source: 9FC5.exe, 00000006.00000003.2128003261.0000000003928000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127898971.000000000392A000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2128226065.0000000003928000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 9FC5.exe, 00000006.00000003.2128003261.0000000003928000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127898971.000000000392A000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2128226065.0000000003928000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 9FC5.exe, 00000006.00000003.2128003261.0000000003928000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127898971.000000000392A000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2128226065.0000000003928000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000001.00000000.1742888423.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: 9FC5.exe, 00000006.00000002.2229430748.0000000001232000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2186173434.0000000001231000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127132469.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/
Source: 9FC5.exe, 00000006.00000003.2126935511.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127132469.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/#
Source: 9FC5.exe, 00000006.00000003.2169023447.00000000038E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/)
Source: 9FC5.exe, 00000006.00000003.2227498984.000000000122A000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227718724.0000000001230000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2206702267.000000000122F000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2201140092.0000000001232000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000002.2229430748.0000000001232000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/F9
Source: 9FC5.exe, 00000006.00000003.2186173434.0000000001231000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127132469.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/api
Source: 9FC5.exe, 00000006.00000002.2229611339.0000000001235000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227498984.000000000122A000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227915980.0000000001234000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227718724.0000000001230000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/api)
Source: 9FC5.exe, 00000006.00000003.2185744877.000000000122F000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2185906229.0000000001230000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2186173434.0000000001231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/apiD
Source: 9FC5.exe, 00000006.00000003.2185744877.000000000122F000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2185906229.0000000001230000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2186173434.0000000001231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/apib
Source: 9FC5.exe, 00000006.00000003.2201140092.0000000001232000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/apim
Source: 9FC5.exe, 00000006.00000003.2227498984.000000000122A000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227718724.0000000001230000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2206702267.000000000122F000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2201140092.0000000001232000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000002.2229430748.0000000001232000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/bu
Source: 9FC5.exe, 00000006.00000002.2229430748.0000000001232000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/pi
Source: 9FC5.exe, 00000006.00000003.2126935511.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127132469.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/pii
Source: 9FC5.exe, 00000006.00000003.2185744877.000000000122F000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2185906229.0000000001230000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2186173434.0000000001231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/s
Source: 9FC5.exe, 00000006.00000003.2126935511.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/v
Source: 9FC5.exe, 00000006.00000003.2185744877.000000000122F000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2185906229.0000000001230000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2186173434.0000000001231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/w5
Source: 9FC5.exe, 00000006.00000002.2229430748.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2199759534.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227498984.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2185744877.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2201140092.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2206702267.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop:443/api
Source: 9FC5.exe, 00000006.00000002.2229430748.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227498984.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2206702267.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop:443/api;Y
Source: 9FC5.exe, 00000006.00000002.2229430748.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2199759534.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227498984.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2185744877.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2201140092.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2206702267.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop:443/apiuY
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1735578881.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: 9FC5.exe, 00000006.00000003.2155866235.0000000001247000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://issuetracker.google.com/161903006
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://issuetracker.google.com/166809097
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://issuetracker.google.com/184850002
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://issuetracker.google.com/187425444
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://issuetracker.google.com/220069903
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://issuetracker.google.com/220069903emulatePixelLocalStorageEmulate
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://issuetracker.google.com/229267970
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://issuetracker.google.com/250706693
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://issuetracker.google.com/253522366
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://issuetracker.google.com/255411748
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://issuetracker.google.com/258207403
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://issuetracker.google.com/274859104
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://issuetracker.google.com/284462263
Source: libGLESv2.dll0.9.dr	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	String found in binary or memory: https://myactivity.google.com/
Source: explorer.exe, 00000001.00000000.1742888423.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, bg.pak.9.dr, ar.pak.9.dr	String found in binary or memory: https://passwords.google.com
Source: ca.pak.9.dr	String found in binary or memory: https://passwords.google.comCompte
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr	String found in binary or memory: https://passwords.google.comGoogle
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comT
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	String found in binary or memory: https://policies.google.com/
Source: explorer.exe, 00000001.00000000.1742888423.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: GamePall.exe, 0000000A.00000002.3555995225.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/4/4284489/?ymid=831224434781065217
Source: GamePall.exe, 0000000A.00000002.3555995225.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/4/4284489/?ymid=831224434781065217&var=4284488&price=
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: 9FC5.exe, 00000006.00000003.2127474613.000000000393F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: 9FC5.exe, 00000006.00000003.2155458700.0000000003A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 9FC5.exe, 00000006.00000003.2155458700.0000000003A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 9FC5.exe, 00000006.00000003.2127474613.000000000393D000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127629896.0000000003936000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 9FC5.exe, 00000006.00000003.2127629896.0000000003911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 9FC5.exe, 00000006.00000003.2127474613.000000000393D000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127629896.0000000003936000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 9FC5.exe, 00000006.00000003.2127629896.0000000003911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: GamePall.exe, 00000013.00000002.3421009126.0000000001337000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://svn.apache.org/repos/asf/logging/l
Source: GamePall.exe, GamePall.exe, 00000013.00000002.3452823572.00000000058D2000.00000002.00000001.01000000.00000010.sdmp, GamePall.exe, 00000013.00000002.3456616620.0000000005916000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1742888423.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1742888423.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: 9FC5.exe, 00000006.00000003.2155866235.0000000001247000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: 9FC5.exe, 00000006.00000003.2128003261.0000000003928000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127898971.000000000392A000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2128226065.0000000003928000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 9FC5.exe, 00000006.00000003.2155866235.0000000001247000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, te.pak.9.dr, ja.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: ca.pak.9.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&judaGestionat
Source: GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: lv.pak.9.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlP&al
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, tr.pak.9.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
Source: 9FC5.exe, 00000006.00000003.2128003261.0000000003928000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127898971.000000000392A000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2128226065.0000000003928000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 9FC5.exe, 00000006.00000003.2155458700.0000000003A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 9FC5.exe, 00000006.00000003.2155458700.0000000003A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 9FC5.exe, 00000006.00000003.2155458700.0000000003A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 9FC5.exe, 00000006.00000003.2155458700.0000000003A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 9FC5.exe, 00000006.00000003.2155458700.0000000003A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1735578881.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1735578881.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1751297213.0000000002E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1751333765.0000000002EA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1990748003.0000000004851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1990664978.0000000004820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Code function: 9_2_004055E7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

9_2_004055E7

Source: GamePall.exe

Process created: 58

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1751429960.0000000002EED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1751297213.0000000002E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1751333765.0000000002EA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.1990395663.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1751277503.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.1990497088.0000000002C7C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.1990748003.0000000004851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.1990664978.0000000004820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401538
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_00402FE9 RtlCreateUserThread,NtTerminateProcess,	0_2_00402FE9
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014DE
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401496
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401543
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401565
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401579
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040157C
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401538
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_00402FE9 RtlCreateUserThread,NtTerminateProcess,	5_2_00402FE9
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_004014DE
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401496
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401543
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401565
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401579
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_0040157C

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Code function: 9_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

9_2_004034CC

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 9_2_00406A88	9_2_00406A88
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_00EE4F58	10_2_00EE4F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_053E5F38	10_2_053E5F38
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_053E6808	10_2_053E6808
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_053E57F0	10_2_053E57F0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_053E7A38	10_2_053E7A38
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_053E7A28	10_2_053E7A28
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 12_2_02BB1049	12_2_02BB1049
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 13_2_02244F58	13_2_02244F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 13_2_02243860	13_2_02243860
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 14_2_012A4E20	14_2_012A4E20
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 14_2_012A1049	14_2_012A1049
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 16_2_01204F58	16_2_01204F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 16_2_01203860	16_2_01203860
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 16_2_01201049	16_2_01201049
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 18_2_031E4F58	18_2_031E4F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 18_2_031E3860	18_2_031E3860
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 18_2_031E1049	18_2_031E1049
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 19_2_017B0EE4	19_2_017B0EE4
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 22_2_01124F58	22_2_01124F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 22_2_01123860	22_2_01123860
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 29_2_01624F58	29_2_01624F58

Source: NhWAWEhCi7.exe, 00000000.00000002.1751145360.0000000002BE4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesAtlassing0 vs NhWAWEhCi7.exe
Source: NhWAWEhCi7.exe	Binary or memory string: OriginalFilenamesAtlassing0 vs NhWAWEhCi7.exe

Source: NhWAWEhCi7.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1751429960.0000000002EED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1751297213.0000000002E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1751333765.0000000002EA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1990395663.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1751277503.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.1990497088.0000000002C7C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.1990748003.0000000004851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1990664978.0000000004820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: NhWAWEhCi7.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bbehcjh.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ionic.Zip.dll.9.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.9.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.9.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: GamePall.exe.9.dr, Program.cs

Base64 encoded string: 'pizR9uKkcZIkMW+F1cRjYV0LMt6eYXmLuiNCndESDPkTO3eY1Mjv7Hs2Qvo+t26G', 'ZTDMzZVpdA1FSa2RiY6ZCl2QGyLDtQ3OBRa/N40wO2xxcvcDsATtLRGwKtaEB36dqPJnDF8qXNs92JbMBlsOyg==', 'nYQvMVlU2Asj2rNkmi7xBNqGCkGzSnaP0raCPfB8A9hSwWFTIjPcsKgDrCVAEwSQ1lHf/WOhnKR59a5JjrkJVUOFvV43wO8MM1FKgjYuj7ZzvvuGve+okViUQx+oGN+llGnjS4Fm9o1MUn7p+qcPVIDZRcvMal1ARjQNk+bFvT5vC4J8slkhLZYtvBYmOybvSK90G7/f/U8GPBdM7WBmfFdHzzGxw6WFcHlkdySP8Nvmzff08RdOn8QOu8FlABEqqEjQ0W84v+/lU0lmhvzugpodd8fIp2kb2/twZPg9/Jsy5viOC65K8bs1ES63SA2d62f5cJYpFf1f0WBQbCBcSzfwiDlBCWVIW9vFXW1awyEMdm3q36+BViyETC5tnyHuoLRgf3bXoQAwqE0OIII5DROfW+LmqqHY82rVXHAqhVjdA2wZRWcSI1zxV7+qTfhmp9qbIQAWSuuXTzhbIvI3gjvtPCdz9uBv8rjyg1XZNxfdgYdtF+klyGgKdefnu5G2pgjfT3Kb/VbjgkFvLlqtWNr5K7iC080FVeHsZazMHUrrDtsmNdChtvnX8Zj77rIGVxi9RfvHhhIhBj+WSos+lJ2nuvQkUpqVEa1mrZSwPezG/uoh0qvs+BAHbNFNjv99WS6tgWIkvcQVCi2h3cfxTGQiZDetQZqB+N/mnvgC6WdrcRKGHBE4mp6bpgTY9+nt3lPiH6OZnlxC8rdHbuGtY6R/FgNFYkw49JWXYeZ1VV3KnjSrFMvDlkyMCAW1X9/1VoC+f73WVYMLwXafDKtGO2lfr9vwKms+8HoEgs7bj0aroIPdmLK/z/djAsFZO8Vp', 'T7BWwqrn4yISEECEAnARpwE8R+3lDHSc+RlcJT90an1SNsS27lGBQjOx4RmDHlrj7oJnnzx1IWXOkbTfLzBeCfU6UJhOIoQKhcWidAxAKIxvqZnoB6AujIU0F7dEj65vahyTdEvkIxzFaV2+akbl53KcDi5RPBOP16iXVi0WJdHV5AbSCI9WCEcSX/fUpmukBh4bjVF/T/P/B6TFVtNZintCOSO2Ha+2va2CJMOnJ020zYskwuvcH9d1rGD3Zf9RBC2obzrhRNK2LXTEIYnifs6L2UdqFhw5aANXILziQtzKvsTQKvc15hvHCCoeXJCyyK7/WgA/oRu7bdrTs2DwCQ==', 'ZY0WCEgzqiLEU8ZUVJwGTpbkuL9KoMwYVloBqJXjur8rfBZEXTysQNKRQ1H7/vn7o0wyHAux60SVy06r4v6So5WWxddei09LXvL6ZwK/tyY=', 's7iS2XfzyI+IBoARaZQlTINg1kEy7qT7EopaSHQzpqktZBtc7UiOYrPdv/6f4cNI', 'o2ZleBui4P9C2ZjnB98Vuesy1C+WucHiXjQJ8RANoX6TheGfnLYAWDsXRfSeNCDHWdkBP2RBrkWPBy/nuM2NFLMETMUsPFeG3JHWafvGKzaNEjYO3Up9m61SnaY5tINvLCYJ/TKITszJ9H1YSm2chnmQGLUzbz4pwvWvvKfH8m7z585W73/QZrtw3l/30vcZaVocgwemYusDJYsOTgeWc0okiDahD7qtJcBYZ0aOzxZZmHDMBYigkRVf8GTJ/xucA/i7EHBFpaWoLVZVcuGFMA==', 'T7BWwqrn4yISEECEAnARp+JyVgG3cZc2/9+3VbyOjc4PuRSCU7ZfXuXpIIH8uj2roUU+W7nSmXHqTuxLhe6DBfNVh8PFZrhNX/YhIexDxrk=', 'G4TxOgdwfNBdU+6bscw2hqt3kZYZMfoEuKZtmCxRLrF8xJCK1+L0ocd8eSQjty7d', 'PcG64iM3U1vDIVDm7HuwTSvKhuz45f/WPqYoWZvzLHcapbEfkynZkUjmDgg30eof', 'XGcq7Js3+2f2oGHGFzxJPiYsrodwK+bTw/0lKjiUd0tSWMHEjdVqzAclD1/nPksq3sGhVTN8oFeHMRE7wAt3mCLVCEXKF9JLnNeWw9vvCbs=', 'T7BWwqrn4yISEECEAnARp8UQ6kvfa8mDiwe39obQZ+Rxfj5bbo//kf+4mlTsZUEg0QM/4QBKb6sUDMsk9OTdYg==', 'T7BWwqrn4yISEECEAnARp/U1NCwfjpQ4K5UKuMbDqXSrjfU6Tf/pOCpHlHXtYnU5', 'Gg/rFkGmnFrfPAny9sQ3qerPGxlC7+cuu92x2tgXrCRkqABwTbbIR8+hJN0krbBD9OJX8s2JqeR+xICuD2u17N7KjlWCZwpg4+c7mG1xAahALfXXbu/EvJy+KsAzQlzR9bu8P4wbyuM6r6/7kdf+VQ==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLT3pudJg4gGhcEax3IHwBI0R5vZR7J9mjUQ8R9MdKz/Fw==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLTcCwJrbTmNGWmZutw1Di2FSZ+3JxFtC00BiemuQuq2+A=='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@308/113@0/7

Source: C:\Users\user\AppData\Local\Temp\setup.exe

9_2_004034CC

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Code function: 9_2_00404897 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

9_2_00404897

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe

Code function: 0_2_02EF46EB CreateToolhelp32Snapshot,Module32First,

0_2_02EF46EB

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Code function: 9_2_00402173 CoCreateInstance,MultiByteToWideChar,

9_2_00402173

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\bbehcjh

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\9FC5.tmp

Jump to behavior

Source: NhWAWEhCi7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: 9FC5.exe, 00000006.00000003.2128003261.00000000038FB000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: NhWAWEhCi7.exe	ReversingLabs: Detection: 60%
Source: NhWAWEhCi7.exe	Virustotal: Detection: 54%

Source: unknown	Process created: C:\Users\user\Desktop\NhWAWEhCi7.exe "C:\Users\user\Desktop\NhWAWEhCi7.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bbehcjh C:\Users\user\AppData\Roaming\bbehcjh
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9FC5.exe C:\Users\user\AppData\Local\Temp\9FC5.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\D57C.exe C:\Users\user\AppData\Local\Temp\D57C.exe
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3176 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3784 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719821616869761 --launch-time-ticks=6013536112 --mojo-platform-channel-handle=4012 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719821616869761 --launch-time-ticks=6013552940 --mojo-platform-channel-handle=4092 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9FC5.exe C:\Users\user\AppData\Local\Temp\9FC5.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\D57C.exe C:\Users\user\AppData\Local\Temp\D57C.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3176 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3784 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719821616869761 --launch-time-ticks=6013536112 --mojo-platform-channel-handle=4012 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719821616869761 --launch-time-ticks=6013552940 --mojo-platform-channel-handle=4092 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbehcjh	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbehcjh	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbehcjh	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: chrome_elf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mdmregistration.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mdmregistration.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: omadmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iri.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall

Jump to behavior

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: NhWAWEhCi7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.9.dr
Source:	Binary string: libEGL.dll.pdb source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, GamePall.exe, 0000000A.00000002.3684752300.0000000005492000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000A.00000000.3346816401.0000000000662000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 0000000A.00000002.3684752300.0000000005492000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000013.00000002.3452823572.00000000058D2000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.9.dr
Source:	Binary string: *?\|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exemePalll source: setup.exe, 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, GamePall.exe, 00000013.00000002.3452823572.00000000058D2000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: libGLESv2.dll.pdb source: setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Xilium.CefGlue.pdb source: setup.exe, 00000009.00000002.3699086697.00000000006B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 00000009.00000002.3699086697.00000000006B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\libGLESv2.dll.pdb source: libGLESv2.dll0.9.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Unpacked PE file: 0.2.NhWAWEhCi7.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\bbehcjh	Unpacked PE file: 5.2.bbehcjh.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;

Source: Newtonsoft.Json.dll.9.dr

Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .vmpLp

Source: 9FC5.exe.1.dr	Static PE information: section name: .vmpLp
Source: 9FC5.exe.1.dr	Static PE information: section name: .vmpLp
Source: 9FC5.exe.1.dr	Static PE information: section name: .vmpLp
Source: libGLESv2.dll.9.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.9.dr	Static PE information: section name: .voltbl
Source: chrome_elf.dll.9.dr	Static PE information: section name: .00cfg
Source: chrome_elf.dll.9.dr	Static PE information: section name: .crthunk
Source: chrome_elf.dll.9.dr	Static PE information: section name: CPADinfo
Source: chrome_elf.dll.9.dr	Static PE information: section name: malloc_h
Source: libEGL.dll.9.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll0.9.dr	Static PE information: section name: .00cfg
Source: libcef.dll.9.dr	Static PE information: section name: .00cfg
Source: libcef.dll.9.dr	Static PE information: section name: .rodata
Source: libcef.dll.9.dr	Static PE information: section name: CPADinfo
Source: libcef.dll.9.dr	Static PE information: section name: malloc_h

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_00408616 push eax; retf 0000h	0_2_00408619
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_00401CD1 push ecx; ret	0_2_00401CD2
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_004084E6 push FFFFFFFBh; iretd	0_2_004084FC
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_00401C91 push 00000076h; iretd	0_2_00401C93
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_00402E96 push B92A2F4Ch; retf	0_2_00402E9B
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_02E72EFD push B92A2F4Ch; retf	0_2_02E72F02
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_02E71CF8 push 00000076h; iretd	0_2_02E71CFA
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_02E7867D push eax; retf 0000h	0_2_02E78680
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_02E7854D push FFFFFFFBh; iretd	0_2_02E78563
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_02E71D38 push ecx; ret	0_2_02E71D39
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_02EED7E4 push eax; retf	0_2_02EED7E5
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_02EFC1BB push FFFFFFFBh; iretd	0_2_02EFC1D1
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_02EFA13D push edx; ret	0_2_02EFA13E
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_00408616 push eax; retf 0000h	5_2_00408619
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_00401CD1 push ecx; ret	5_2_00401CD2
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_004084E6 push FFFFFFFBh; iretd	5_2_004084FC
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_00401C91 push 00000076h; iretd	5_2_00401C93
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_00402E96 push B92A2F4Ch; retf	5_2_00402E9B
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_02C52EFD push B92A2F4Ch; retf	5_2_02C52F02
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_02C51CF8 push 00000076h; iretd	5_2_02C51CFA
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_02C5867D push eax; retf 0000h	5_2_02C58680
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_02C5854D push FFFFFFFBh; iretd	5_2_02C58563
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_02C51D38 push ecx; ret	5_2_02C51D39
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_02C8B0E3 push FFFFFFFBh; iretd	5_2_02C8B0F9
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_02C89065 push edx; ret	5_2_02C89066
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_053EF45F push dword ptr [esp+ecx*2-75h]; ret	10_2_053EF463
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_0622B6C7 push eax; ret	10_2_0622B6D5
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_0622A7A1 push CA40068Eh; iretd	10_2_0622A7A6
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_06220FCB pushfd ; iretd	10_2_06220FDB
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_06226D91 push esi; ret	10_2_06226D9B
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_0622BA68 pushfd ; iretd	10_2_0622BB25

Source: NhWAWEhCi7.exe	Static PE information: section name: .text entropy: 7.742934136238854
Source: bbehcjh.1.dr	Static PE information: section name: .text entropy: 7.742934136238854
Source: Ionic.Zip.dll.9.dr	Static PE information: section name: .text entropy: 6.821349263259562

Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	File created: C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	File created: C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\nsProcess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsk862A.tmp\liteFirewall.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\9FC5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	File created: C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\blowfish.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\bbehcjh	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	File created: C:\Users\user\AppData\Local\Temp\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\D57C.exe	Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\bbehcjh

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\nhwawehci7.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\bbehcjh:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbehcjh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbehcjh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbehcjh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbehcjh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbehcjh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbehcjh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\9FC5.exe

System information queried: FirmwareTableInformation

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\bbehcjh	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\bbehcjh	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	API/Special instruction interceptor: Address: 826310
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	API/Special instruction interceptor: Address: C37E15
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	API/Special instruction interceptor: Address: C120B2
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	API/Special instruction interceptor: Address: 928181
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	API/Special instruction interceptor: Address: 874080
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	API/Special instruction interceptor: Address: 93F069
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	API/Special instruction interceptor: Address: 834E89
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	API/Special instruction interceptor: Address: 965B80

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 29D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1210000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2D40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2B00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2470000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2280000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 12A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 3000000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2E60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1590000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 3270000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 31A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 33D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 3210000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 17B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 32A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 11B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2C30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1120000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1160000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2B60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4B60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2B10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4CF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 13F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 3140000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 5140000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: D10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2B40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: D10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1620000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 30F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 16D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 7F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2600000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2430000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1350000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2C10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1310000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2F20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2D20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1700000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 3140000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: B50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2780000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 25F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 14A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2F70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4F70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1070000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2E90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2B90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1280000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2D90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 13E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2C20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4DE0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Thread delayed: delay time: 600000

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 481	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1092	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 958	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 361	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3592	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 864	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 884	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\blowfish.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D57C.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\nsProcess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk862A.tmp\liteFirewall.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll	Jump to dropped file

Source: C:\Windows\explorer.exe TID: 7368	Thread sleep time: -109200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7364	Thread sleep time: -95800s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7692	Thread sleep time: -30300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7688	Thread sleep time: -36100s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7368	Thread sleep time: -359200s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe TID: 7732	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe TID: 7736	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 5920	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 7652	Thread sleep count: 35 > 30

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 9_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	9_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 9_2_004066FF FindFirstFileA,FindClose,	9_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 9_2_004027AA FindFirstFileA,	9_2_004027AA

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Thread delayed: delay time: 600000

Jump to behavior

Source: explorer.exe, 00000001.00000000.1738123019.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: libGLESv2.dll0.9.dr	Binary or memory string: (IsLinux() && isVMWare) \|\| (IsAndroid() && isNvidia) \|\| (IsAndroid() && GetAndroidSdkLevel() < 27 && IsAdreno5xxOrOlder(functions)) \|\| (!isMesa && IsMaliT8xxOrOlder(functions)) \|\| (!isMesa && IsMaliG31OrOlder(functions))
Source: libGLESv2.dll0.9.dr	Binary or memory string: VMware
Source: explorer.exe, 00000001.00000000.1737455091.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1737455091.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1738123019.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1735578881.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000001.00000000.1734040387.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1735578881.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1738123019.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1735578881.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: libGLESv2.dll0.9.dr	Binary or memory string: IIAMDARMAppleBroadcomGoogleIntelMesaMicrosoftNVIDIAImagination TechnologiesQualcommSamsung Electronics Co., Ltd.VivanteVMwareVirtIOTest
Source: explorer.exe, 00000001.00000000.1737455091.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1737455091.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1737455091.000000000982D000.00000004.00000001.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000002.2229430748.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2199759534.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227498984.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2185744877.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2126935511.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227498984.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000002.2229403299.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2201140092.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2206702267.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 9FC5.exe, 00000006.00000002.2229430748.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2199759534.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227498984.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2185744877.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2126935511.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2201140092.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2206702267.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWq=
Source: explorer.exe, 00000001.00000000.1738123019.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: GamePall.exe, 0000000A.00000002.3553411563.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: explorer.exe, 00000001.00000000.1735578881.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1737455091.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1734040387.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: GamePall.exe, 0000000E.00000002.3517987027.00000000011E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000001.00000000.1734040387.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\setup.exe

API call chain: ExitProcess graph end node

graph_9-3649

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbehcjh	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbehcjh	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_02E70D90 mov eax, dword ptr fs:[00000030h]	0_2_02E70D90
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_02E7092B mov eax, dword ptr fs:[00000030h]	0_2_02E7092B
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Code function: 0_2_02EF3FC8 push dword ptr fs:[00000030h]	0_2_02EF3FC8
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_02C50D90 mov eax, dword ptr fs:[00000030h]	5_2_02C50D90
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_02C5092B mov eax, dword ptr fs:[00000030h]	5_2_02C5092B
Source: C:\Users\user\AppData\Roaming\bbehcjh	Code function: 5_2_02C82EF0 push dword ptr fs:[00000030h]	5_2_02C82EF0

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: bbehcjh.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 127.0.0.127 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 141.8.192.6 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 189.61.54.32 80	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Thread created: C:\Windows\explorer.exe EIP: 31719D0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbehcjh	Thread created: unknown EIP: 8C419D0			Jump to behavior

LummaC encrypted strings found

Source: 9FC5.exe, 00000006.00000002.2228307422.000000000040D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: pedestriankodwu.xyz
Source: 9FC5.exe, 00000006.00000002.2228307422.000000000040D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: towerxxuytwi.xyz
Source: 9FC5.exe, 00000006.00000002.2228307422.000000000040D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: ellaboratepwsz.xyz
Source: 9FC5.exe, 00000006.00000002.2228307422.000000000040D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: penetratedpoopp.xyz
Source: 9FC5.exe, 00000006.00000002.2228307422.000000000040D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: swellfrrgwwos.xyz
Source: 9FC5.exe, 00000006.00000002.2228307422.000000000040D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: contintnetksows.shop
Source: 9FC5.exe, 00000006.00000002.2228307422.000000000040D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: foodypannyjsud.shop
Source: 9FC5.exe, 00000006.00000002.2228307422.000000000040D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: potterryisiw.shop

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\NhWAWEhCi7.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbehcjh	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bbehcjh	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3176 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3784 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719821616869761 --launch-time-ticks=6013536112 --mojo-platform-channel-handle=4012 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719821616869761 --launch-time-ticks=6013552940 --mojo-platform-channel-handle=4092 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (macintosh; cpu os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.5.1 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3176 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (macintosh; cpu os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.5.1 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (macintosh; cpu os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.5.1 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3784 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (macintosh; cpu os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.5.1 mobile/15e148 safari/604.1" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719821616869761 --launch-time-ticks=6013536112 --mojo-platform-channel-handle=4012 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (macintosh; cpu os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.5.1 mobile/15e148 safari/604.1" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719821616869761 --launch-time-ticks=6013552940 --mojo-platform-channel-handle=4092 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (macintosh; cpu os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.5.1 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3176 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (macintosh; cpu os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.5.1 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (macintosh; cpu os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.5.1 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3784 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (macintosh; cpu os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.5.1 mobile/15e148 safari/604.1" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719821616869761 --launch-time-ticks=6013536112 --mojo-platform-channel-handle=4012 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (macintosh; cpu os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.5.1 mobile/15e148 safari/604.1" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719821616869761 --launch-time-ticks=6013552940 --mojo-platform-channel-handle=4092 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1	Jump to behavior

Source: explorer.exe, 00000001.00000000.1734345656.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1737455091.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1735394028.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1734345656.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1734040387.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1734345656.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1734345656.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\setup.exe

9_2_004034CC

Source: C:\Users\user\AppData\Local\Temp\9FC5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 9FC5.exe, 00000006.00000003.2199759534.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2199874721.0000000001270000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2206598925.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2199469445.000000000126F000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000002.2229640977.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2201140092.00000000011CD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\9FC5.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: 9FC5.exe PID: 7716, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1751297213.0000000002E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1751333765.0000000002EA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1990748003.0000000004851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1990664978.0000000004820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 9FC5.exe, 00000006.00000002.2229430748.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: 9FC5.exe, 00000006.00000002.2229611339.0000000001235000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s/ElectronCash
Source: 9FC5.exe, 00000006.00000002.2229430748.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 9FC5.exe, 00000006.00000003.2126892798.0000000001231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: { "en": "cjelfplplebdjjenllpjcblmjkfcffne", "ez": "Jaxx Liberty" },
Source: 9FC5.exe, 00000006.00000003.2126892798.0000000001231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "p": "%appdata%\\Exodus\\exodus.wallet",
Source: 9FC5.exe, 00000006.00000002.2229430748.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: 9FC5.exe, 00000006.00000002.2229430748.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: 9FC5.exe, 00000006.00000003.2185744877.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 9FC5.exe, 00000006.00000003.2186202154.00000000011B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FC5.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Directory queried: number of queries: 1694

Source: Yara match	File source: 00000006.00000003.2185744877.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9FC5.exe PID: 7716, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: 9FC5.exe PID: 7716, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1751297213.0000000002E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1751333765.0000000002EA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1990748003.0000000004851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1990664978.0000000004820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	22 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 Windows Service	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	LSASS Memory	115 System Information Discovery	Remote Desktop Protocol	31 Data from Local System	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Windows Service	21 Obfuscated Files or Information	Security Account Manager	531 Security Software Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	312 Process Injection	12 Software Packing	NTDS	241 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	3 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	241 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NhWAWEhCi7.exe	61%	ReversingLabs	Win32.Trojan.Operaloader
NhWAWEhCi7.exe	54%	Virustotal		Browse
NhWAWEhCi7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\D57C.exe	100%	Avira	HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Temp\setup.exe	100%	Avira	HEUR/AGEN.1359405
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	100%	Avira	HEUR/AGEN.1352426
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	100%	Avira	HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Temp\9FC5.exe	100%	Avira	HEUR/AGEN.1313486
C:\Users\user\AppData\Roaming\bbehcjh	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\GamePall\Del.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\9FC5.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	6%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	3%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\9FC5.exe	50%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\9FC5.exe	23%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\D57C.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\D57C.exe	9%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsk862A.tmp\liteFirewall.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsk862A.tmp\liteFirewall.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\INetC.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\INetC.dll	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\blowfish.dll	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\blowfish.dll	3%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\nsProcess.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\nsProcess.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\setup.exe	3%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\setup.exe	6%	Virustotal		Browse
C:\Users\user\AppData\Roaming\GamePall\Del.exe	7%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Del.exe	11%	Virustotal		Browse
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	3%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	11%	Virustotal		Browse
C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe	3%	Virustotal		Browse
C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll	1%	Virustotal		Browse
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll	0%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://cx5519.com/tmp/index.php	true
http://evilos.cc/tmp/index.php	true
ellaboratepwsz.xyz	true
swellfrrgwwos.xyz	true
foodypannyjsud.shop	true

URLs from Memory and Binaries

Name	Source	Malicious
https://anglebug.com/4674	libGLESv2.dll0.9.dr	false
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	false
https://www.google.com/chrome/privacy/eula_text.htmlA&judaGestionat	ca.pak.9.dr	false
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1735578881.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false
https://duckduckgo.com/chrome_newtab	9FC5.exe, 00000006.00000003.2128003261.0000000003928000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127898971.000000000392A000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2128226065.0000000003928000.00000004.00000800.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	9FC5.exe, 00000006.00000003.2128003261.0000000003928000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127898971.000000000392A000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2128226065.0000000003928000.00000004.00000800.00020000.00000000.sdmp	false
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
http://anglebug.com/8280enableTranslatedShaderSubstitutionCheck	libGLESv2.dll0.9.dr	false
http://api.install-stat.debug.world/clients/activity.0	GamePall.exe, 00000016.00000002.3863102483.0000000002901000.00000004.00000800.00020000.00000000.sdmp	false
https://support.google.com/chrome/answer/6098869	setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	false
https://www.google.com/chrome/privacy/eula_text.htmlP&al	lv.pak.9.dr	false
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1737455091.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false
http://anglebug.com/4633	libGLESv2.dll0.9.dr	false
https://anglebug.com/7382	libGLESv2.dll0.9.dr	false
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	9FC5.exe, 00000006.00000003.2155866235.0000000001247000.00000004.00000020.00020000.00000000.sdmp	false
https://issuetracker.google.com/284462263	libGLESv2.dll0.9.dr	false
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	GamePall.exe, 00000013.00000002.3452823572.00000000058D2000.00000002.00000001.01000000.00000010.sdmp	false
http://crbug.com/550292	libGLESv2.dll0.9.dr	false
https://chrome.google.com/webstore?hl=urCtrl$2	setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	false
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
http://crbug.com/883276	libGLESv2.dll0.9.dr	false
https://foodypannyjsud.shop/api)	9FC5.exe, 00000006.00000002.2229611339.0000000001235000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227498984.000000000122A000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227915980.0000000001234000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227718724.0000000001230000.00000004.00000020.00020000.00000000.sdmp	false
https://foodypannyjsud.shop/w5	9FC5.exe, 00000006.00000003.2185744877.000000000122F000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2185906229.0000000001230000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2186173434.0000000001231000.00000004.00000020.00020000.00000000.sdmp	false
https://crbug.com/1356053	libGLESv2.dll0.9.dr	false
https://photos.google.com/settings?referrer=CHROME_NTP	setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	false
https://anglebug.com/7714	libGLESv2.dll0.9.dr	false
https://anglebug.com/5536	libGLESv2.dll0.9.dr	false
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
https://foodypannyjsud.shop/pii	9FC5.exe, 00000006.00000003.2126935511.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127132469.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	false
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	false
https://crbug.com/705865	libGLESv2.dll0.9.dr	false
http://crbug.com/110263	libGLESv2.dll0.9.dr	false
http://anglebug.com/6248	libGLESv2.dll0.9.dr	false
https://foodypannyjsud.shop:443/apiuY	9FC5.exe, 00000006.00000002.2229430748.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2199759534.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227498984.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2185744877.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2201140092.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2206702267.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	false
http://anglebug.com/6929	libGLESv2.dll0.9.dr	false
http://anglebug.com/5281	libGLESv2.dll0.9.dr	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	GamePall.exe, 0000000A.00000002.3555995225.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp	false
http://bageyou.xyz	GamePall.exe, 0000001D.00000002.3789631427.0000000003147000.00000004.00000800.00020000.00000000.sdmp	false
http://logging.apache.org/log4ne	GamePall.exe	false
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	9FC5.exe, 00000006.00000003.2155866235.0000000001247000.00000004.00000020.00020000.00000000.sdmp	false
https://issuetracker.google.com/255411748	libGLESv2.dll0.9.dr	false
https://foodypannyjsud.shop/apim	9FC5.exe, 00000006.00000003.2201140092.0000000001232000.00000004.00000020.00020000.00000000.sdmp	false
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1742888423.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false
https://anglebug.com/7246	libGLESv2.dll0.9.dr	false
https://anglebug.com/7369	libGLESv2.dll0.9.dr	false
https://anglebug.com/7489	libGLESv2.dll0.9.dr	false
https://chrome.google.com/webstore?hl=arCtrl$1	ar.pak.9.dr	false
https://crbug.com/593024	libGLESv2.dll0.9.dr	false
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
https://crbug.com/1137851	libGLESv2.dll0.9.dr	false
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1735578881.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	9FC5.exe, 00000006.00000003.2128003261.0000000003928000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127898971.000000000392A000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2128226065.0000000003928000.00000004.00000800.00020000.00000000.sdmp	false
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	9FC5.exe, 00000006.00000003.2155866235.0000000001247000.00000004.00000020.00020000.00000000.sdmp	false
https://foodypannyjsud.shop/apib	9FC5.exe, 00000006.00000003.2185744877.000000000122F000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2185906229.0000000001230000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2186173434.0000000001231000.00000004.00000020.00020000.00000000.sdmp	false
http://ocsp.rootca1.amazontrust.com0:	9FC5.exe, 00000006.00000003.2154490258.0000000003911000.00000004.00000800.00020000.00000000.sdmp	false
https://issuetracker.google.com/161903006	libGLESv2.dll0.9.dr	false
https://www.google.com/chrome/privacy/eula_text.html&	setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	false
http://anglebug.com/2152skipVSConstantRegisterZeroIn	libGLESv2.dll0.9.dr	false
https://crbug.com/1300575	libGLESv2.dll0.9.dr	false
https://www.google.com/chrome/privacy/eula_text.htmlT&r	setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	9FC5.exe, 00000006.00000003.2128003261.0000000003928000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2127898971.000000000392A000.00000004.00000800.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2128226065.0000000003928000.00000004.00000800.00020000.00000000.sdmp	false
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
http://xiexie.wf/22_551/huge.dat	D57C.exe, 00000007.00000003.2212201510.0000000003090000.00000004.00001000.00020000.00000000.sdmp	false
https://crbug.com/710443	libGLESv2.dll0.9.dr	false
https://crbug.com/1042393	libGLESv2.dll0.9.dr	false
https://rouonixon.com/4/4284489/?ymid=831224434781065217&var=4284488&price=	GamePall.exe, 0000000A.00000002.3555995225.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp	false
https://crbug.com/1060012	libGLESv2.dll0.9.dr	false
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
http://anglebug.com/3078	libGLESv2.dll0.9.dr	false
http://anglebug.com/7553	libGLESv2.dll0.9.dr	false
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3790750255.0000000005A80000.00000002.00000001.00040000.0000001F.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	false
http://anglebug.com/5375	libGLESv2.dll0.9.dr	false
http://anglebug.com/3246allowClearForRobustResourceInitSome	libGLESv2.dll0.9.dr	false
http://nsis.sf.net/NSIS_Error	setup.exe, setup.exe, 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, setup.exe, 00000009.00000003.3348136916.0000000000716000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000009.00000000.3053813392.000000000040A000.00000008.00000001.01000000.0000000C.sdmp, Uninstall.exe.9.dr, D57C.exe.1.dr	false
https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, tr.pak.9.dr	false
http://anglebug.com/5371	libGLESv2.dll0.9.dr	false
https://chrome.google.com/webstore?hl=ukCtrl$1	setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp	false
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
http://anglebug.com/3997	libGLESv2.dll0.9.dr	false
http://anglebug.com/4722	libGLESv2.dll0.9.dr	false
http://crbug.com/642605	libGLESv2.dll0.9.dr	false
http://anglebug.com/1452	libGLESv2.dll0.9.dr	false
http://anglebug.com/7556	libGLESv2.dll0.9.dr	false
https://support.google.com/chrome/a/answer/9122284	setup.exe, 00000009.00000002.3699342770.0000000002734000.00000004.00000020.00020000.00000000.sdmp, te.pak.9.dr, lv.pak.9.dr, ja.pak.9.dr, tr.pak.9.dr, bg.pak.9.dr, ar.pak.9.dr, ca.pak.9.dr	false
https://foodypannyjsud.shop/F9	9FC5.exe, 00000006.00000003.2227498984.000000000122A000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2227718724.0000000001230000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2206702267.000000000122F000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2201140092.0000000001232000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000002.2229430748.0000000001232000.00000004.00000020.00020000.00000000.sdmp	false
https://outlook.com_	explorer.exe, 00000001.00000000.1742888423.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	9FC5.exe, 00000006.00000003.2127629896.0000000003911000.00000004.00000800.00020000.00000000.sdmp	false
https://chrome.google.com/webstore?hl=caCtrl$1	ca.pak.9.dr	false
https://foodypannyjsud.shop/apiD	9FC5.exe, 00000006.00000003.2185744877.000000000122F000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2185906229.0000000001230000.00000004.00000020.00020000.00000000.sdmp, 9FC5.exe, 00000006.00000003.2186173434.0000000001231000.00000004.00000020.00020000.00000000.sdmp	false
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1735578881.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false
https://crbug.com/650547callClearTwiceUsing	libGLESv2.dll0.9.dr	false
https://chrome.google.com/webstore?hl=teCtrl$1	te.pak.9.dr	false
https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1	GamePall.exe, GamePall.exe, 00000013.00000002.3452823572.00000000058D2000.00000002.00000001.01000000.00000010.sdmp, GamePall.exe, 00000013.00000002.3456616620.0000000005916000.00000002.00000001.01000000.00000010.sdmp	false
http://crbug.com/1420130	libGLESv2.dll0.9.dr	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
139.45.197.238	unknown	Netherlands	9002	RETN-ASEU	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	true
141.8.192.6	unknown	Russian Federation	35278	SPRINTHOSTRU	true
189.61.54.32	unknown	Brazil	28573	CLAROSABR	true
172.67.221.174	unknown	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.127

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465150
Start date and time:	2024-07-01 11:40:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 17m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	NhWAWEhCi7.exe renamed because original name is a hash value
Original Sample Name:	1409b5a7ac2a6be45fa954730b058da4.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@308/113@0/7
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 81% Number of executed functions: 466 Number of non-executed functions: 36
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Connection to analysis system has been lost, crash info: Unknown
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target 9FC5.exe, PID 7716 because there are no executed function
Execution Graph export aborted for target GamePall.exe, PID 2112 because it is empty
Execution Graph export aborted for target GamePall.exe, PID 3872 because it is empty
Execution Graph export aborted for target GamePall.exe, PID 5768 because it is empty
Execution Graph export aborted for target GamePall.exe, PID 6552 because it is empty
Execution Graph export aborted for target GamePall.exe, PID 6576 because it is empty
Execution Graph export aborted for target GamePall.exe, PID 7124 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
05:41:22	API Interceptor	308695x Sleep call for process: explorer.exe modified
05:41:42	API Interceptor	9x Sleep call for process: 9FC5.exe modified
05:43:49	API Interceptor	1x Sleep call for process: GamePall.exe modified
10:41:23	Task Scheduler	Run new task: Firefox Default Browser Agent DDEC01FD4DE6D3DB path: C:\Users\user\AppData\Roaming\bbehcjh
10:43:50	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
10:44:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
139.45.197.238	http://rndskittytor.com	Get hash	malicious	Unknown	Browse	rndskittytor.com/favicon.ico
	http://whairtoa.com:443	Get hash	malicious	Unknown	Browse	whairtoa.com:443/
	http://deloplen.com/apu.php?zoneid=695986	Get hash	malicious	Unknown	Browse	deloplen.com/apu.php?zoneid=695986
	http://www.footybite.tv/watch/sports-hd1.htm	Get hash	malicious	Unknown	Browse	cdrvrs.com/tag.min.js
	http://soaheeme.net	Get hash	malicious	Unknown	Browse	soaheeme.net/favicon.ico
	http://soaheeme.net	Get hash	malicious	Unknown	Browse	soaheeme.net/favicon.ico
	http://glaurtas.com	Get hash	malicious	Unknown	Browse	glaurtas.com/favicon.ico
1.1.1.1	PO-230821_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
	AFfv8HpACF.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
	INVOICE_90990_PDF.exe	Get hash	malicious	FormBook	Browse	www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
	Go.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://johnlewisfr.com	Get hash	malicious	Unknown	Browse	104.26.13.204
	call_Playback_moog.com.html	Get hash	malicious	HTMLPhisher	Browse	172.67.216.215
	https://singlecity.it/test/E/1.htm	Get hash	malicious	Unknown	Browse	104.18.10.207
	SecuriteInfo.com.Exploit.ShellCode.69.26008.28945.rtf	Get hash	malicious	Remcos	Browse	188.114.96.3
	lowkey_spoofer_cracked_fixed_by_nemesis_team.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, Havoc, MicroClip, PySilon Stealer	Browse	162.159.136.232
	https://bpecuniaimmobili.com/J0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MzY/	Get hash	malicious	Unknown	Browse	104.21.57.22
	Electronic Slip_ball.com.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	AAMwAy8pB7.elf	Get hash	malicious	Mirai, Moobot	Browse	1.2.49.70
	https://yagyatech.com/netpaymem	Get hash	malicious	Unknown	Browse	104.19.177.52
	mkFOY01Gl5.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
RETN-ASEU	https://rapepush.net/iwant?3.1.525	Get hash	malicious	Unknown	Browse	139.45.197.253
	http://thampolsi.com/5/7616590	Get hash	malicious	Unknown	Browse	139.45.197.236
	http://progressivewebappsdev.com	Get hash	malicious	Unknown	Browse	45.143.94.2
	http://www.qualityentertainment.ca/	Get hash	malicious	Unknown	Browse	45.143.94.2
	http://psaugourtauy.com	Get hash	malicious	Unknown	Browse	139.45.197.160
	http://bouhoagy.net/pfe/current/micro.tag.min.js	Get hash	malicious	Unknown	Browse	139.45.197.250
	https://dibsemey.com	Get hash	malicious	Unknown	Browse	139.45.197.250
	https://disk.yandex.ru/d/ArN8zL4WbJeexQ	Get hash	malicious	Panda Stealer	Browse	109.94.208.20
	https://www3.animeflv.net/	Get hash	malicious	Unknown	Browse	139.45.195.5
	https://deehatoa.net/4/6495813	Get hash	malicious	Unknown	Browse	139.45.197.236

Process:	C:\Users\user\AppData\Local\Temp\D57C.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	107232830
Entropy (8bit):	7.999946456161068
Encrypted:	true
SSDEEP:	1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
MD5:	FF2293FBFF53F4BD2BFF91780FABFD60
SHA1:	61A9EDCF46228DC907AD523AA6FD035CC26C9209
SHA-256:	B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
SHA-512:	C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Virustotal, Detection: 6%, Browse Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9FC5.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6642176
Entropy (8bit):	7.866419732571782
Encrypted:	false
SSDEEP:	98304:LqhZ67opwYckx35SF2XKgxVvHuCPU8GSbO3JAXV1LrA+ZlL9CxpzTp2:LgErupSgKORuCT43JeV1LE+/s3p
MD5:	BD2EAC64CBDED877608468D86786594A
SHA1:	778AD44AFD5629F0A5B3B7DF9D6F02522AE94D91
SHA-256:	CAE992788853230AF91501546F6EAD07CFD767CB8429C98A273093A90BBCB5AD
SHA-512:	3C8F43045F27ADDCB5FB23807C2CE1D3F247CC30DD1596134A141B0BBC7FA4D30D138791214D939DC4F34FD925B9EC450EA340E5871E2F4F64844226ED394312
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 23%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....U~f..............................M...........@...................................e...@..................................O......P......................@.......................................................@3..............................text...+........................... ..`.rdata...*..........................@..@.data.... ..........................@....vmpL.p.....0...................... ..`.vmpL.p@....@3.....................@....vmpL.p..]..P3...]................. ..`.reloc.......@........].............@..@.rsrc.......P...f....].............@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\D57C.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	modified
Size (bytes):	293869
Entropy (8bit):	5.61569579822855
Encrypted:	false
SSDEEP:	3072:lFi6z/VXzAf3ocMNqB3r1Josf+OMhERMlm+twHBumSYyDgIoIPM7l0UGHM7:lxFSIjs+OM2eLFmSFgIZk7+HM7
MD5:	60172CA946DE57C3529E9F05CC502870
SHA1:	DE8F59D6973A5811BB10A9A4410801FA63BC8B56
SHA-256:	42CEB2252FEC41FD0ACC6874B41C91E0BA07C367045D6A9A7850D59781C2584C
SHA-512:	15D37AF3CAB96FC9026A1898E09C775FE0D277098A3FE20C2E591272DE996A243850D43F3B48B4C037C5FED359E57795A7CF1652547D7AD8B16B186AB9508792
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 21% Antivirus: Virustotal, Detection: 9%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........`..X............................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...X....`......................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsk862A.tmp\liteFirewall.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	6.389604568119155
Encrypted:	false
SSDEEP:	1536:Dli3i1jKfTV0LzYpAzMk2nACScLw5jPAT:j9KLQ+ScLw5jPAT
MD5:	165E1EF5C79475E8C33D19A870E672D4
SHA1:	965F02BFD103F094AC6B3EEF3ABE7FDCB8D9E2A5
SHA-256:	9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD
SHA-512:	CD10EAF0928E5DF048BF0488D9DBFE9442E2E106396A0967462BEF440BF0B528CDF3AB06024FB6FDAF9F247E2B7F3CA0CEA78AFC0CE6943650EF9D6C91FEE52A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W=.e9n.e9n.e9n...n.e9n...n.e9n..Bn.e9n.e8n.e9n.7.n.e9n...n.e9n...n.e9n...n.e9nRich.e9n........PE..L...,.N...........!.........^.......%...............................................3..................................`...$'..d....`.......................p...................................... ...@...............h............................text...1........................... ..`.rdata..P/.......0..................@..@.data........0......................@....rsrc........`.......*..............@..@.reloc.......p.......,..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\INetC.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\D57C.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.668346578219837
Encrypted:	false
SSDEEP:	384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
MD5:	92EC4DD8C0DDD8C4305AE1684AB65FB0
SHA1:	D850013D582A62E502942F0DD282CC0C29C4310E
SHA-256:	5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
SHA-512:	581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9<.EXR.EXR.EXR.b.).LXR.EXS..XR.b. .FXR.b.(.DXR.b...DXR.b.*.DXR.RichEXR.................PE..L....I6V...........!.....8...P......Q?.......P...................................................................... G..l....?..d.......(...............................................................................P............................text....7.......8.................. ..`.data...<<...P.......<..............@....rsrc...(............D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\blowfish.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\D57C.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	6.674611218414922
Encrypted:	false
SSDEEP:	384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
MD5:	5AFD4A9B7E69E7C6E312B2CE4040394A
SHA1:	FBD07ADB3F02F866DC3A327A86B0F319D4A94502
SHA-256:	053B4487D22AACF8274BAB448AE1D665FE7926102197B47BFBA6C7ED5493B3AE
SHA-512:	F78EFE9D1FA7D2FFC731D5F878F81E4DCBFAF0C561FDFBF4C133BA2CE1366C95C4672D67CAE6A8BD8FCC7D04861A9DA389D98361055AC46FC9793828D9776511
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5% Antivirus: Virustotal, Detection: 3%, Browse
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................6..........dD.......P....@.....................................................................Y.......................................p...................................................................................CODE....\|4.......6.................. ..`DATA....8....P.......:..............@...BSS..........p.......L...................idata...............L..............@....edata..Y............P..............@..P.reloc..p............R..............@..P.rsrc................V..............@..P.....................X..............@..P................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\nsProcess.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\D57C.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	4.666004851298707
Encrypted:	false
SSDEEP:	48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
MD5:	FAA7F034B38E729A983965C04CC70FC1
SHA1:	DF8BDA55B498976EA47D25D8A77539B049DAB55E
SHA-256:	579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
SHA-512:	7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.I...I...I...n\|f.L...I...Q...@..K...@..H...@..H...RichI...........PE..L...`..N...........!......................... ...............................`.......................................#....... ..<....@.......................P..\|.................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsw1781.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	358363995
Entropy (8bit):	6.972150585647623
Encrypted:	false
SSDEEP:	3145728:KTzytRGD/CYRNIPKYTFBhfmOS9KBaVzTx9OSsKV97nM:KnUs4tvaVzTD99M
MD5:	5F9D89B40243E83C0B48206CE4EB77D1
SHA1:	477A019AB11E5793168B3E41D83B80A8AC8F1D43
SHA-256:	2BF31800E731EF63E7E5BDEECD87B50B349EC8F5C9D752AACB807AC0E82E95B9
SHA-512:	5B812C2D341FE8A9296EF68E416E0EFA8185FB3ECCEC0917AB206CD7639E1810E6444538B61583E2260F1A46D4209E1995CFBF940A1D9836C4155ADF0504940B
Malicious:	false
Reputation:	unknown
Preview:	........,.......................H...........................................................................................................................................................................................................................................................e...i...............j.......................3.......................................................................................................................t....V..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\D57C.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	107232830
Entropy (8bit):	7.999946456161068
Encrypted:	true
SSDEEP:	1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
MD5:	FF2293FBFF53F4BD2BFF91780FABFD60
SHA1:	61A9EDCF46228DC907AD523AA6FD035CC26C9209
SHA-256:	B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
SHA-512:	C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 6%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_0

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Reputation:	unknown
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_1

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012096502606932763
Encrypted:	false
SSDEEP:	3:MsEllllkXl:/M/6
MD5:	259E7ED5FB3C6C90533B963DA5B2FC1B
SHA1:	DF90EABDA434CA50828ABB039B4F80B7F051EC77
SHA-256:	35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
SHA-512:	9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_2

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_3

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	modified
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\index

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl7:Ls3
MD5:	7E7045848BA66C51F147714BC9EB3632
SHA1:	65D7AC71574D1AB8346AFF6BA80070E22041D2AB
SHA-256:	8F695CF8036DEEB6DE0EF647C983C47FAAB893DA94B2C9DB5A2F7BCFB563339E
SHA-512:	F1B76BA5B758A4CE2E12624D0F35087A174C31FA93EF552B6237A388B99A9C48A64E167F1F91059880A2B3642B0C51A7FEA83EF59AD6A93180255F193AD5908E
Malicious:	false
Reputation:	unknown
Preview:	.............................................z/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\Del.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.622398838808078
Encrypted:	false
SSDEEP:	96:QPjzIyfbInD3W0IwrBmEH7UewW4ORIhmY5XO40uK8DDzNt:pQIS0IwrJbU7W4kIX5e4kgF
MD5:	97D4D47D539CB8171BE2AEFD64C6EBB1
SHA1:	44ABF82DD553CCE0C1F41B9B78D853075DDD1F16
SHA-256:	8D996D5F68BF2248F223C4F3549303BC6A8EC58CC97FCB63B7BB7D8068850273
SHA-512:	7D402847B093E208410C695095DE815A3F5D5DA81630FD51C88C009C48C269D0EA5016D626351BB9D38862163FAD930645072C50ACCCD743DC0E19531A592FDE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 7% Antivirus: Virustotal, Detection: 11%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.].........."...0.............64... ...@....@.. ....................................@..................................3..O....@.......................`.......2............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H........#...............1...............................................0..-.......(....r...p(.....(.......(....,...(....(........0..T........~....(.....~....(.....(....s....%.o....%.o....%.o....%.o....%~....o....(....&..&..........PP.......0..6.......(....(......( ...r...p~....r...p(!.....("...,...(#......0..........r...p.~$.....o%.....,..~....o&......,..o'....ra..p.~$.....o%.....,..~....o(......,..o'....r...p.~$.....o%.....,..~....o(......,..o'......&..*....4.......#..

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_0

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Reputation:	unknown
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_1

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012096502606932763
Encrypted:	false
SSDEEP:	3:MsEllllkXl:/M/6
MD5:	259E7ED5FB3C6C90533B963DA5B2FC1B
SHA1:	DF90EABDA434CA50828ABB039B4F80B7F051EC77
SHA-256:	35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
SHA-512:	9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_2

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_3

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GPUCache\index

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlXp:Ls3
MD5:	82054CA07AE05D0553EC608714BD8985
SHA1:	3420F2C305A6E1820131039F4D1752A35A96A056
SHA-256:	3B698FB3CDC39E88B5EEB7DAAFE9CAEED347B8BFC898F84E5E8180A2FAABD8D1
SHA-512:	33FF67182CC42E6CDDC33B193EBD19F718A81D8356D0DD5BB3101F4FDCE244B903C09E229D465F5F33D988E2FC5FA68F6F9257C8C53B975631A28200E25BCF09
Malicious:	false
Reputation:	unknown
Preview:	.........................................s...z/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	296448
Entropy (8bit):	5.660420770467009
Encrypted:	false
SSDEEP:	3072:xTpjI4TptgvmHMaellnhblkK0m2QEk0xjo4OVzdvayfvYn6A:ppbVtsg1e5b2Px2zdyyq
MD5:	7A3502C1119795D35569535DE243B6FE
SHA1:	DA0D16BC66614C7D273C47F321C5EE0652FB5575
SHA-256:	B18FEFB56ED7B89E45CEC8A5494FBEC81E36A5CB5538CCBB8DE41CCE960FAA30
SHA-512:	258B111AC256CD8145CBE212D59DFF5840D67E70EFFD7CDDC157B2A3461B398BBC3446004980131FAA6A8762C19305F56E7B793F045331B56B8BD17D85B884C4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 11%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rf..............0.............>.... ........@.. ....................................@....................................O.......t............................................................................ ............... ..H............text...d.... ...................... ..`.rsrc...t...........................@..@.reloc..............................@..B................ .......H....... ...$...........D...p............................................(....s....Z..(....,...(....(.....(......(......(............~........0..W.......(....".....(......,..o....-...o.....+...( .....o....&..(!...-...........o"....."...BZ.......%..A.......0..Q.......(....(........,..o....-...o.....+...( .....o....&.._...(!...-...........o"..............!. A.......0..V.......(....(......,..o....-.~#.....o.....+...( ...."...B[..o....&..(!...-...........o"....*......

C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	462336
Entropy (8bit):	6.803831500359682
Encrypted:	false
SSDEEP:	6144:leSYvQAd10GtSV41OJDsTDDVUMle6ZjxLV/rHo0Oaaz2R9IY:oJBdBS4msNUCe65frHMnz2R9
MD5:	6DED8FCBF5F1D9E422B327CA51625E24
SHA1:	8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
SHA-256:	3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
SHA-512:	BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=N...........!................N#... ...@....@.. ..............................T.....@.................................."..O....@..P....................`......."............................................... ............... ..H............text...T.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................0#......H.......0U..l...........P%.../..P ......................................6..`N.?O...%.C.k_..d...I......5a.......9x......R...gg8...JM...`.[. .o..eE1$_.M.h.q.oz..1..........@....s.c/J..wk.D.....t..&...(.......0..2........r...p(....}.......}"....(........(.........(......r...p(....}.......}"....(........(......0..j.........o....-..s#...+..}......(......(......}.....(....s....}......}......}......(......%-.&r...p}......j(#...rr!..p.{.....{.....B...(....*..0..A........{..

C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	574376
Entropy (8bit):	5.8881470355864725
Encrypted:	false
SSDEEP:	12288:ZzfhypmNGgHA37YyUD1AboTf3xnpJbC8VGSBJjRuz7:ZoI1AbQf3xnpJbC8VLBJjRuz7
MD5:	8F81C9520104B730C25D90A9DD511148
SHA1:	7CF46CB81C3B51965C1F78762840EB5797594778
SHA-256:	F1F01B3474B92D6E1C3D6ADFAE74EE0EA0EBA6E9935565FE2317686D80A2E886
SHA-512:	B4A66389BF06A6611DF47E81B818CC2FCD0A854324A2564A4438866953F148950F59CD4C07C9D40CC3A9043B5CE12B150C8A56CCCDF98D5E3F0225EDF8C516F3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ot............" ..0.............6.... ........... ....................................@....................................O.......................................T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...P............................................................(......(....^.(...........%...}....:.(......}....:.(......}......(....:.(......}......{......(......(....:.(......}......{.....(.............}.....(......{.....X.....}......0...........-.~.....~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{E....3...{D......(....,...{D.....{F.......-.....0...........-.r...ps....z.o......-.~.....~....X...+....b..

C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	561424
Entropy (8bit):	4.606896607960262
Encrypted:	false
SSDEEP:	6144:XqqUmk/Rik2rH6dl0/IaHNpOVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QyMYFLse:DUK
MD5:	928ED37DB61C1E98A2831C8C01F6157C
SHA1:	98103C2133EBDA28BE78BFE3E2D81D41924A23EE
SHA-256:	39F6A4DB1BE658D6BAFF643FA05AAE7809139D9665475BFCA10D37DCA3384F21
SHA-512:	F59387BFA914C7DB234161E31AD6075031ACA17AAEF4B8D4F4B95C78C7A6A8D0E64211566CA2FD4549B9DA45231F57A4191FBCD3809404653F86EE2ABD4937A4
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s

C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	215862
Entropy (8bit):	5.849338245796311
Encrypted:	false
SSDEEP:	3072:rFi6z/VXzAf3oc8+vat7fvYnDAdOVz5kNx:rxFSI+y1qk6zuNx
MD5:	9D21A25AA1B5985A2C8CBCE7F7007295
SHA1:	86EBF56352B4DBB831FAE0CCA180B4ADD951240D
SHA-256:	E41F984C39183BA4FD1578134D71E203F4A7A8C23F278924562876326FC40EE2
SHA-512:	EE4A1AC97968F2DDA3C54A49AC33D3FCE28C4DAE72032D9FDD1F8D8BA41B07A1D78D15E11586DA54AD5E0F2BD4A48C79A0CBAC84DE3D957B2AC6C1B5F41A33BB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 3%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	875520
Entropy (8bit):	5.621956468920589
Encrypted:	false
SSDEEP:	12288:jsRfnBqqvFXWesd2HiZ9fyn+5FHrvUR1Qnzx7LuQ:jsRITeWAQ5vtu
MD5:	B03C7F6072A0CB1A1D6A92EE7B82705A
SHA1:	6675839C5E266075E7E1812AD8E856A2468274DD
SHA-256:	F561713347544E9D06D30F02A3DFCEC5FE593B38894593AEEDF5700666B35027
SHA-512:	19D6792EB9BA8584B94D0D59E07CE9D1C9C4DA5516490F4ABCE5AE0D7D55B357BDA45B2093B3E9EB9D6858061E9D3F530A6655C4779A50C911501AE23925C566
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..R...........p... ........... ....................................@..................................p..O.......x............................o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...x............T..............@..@.reloc...............Z..............@..B.................p......H....... .................................................................(......(......(....^.(.......=...%...}....:.(......}....:.(......}....^.(.......>...%...}....:.(......}.....(.............0..,.......(....o.......3......... ....3.(....-.....0..L.......~..... . ..(......(....-..(....r...p( ...,.......&...~....(!...,..("..............+1...........4.......~.....~......(.....~....,..(#...-.(....-..(....+.r...ps$...z(..........b.r...p(%...~.....(....&*.r

C:\Users\user\AppData\Roaming\GamePall\cef.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1946739
Entropy (8bit):	7.989700491058983
Encrypted:	false
SSDEEP:	49152:fpXzD2VLpS71ycdao6LreGCL/0jJZWOiBiXkbEia9T:xjyFgZ0Lr2/0jJU5BiIEN
MD5:	96AD47D78A70B33158961585D9154ECC
SHA1:	149BF6F6905A76B0CC9E9ACA580357BD6C3497A2
SHA-256:	C861117D1F1DBF02867B46FA87CB8C65C3213D196029EE81A02B617D131236E2
SHA-512:	6A971F742B5754EEF39C6C2C64DB13DFDCB74D8CB23833404E9EF5AD89E142278E5DF789F508DB561C5E957013AE0C60D002CDFA93BCD87CA4967D610DF1579B
Malicious:	false
Reputation:	unknown
Preview:	........V...f.....g.7........................!.....%....o8...).>...).F...).H...).X...).a...)i...).k...).q...)Lt...).v...)Tw...).x...).}...).....)I....)i....)....).....).....)L....)....)....)t....).....).....).....)s....).... )....!)....")....#)....$)}...%)+...&)h#..').'..().-..)).>..).A..+).C..,).Q..-)CU...).]..<).d..=).l..>)i...?)G...@)H...A)r...B)....C)z...T)....U)....V)+...W)....X)....Y)....Z)....[)#...\)}...]).!..^)R1.._).2..`).;..a).=..b)mE..c)QG..d).H..e)qL..f).U..g).]..h).b..i))d..j).e..k).g..l)Pi..m).p..n).z..s).z...).....)b....).....)'....).....)....)....).....).....)....).....)s....)F....)j....)....).....)....)....)....)h....)H....)....).....).....)k....).....)L....)q....)2....).....).....).....).....).....)N....)\|....).....).....).....).!...).)...).6...).C...)RE...).L...).N...).O...).U...)bV...).W...).^...)o_...)(g...)Si...).v...).....)0....)/....).....),....)..........F....]....3....v........v...................$... ....!8..."....#....$....%*..

C:\Users\user\AppData\Roaming\GamePall\cef_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	214119
Entropy (8bit):	7.955451054538398
Encrypted:	false
SSDEEP:	6144:m5S+8U5mtp0ra7rFrJzw95T9OHCZg0Gb0OveGe04mExhLY:mWU5OGUFoqoORehrQ
MD5:	391F512173ECEC14EB5CE31299858DE1
SHA1:	3A5A41A190C1FB682F9D9C84F500FF50308617FC
SHA-256:	E0F5C754C969CCA0AC4594A6F3F2C23D080A09EEA992AF29E19F4291FD1E0B06
SHA-512:	44D7B9BCB3544C3F5550150EF3522BF6A0B36900695E6A13E44F5616E16A058548189D4FEA4A22248B1CB2B273B0EAA7D559EB2D8F013BED520E4097BD45D800
Malicious:	false
Reputation:	unknown
Preview:	........................#.b...&.....:.g....7.....7.....7.....7\|(...7.-...7t5...7.6...7.9...7s:...7hB...7.E...7.G...7.K...7qN...7.Q...7yR...7.S...7.W...7.\...7.b...7.i...7.k...76m...7Vq...7.r...7.v...7.y...7.{...7.~...7Z....75....7;....7W....7.....7c....7u....7b....7.....7.....7.....7Q....7*....7\....8."...8,)..<FqG..=F7I..>F.L..?F$O..@F.P..AFaQ..BFnT..CF.W..DF.Y..EFJ\..FF.^..MF(b..NF.c..QF.e..RF.f..YFZg..ZF.p..[F.x..\F.{..]F.{...L.\|...L.....L....Ni....N.....NJ....N2....N+....N^....No....N9....NK....N....N1....N$....N....Nh....N.....N.....U.....U.....U.....U.....U.....U[....U.&...Uh(...U?/...U.4...U.:...U.@...U.B...U,G...U.K...U)N...U.R...UF\...U.`...U.b...U.j...U]s...UEt...U.u...U.w...U.z...Uh{...U.}...U#....U.....U^....U.....U\|....U.....U.....U.....U.....U.....U.....U.....U.....U.....U]....U?....U.....U9....U....U.....Um....U<....U!....U.....U.....U....Uq....U3....U!....U.....U....U.....Uu....UJ....U.....U.....U.....U.....U`....U'....U.....U.....Ul....U%....U7....U.....U.....UW.

C:\Users\user\AppData\Roaming\GamePall\cef_200_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	290001
Entropy (8bit):	7.9670215100557735
Encrypted:	false
SSDEEP:	6144:tS+8U5mtp0ra7rFriDQYaF+9bQHgs4jTlmOHCZVWGMRe8InVXYopym74:CU5OGUFrfs4gs4jTQ6ebVIo374
MD5:	BF59A047984EAFC79E40B0011ED4116D
SHA1:	DF747125F31F3FF7E3DFE5849F701C3483B32C5E
SHA-256:	CD9BE67AA0527F16E309189FA2369E1A2596D0601A7D55C405F8A619F4D095E9
SHA-512:	85A545758E8C89EF47BF11B553C57D23ED7DA6AE89A8BCCB262F509AABE61A1121C3F87EC9200791F2670225BAEECC3C92AED6AFDA86C08CA0FD611DA2E595D2
Malicious:	false
Reputation:	unknown
Preview:	........................#.....&.....:......7.....7.....7.....7.+...7.1...7.8...7.9...7)<...7.=...7xE...7.H...7.J...7'N...7.Q...7.T...7.U...7.W...7.Z...7._...7.e...7.l...7.n...7Fp...7ft...7.v...7)y...7.\|...7.~...7.....7j....7E....7K....7g....7.....7s....7.....7r....7.....7.....7.....7a....7:....7l"...8.%...8<,..<F.J..=F.N..>FtV..?F9\..@Fw_..AFr`..BF0g..CFll..DF\|o..EF.v..FF){..MF....NF...QFf...RF....YF`...ZF...[F....\F....]F....L....L.....L.....N.....N.....N.....N.....N.....N.....N.#...N.&...N.'...N.)...N....N.+...Nv,...N.-...N;r...N.\|...Um....U.....UM....UV....U.....U....UC....U.....U....UM....U.....U.....Um....U.....U.....U.....U.....UQ....U.....U7....U.....U.....Uk....U.....U.....U.....U.....U.....U.....U.....U.....U.....U{....U.....U.....U.....U~&...U.)...U.Q...U.Q...U.V...U.[...U.\...U._...U.`...U?a...U.a...Uic...U.d...U\f...U.g...U.i...U1l...U.p...U.u...U.}...U.....U.....U^....U.....U.....Ux....U....U.....Uy....U6....U.....U....UR....Uq....U.....U.....U_....U.....U.....U..

C:\Users\user\AppData\Roaming\GamePall\cef_extensions.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1305142
Entropy (8bit):	7.99463351416358
Encrypted:	true
SSDEEP:	24576:8AkckSbnVLjWG13xdT0b+SLzRYt2k+lbG9EjJNH/osm22O+EcRfPLP:88zVXWG1hdAKSxY4k5EFNHgvPPLP
MD5:	20DDA02AF522924E45223D7262D0E1ED
SHA1:	378E88033A7083AAC24E6CD2144F7BC706F00837
SHA-256:	8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
SHA-512:	E71320B2AA0CB52938206EC00187D78274646C4C7D3579B33A0163262C063B7813FE7ACD0D2E5807082ADE772069AA577FED7F594964790C2F7C061CE38467B6
Malicious:	false
Reputation:	unknown
Preview:	........i...f+....i+....l+....m+{...n+q...o+7(..p+.1..q+X3..r+~5..s+aI..t+.]..u+.f..v+Ui..w+'k..x+.l..y+.q..z+.s..{+O{..\|+...}+=...~+.....+....+-....+.....+.....+.....+.....+.....+.....+.....+.....+.....+%....+.....+&(...+.Q...+.Y...+Xe...+Bj...+cv...+.}...+....+H....+....+Q....+l....+I....+.....+ ....+T....+!....+m....+.....+.....+U....+.....+.....+.....+l....+~....+.....+=....+w....+.....+-"...+.(...+.0...+.2...+.4...+.G...+uS...+.....+9....+y....+.....+.....+N....+....+0....+.....+.....+.....+_....+.....+.....+.....+.....+.....+.....+.....+.....+S....7`....7R...(7/...)7.....L.m...LO....L.....Mk....M.....M.....M>....M.....M.....Mq....M.....M.....M\....M.....M.....M.....M.....M.....M.....M.....M.....M.....MO....M.....M.....M.!...M.(...Mf5...M.;...M&E...M.P...M.T...M<]...M.`...M.j.. M.k..!M2v.."M.w..#M.z..$M....%M...&M...'M#...(M@...)M....*M(...+MY...,Mu...-M$....M..../MV...0M;...1Mx...2M....3M....4Mi...5M....6M....7MP...8M"...DM....EM.....Mi....M.~...M.~...Mb....M_....M....M.

C:\Users\user\AppData\Roaming\GamePall\cef_sandbox.lib

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	87182312
Entropy (8bit):	5.477474753748716
Encrypted:	false
SSDEEP:	196608:v0b1XAJ5V8XYcrfCNJsTtU0ZhdYHbgMnn6d25JOcLRiLnIrBcnK0EAeg1GF:78JaNJyZhdE6383rWEAR8
MD5:	FFD456A85E341D430AFA0C07C1068538
SHA1:	59394310B45F7B2B2882D55ADD9310C692C7144F
SHA-256:	F188B96639B5157E64222BB8483D76CD21A99141FC2614EF275E20639C739264
SHA-512:	EB4CB388383CB37B1D89531D560169985A80DF9335F005AFBBFDE56F9031821A933D735138B1086CF81D006E480FF14711A8A95B3DB8A0FD4037AA6EFD926B50
Malicious:	false
Reputation:	unknown
Preview:	!<arch>./ 1696073295 0 1940897 `...Y..:.t.:.>.:...:...:...:...:...;/..;/..;/..;/..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..@...@...@...@...@...A...A...A...A...A...A...A...A...A...A...A...A...Co..Co..Co..Co..Co..Co..Co..Co..Co..Co..E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...G..G..G..G..G..G..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=.

C:\Users\user\AppData\Roaming\GamePall\chrome_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	656926
Entropy (8bit):	7.964275415195004
Encrypted:	false
SSDEEP:	12288:fI3Hdjzgsz5B0GDJQrnKs8SNP+QSsSilRBdNze0Vc+gIXgt4z8oO0TehEr7:g397zEEmPLSOdNze05gUgmz8oO0TOW
MD5:	3404DD2B0E63D9418F755430336C7164
SHA1:	0D7D8540FDC056BB741D9BAF2DC7A931C517C471
SHA-256:	0D3FCA7584613EB1A38BAF971A7DD94F70803FC130135885EC675E83D16A4889
SHA-512:	685D63633DB8A57D84225C2B92C92016E1CE98BA2BF8D3DDACE2EB120B3BCF84C718787D59DB6EC61F34CF91CB651500B4E4FF0AC37AEB89561CDCC586946C80
Malicious:	false
Reputation:	unknown
Preview:	..........+...........................&..........;.....;N....;.....;"....;.....;.....;N....;.....;.....;s....;....;.....;.....;....;4....;.....;.....;0....;.....;c....;7....;.....;.....;.....;.....;?....;:....;G....;.....;n....;x....;.....;.....;.....;#....;.....;.....;B....;.....;.....;.....;N....;.....;.....;+....;.....;% ...;c!...;.!...;."...;E+...;t4...;qH...;I\...;.]...;.^...;>a...;.c...;.g...;.o...;pw...;.\|...;h....;.....;.....;....;.....;....;o....;.....;.....;.....;....;y....;.....;.....;3....;9....;h....;.....;.....;.....;F....;."...;.+...;.0...;.8...;?:...;'X...;.q...;.....;....;.....;t....;.....;.....;.....;./...;.X...; m...;....;.....;.....;.....;+....;.....<O....<.....<.....<=....<2$...<y+...<.3...<.<...<aA...<.L...<.W...<.[...<._...<.d...<Dv...<t....<!....<....<....<.....<.....<.....<V....<.....<.#...<.8...<\|F...<hP...<bW.. <i^..!<ts.."<(...#<{...)<`...<c...+<d...,<"...;<x...<<k...=<....><-...?<....@<....A<'...B<g...C<....D<U...E<....F<....G<....J<....K<....L<v%

C:\Users\user\AppData\Roaming\GamePall\chrome_200_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1017158
Entropy (8bit):	7.951759131641406
Encrypted:	false
SSDEEP:	24576:m3Tl5zLmmibkFR8+mZRUumegvQtc05UwvdAbatzk6edhOLoe9:m3Tl53mNbkFRJmHURhQW05JvdlzkjrOH
MD5:	3FBF52922588A52245DC927BCC36DBB3
SHA1:	EF3C463C707A919876BF17C3E1CD05C0D2C28CA9
SHA-256:	C6FE346106C5E4950161ED72EB0A81FE3537A94E4A59461AAF54E750D1904F76
SHA-512:	682EB6D61B564C878FDB971A6439FCDA9F1E108BD021A32E8990B68B1338986A4866A0965DEA62567501C8826D43CEBF2B7C8BE8323DE415A75E8D89A9D592E7
Malicious:	false
Reputation:	unknown
Preview:	..........+.....................b................;.....;&....;.....;.....;.....;.....;b....;....;8....;.....;.....;o....;....;<....;.....;.....;l....;....;/....;.....;[....;Q....;.....;j....;.....;.....;L'...;.E...;lZ...;.o...;.q...;.r...;.s...;.{...;.{...;.~...;"....;.....;U....;.....;.....;.....;....;d....;.....;.....;i....;.....;f....;....;0....;.....;.....;.(...;+...;.+...;A....;54...;.9...;,O...;.`...;.n...;.~...;.....;.....;M....;....;;....;q....;Z....;.....;.....;.-...;\=...;.P...;.d...;@\|...;.....;Y....;#....;_....;/....;.....;.#...;.;...;.J...;gc...;cf...;W....;....;W....;.....;.....;.....;7....;.-...;.I...;Y\...;W....;....;.....;S....;.....;t....;.....;.....<W....<.&...<9<...<iG...<jQ...<.X...</a...<gi...<.n...<Pz...<.....<f....<.....<I....<.....<.....<.....<4C...<4d...<....<....<.....<.....<.....<D8...<.e...<_....<....<.... <I...!<...."<.E..#<.E..)<.G..<%j..+<N...,<....;<....<<v...=<....><....?<....@<y...A<....B<....C<....D<....E<"F..F<.J..G<.O..J<.X..K<.e..L<.r

C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1174528
Entropy (8bit):	6.475826085865088
Encrypted:	false
SSDEEP:	24576:I3lp87thPKuxyj+tWF8lCwOvzr90p5OM3:FauY+tWF8b5OM3
MD5:	207AC4BE98A6A5A72BE027E0A9904462
SHA1:	D58D2C70EA0656D81C627D424F8F4EFCCEF57C86
SHA-256:	2BA904DA93ACC4766639E7018AC93CC32AA685DB475F3A59B464C6BC8B981457
SHA-512:	BFB6C58774829DB3D5FADC92CB51477FF4EAC8FB934DB6583A312BB1157468F6DD3A4A3AFAF25A687B74890DC8A69857A12D0B38B18D83E82836E92E02046FF3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....v...p......P.....................................................@A........................vT......AX..<.......x...........................<<.......................;......(...............<[.......O.......................text....u.......v.................. ..`.rdata..\............z..............@..@.data...H...........................@....00cfg...............F..............@..@.crthunk.............H..............@..@.tls.................J..............@...CPADinfo(............L..............@...malloc_h.............N.............. ..`.rsrc...x............P..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2106216
Entropy (8bit):	6.4563314852745375
Encrypted:	false
SSDEEP:	49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
MD5:	1C9B45E87528B8BB8CFA884EA0099A85
SHA1:	98BE17E1D324790A5B206E1EA1CC4E64FBE21240
SHA-256:	2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
SHA-512:	B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.h...;...;...;..];...;...;...;.._;...;..h;0..;..i;'..;..X;...;..l;D..;?M.;...;..Y;...;..^;...;Rich...;........PE..L...92.K...........!.........d...............................................p .....O. ...@.........................@.......@...P..................... .h............................................i..@............................................text...S........................... ..`.data....~.......B..................@....rsrc................(..............@..@.reloc..D............,..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4127200
Entropy (8bit):	6.577665867424953
Encrypted:	false
SSDEEP:	49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd
MD5:	3B4647BCB9FEB591C2C05D1A606ED988
SHA1:	B42C59F96FB069FD49009DFD94550A7764E6C97C
SHA-256:	35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
SHA-512:	00CD443B36F53985212AC43B44F56C18BF70E25119BBF9C59D05E2358FF45254B957F1EC63FC70FB57B1726FD8F76CCFAD8103C67454B817A4F183F9122E3F50
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!7P.OdP.OdP.Od..NeR.OdP.Nd..OdY..dU.Od.Jem.Od.KeQ.Od...dQ.Od..Leo.Od..Je..Od..OeQ.Od..Ge..Od..Kec.Od...dQ.Od..MeQ.OdRichP.Od................PE..L..................!.....2<..*...............P<...............................?.......?...@A.........................<<.u.....=.P.....=.@.............>..%....=.........T....................u..........@.............=..............................text...e0<......2<................. ..`.data...`"...P<......6<.............@....idata........=.......<.............@..@.rsrc...@.....=.......<.............@..@.reloc........=.......<.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\devtools_resources.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	2205743
Entropy (8bit):	7.923318114432295
Encrypted:	false
SSDEEP:	49152:qHlbrhXKMVp/DVegxF2Xe1WFG4F3KMWB7rwz3yY+23:qFnhXKwggr0cWEgaMi7rwrw23
MD5:	54D4E14BFF05C268248CAB2EEDFB61DD
SHA1:	33AF472176F6E5FB821FFE23C9FBCCC7C735B5B9
SHA-256:	2CAC401BFFA9FD4DFFE11E05EE18FC5CA7A30EC5BF7EF6A3EA8518A4F3344790
SHA-512:	5A6893E7EA30EAA0EFF44687B0D15366A8224E476E4AE8FE0D5C7EF2B3C62E6B0184F73EAD36C4E4E08D6936524CEF8429660B3EC29453EED128E3C5368CE78C
Malicious:	false
Reputation:	unknown
Preview:	........K....[.....[.....[.....[Y....[.....[.....[.....[.....[P ...[.!...[."...[.#...[.$...[.%...[.%...[T&...[0'...[/(...[.(...[.(...[....[.+...[{,...[1-...[.-...[3....[b/...[.0...[.1...[.2...[.3...[,4...[.4...[P5...[.5...[#6...[!8...[.8...[.9...[.9...[::...[q;...[Y=...[.=...[ ?...[.@...[0A...[iB...[?D...[.E...[pE...[UF...[.G...[.H...[)I...[.I...[.M...[.M...[DN...[.N...[FO...[.O...[.Q...[oV...[uW...[cX...[[\...[.]...[Ea...[bc...[.c...[ d...[.d...[oe...[.f...[.h...[.i...[Xj...[.k...[.l...[An...[.o...[.p...[.....[....[.....[.....[.....[.....[[!...[.%...[d....[x1...[.4...[.4...[.9...[.C...[.Q...[KS...[#V...[=]...\.b...\.z...\Q}...\.....\.....\....\`....\.^...\7b...\uy...\g....\.....\.....\=....\....\....\....\'....\.....\....\.... \....!\...."\....$\....%\....&\....)\....\....+\.Q..,\.S..-\.U...\..../\w...0\....1\8...2\....3\....4\....5\....6\....7\.T..8\.z..9\6...:\....;\c...<\)&..=\...>\>5..?\JU..@\.r..A\....B\9...C\....D\S...E\....F\\y..G\Y...H\%...I\....J\M...K\.a..L\.j..M\.n

C:\Users\user\AppData\Roaming\GamePall\icudtl.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	10717392
Entropy (8bit):	6.282534560973548
Encrypted:	false
SSDEEP:	196608:hpgPBhORiuQwCliXUxbblHa93Whli6Z86WOH:n8wkDliXUxbblHa93Whli6Z8I
MD5:	E0F1AD85C0933ECCE2E003A2C59AE726
SHA1:	A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
SHA-256:	F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
SHA-512:	714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
Malicious:	false
Reputation:	unknown
Preview:	...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW..K..P...L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..

C:\Users\user\AppData\Roaming\GamePall\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	377856
Entropy (8bit):	6.602916265542373
Encrypted:	false
SSDEEP:
MD5:	8BC03B20348D4FEBE6AEDAA32AFBBF47
SHA1:	B1843C83808D9C8FBA32181CD3A033C66648C685
SHA-256:	CBEE7AC19C7DCCCA15581BD5C6AD037A35820DDFE7C64E50792292F3F2E391E6
SHA-512:	3F9EEC2C75D2A2684C5B278A47FB0E78B57F4F11591FAC4F61DE929F716BBAA8F7DF05E10390408AD6628538611541548C26869822372E9C38D2C9C43881651E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....`...`............................................... ............@A........................8,..h....:..(.......x........................>..........................D........p..............(<..`............................text....^.......`.................. ..`.rdata..L....p.......d..............@..@.data....4...p.......`..............@....00cfg...............\|..............@..@.tls.................~..............@....rsrc...x...........................@..@.reloc...>.......>..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6635008
Entropy (8bit):	6.832077162910607
Encrypted:	false
SSDEEP:
MD5:	63988D35D7AB96823B5403BE3C110F7F
SHA1:	8CC4D3F4D2F1A2285535706961A26D02595AF55C
SHA-256:	E03606B05EEAED4D567EA0412350721C0D566B3096B18C23BD0B3FCDE239E45A
SHA-512:	D5F5ACA00BE9E875FCD61531CC7F04F520FB12999E36E4FE06BEAAE491B47D2E9FE182015DB1CBFBB8E78CF679F2EB49E20ECDF1B16D1D42058D6F2D91BC3359
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!......L...........@.......................................e...........@A.........................].......^.d.....a.......................a.."...U]......................T].....X.L.............H.^.@.....].@....................text.....L.......L................. ..`.rdata...I....L..J....L.............@..@.data...X....._.......^.............@....00cfg........a.......a.............@..@.tls..........a.......a.............@....rsrc.........a.......a.............@..@.reloc..."....a..$....a.............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\libcef.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	176517632
Entropy (8bit):	7.025874989859836
Encrypted:	false
SSDEEP:
MD5:	F5259CC7721CA2BCC8AC97B76B1D3C7A
SHA1:	C2FC0C8396D8CD6764809A2A592972E2EBCA64BA
SHA-256:	3FE6A262EF01CB8FD4DC2D4373DE0F1F0A89EE51953452ED4557CB55F1DA9AB4
SHA-512:	2D01B1F2B24717EFF37965BBC32D167434A65F3DFFF74342D2E2FA8FBB0E97C3F61FDF673A13AD63031D630D9CE46A6F9F0C4F89EBD30C31F3EA55817B9D1331
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.........N.......k....................................................@A........................#..........h....0J.(C....................L.\|.\.P................................?..............`.......LY..@....................text............................... ..`.rdata...%2..0...&2.................@..@.data...dr+..`.......>..............@....00cfg........I.......&.............@..@.rodata.@.....I.......&............. ..`.tls..........J.......&.............@...CPADinfo(.....J.......&.............@...malloc_h..... J.......&............. ..`.rsrc...(C...0J..D....&.............@..@.reloc..\|.\...L..0\..B).............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\libcef.lib

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	40258
Entropy (8bit):	4.547436244061504
Encrypted:	false
SSDEEP:
MD5:	310744A0E10BD9C2C6F50C525E4447F9
SHA1:	9BA62D6AC2CB8EFF46C9B21051677FC1DC66D718
SHA-256:	E9C55CFF925E26812139CDCAD6612E0D69E317CB7BB1435C9EB5113D338ACCE7
SHA-512:	6DF9E3F9AFD7CDEC750B006987E5AEC445E163DD0B9CF1A9EA53F78DB2EE5FD654E3B4F82BCA3E1F4BEDB189F5DFA51189C820905676AD048DBE2E0AD405BF5B
Malicious:	false
Reputation:	unknown
Preview:	!<arch>./ 0 0 0 0 14390 `.......8z..:&..:...;...;...<&..<&..<...<...=...=...=...=...>...>...>...>...>...>...?f..?f..?...?...@B..@B..@...@...A$..A$..A...A...B"..B"..B...B...C...C...C...C...D...D...D...D...D...D...E...E...E...E...Fn..Fn..F...F...GZ..GZ..G...G...HJ..HJ..H...H...I$..I$..I...I...J...J...J...J...K ..K ..K...K...L...L...L...L...M...M...M...M...N...N...N\|..N\|..N...N...Od..Od..O...O...P`..P`..P...P...QP..QP..Q...Q...RT..RT..R...R...S@..S@..S...S...T...T...T...T...U...U...Un..Un..U...U...VP..VP..V...V...W,..W,..W...W...X...X...X...X...X...X...Y\..Y\..Y...Y...ZB..ZB..Z...Z...[,..[,..[...[...\...\...\...\...\...\...]b..]b..]...]...^N..^N..^...^..._6.._6.._..._...`$..`$..`...`...a...a...a...a...b...b...b...b...c...c...c...c...c...c...dj..dj..d...d...e^..e^..e...e...fV..fV..f...f...g8..g8..g...g...h..h..h...h...i"..i"..i...i...j...j...j...j...k...k...k...k...l...l...l...l...l...l...mh..mh..m...m...nN..nN..n...n...o2..o2..o...o...p...p...p.

C:\Users\user\AppData\Roaming\GamePall\locales\af.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	470498
Entropy (8bit):	5.409080468053459
Encrypted:	false
SSDEEP:
MD5:	64F46DC20A140F2FA3D4677E7CD85DD1
SHA1:	5A4102E3E34C1360F833507A48E61DFD31707377
SHA-256:	BA5CA0A98E873799A20FD0DF39FDB55AAB140E3CC6021E0B597C04CCE534246D
SHA-512:	F7D789427316595764C99B00AF0EF1861204F74B33F9FAB0450F670CB56290C92BFB06EF7D1D3B3BF0B6ACDC6295E77F842C49579BD9973E3D5805920CDB2527
Malicious:	false
Reputation:	unknown
Preview:	........$$..e.>...h.F...i.N...j.Z...k.i...l.t...n.\|...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................&...........5.....<.....C.....D.....E.....J.....W.....f.....w.................x.................A.......................S.........................................%.....{.......................V.......................J.......................Y.......................e.......................a.......................l...................................O.....f.......................).....z.......................6.....u.......................Q.......................E.....w.................!.....I.....R.............................l.......................f.................+.............................f.......................D.......................<......................._.......................2.....~.................2.....v.................X...........$.....8.................P.....r...........6.....j.....}.................1.....?...................

C:\Users\user\AppData\Roaming\GamePall\locales\am.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	763010
Entropy (8bit):	4.909167677028143
Encrypted:	false
SSDEEP:
MD5:	3B0D0F3EC195A0796A6E2FAB0C282BFB
SHA1:	6FCFCD102DE06A0095584A0186BD307AA49E49BD
SHA-256:	F9F620F599BC00E84A9826948C3DA985AC9ADB7A6FFB4C6E4FBEFEAF6A94CF85
SHA-512:	CA9217F22C52EF44E4F25142D1AD5DD9D16E4CCC3B6641609E1F4C2650944E35BA4CAB59CA5CD9EA6FEFD6BE1D3E8227FC0E3E6BDEDD14B059CA2C72D096D836
Malicious:	false
Reputation:	unknown
Preview:	........>${.e.r...h.z...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.(...\|.....}.@.....H.....M.....U.....].....e.....l.....s.....z.....{.....\|...............................................F.....f.....'...........V...........Y.............................5.................F.................!.................d.....z...............................................C...........\.................z...........h...........3...........$.....C.................e.................i.................,.......................X.............................h.......................!.....\|...........$.............................1.....}.........................................Z.................\|...........'.....N...........F.................;.............................G.................v............ ....4 ..... ....X!.....!.....!....x"....."....Z#.....#....M$.....%.....%.....%.....&....+'.....'.....'.....(....D).....).....)....2....................+....",.....,

C:\Users\user\AppData\Roaming\GamePall\locales\ar.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	838413
Entropy (8bit):	4.920788245468804
Encrypted:	false
SSDEEP:
MD5:	C70B71B05A8CA5B8243C951B96D67453
SHA1:	DEED73A89F0B3EDAB8FF74117CC6B31CB4F426E8
SHA-256:	5E0D4BC0893A334B6FFF610F66E4A00920530D73EC3257EB9D37A96EBD555C13
SHA-512:	E000FD3592AC5FE700C4CE117868915C066AC66D5954A1DE4F5AFF0F4559C93F7DFF47623F1837CE827FFF94E91ECD89A974037BE9CCCC8E672E229A1E8115E9
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.!...n.)...o.....p.;...q.A...r.M...s.^...t.g...v.\|...w.....y.....z.....\|.....}.........................................................................-.....d.................n...........A...........u.......................O.......................D.................Y...........3.....J...........=.....g.....~.....&.................O.......................B.....!...........u...........5...........).....W.................3.....N.....U.....B...........!.........../.....Y........... .......................g...........).....I.................#.....A...........@.................6........... .....D...........I.................%.............................=.................?...................................G...................................).....t............ ..... ..... ..... ....o!.....!....6"....\"....."....S#.....#.....#.....$.....%....V&.....&....5'.....'.....(....J(.....(....X).....).....).........z..............t+.....,....{,.....,....--

C:\Users\user\AppData\Roaming\GamePall\locales\bg.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	869469
Entropy (8bit):	4.677916300869337
Encrypted:	false
SSDEEP:
MD5:	12A9400F521EC1D3975257B2061F5790
SHA1:	100EA691E0C53B240C72EAEC15C84A686E808067
SHA-256:	B7FD85B33B69D7B50F6C3FDC4D48070E8D853C255F2711EEDAA40D1BA835F993
SHA-512:	31EAA1CBF13BC711750B257C6B75813ACC8E4E04E9262815E399A88B96BA7B5BE64CE2450638B5521D5CB36750C64848944168C3234D2CE15A7E3E844A1E1667
Malicious:	false
Reputation:	unknown
Preview:	........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....L.....n...................................I...........Q...........q.......................T.................E.......................7.....~...........<.................:.....&...........F.................X...........$.................Z...........X...........m.................C.........................................{...........:.....a...................................8................._...........O.....}...................................$.....h.........................................2.............................3 ....e .....!.....!.....!.....".....".....#....W#.....#....{$....-%.....%.....%.....&....k'.....'....T(.....).....).....).....).....*....`+.....+.....+.....,....p-.....-....&....../...../.....0.....0.....1....o2.....2....73.....4.....4.....4....-5.....5....X6.....6.....6.....7.....8.....9

C:\Users\user\AppData\Roaming\GamePall\locales\bn.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1118348
Entropy (8bit):	4.2989199535081895
Encrypted:	false
SSDEEP:
MD5:	89A24AF99D5592AB8964B701F13E1706
SHA1:	2177122C6DCC20E1D07EF43AF5A112E8E5C6B95B
SHA-256:	5BDBBCD0D07B6AE3A7F96F07871EE541F4111D90D73FD6E112C5ABE040025C96
SHA-512:	60F6CD73BF35886EF54FA6200F86BCED78DD11F612C8071F63EB31108F109C166D45609879E8E5107024A025BAFCFCF1C80051B6D8FF650D92DCF17136384EB1
Malicious:	false
Reputation:	unknown
Preview:	........($..e.F...h.N...i._...j.k...k.z...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......#.....(.....0.....8.....=.....E.....L.....S.....Z.....[.....\.....a.............................=.....G...........?.....4...........................................................B.....}.....>...........k...........X...........].............................q.....W...................................W...........S...........e.............................I.....m.....e..........._.....(.................9...........q.................p...........5.....X.....8...........Q...........M...........I.....u.....-...........!.....G............ ..... ..... .....!....P".....".....".....#.....%.....%.....&.....'.....'....^(.....(....;).....).........6.....+.....+....1,....],....E-................-/...../....x0.....0.....0.....1.....2.....2.....3...."4.....4....x5.....5.....6....78....*9....]9.....:.....;....;<.....<.....=....?>.....>.....>.....?....y@.....@.... A....&B.....B

C:\Users\user\AppData\Roaming\GamePall\locales\ca.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	537139
Entropy (8bit):	5.397688491907634
Encrypted:	false
SSDEEP:
MD5:	37B54705BD9620E69E7E9305CDFAC7AB
SHA1:	D9059289D5A4CAB287F1F877470605ED6BBDA2C8
SHA-256:	98B2B599C57675EFC1456B38B23CE5657B142E0547F89AB1530870652C8EB4BA
SHA-512:	42D667FEB59BB5FA619AC43DC94629ED1157CBE602643FB21378A2C524EF1F6E32098E7C62D3F3DE35D9FEDEF6607FE034908601AE3C49156CD0916E2514D2F9
Malicious:	false
Reputation:	unknown
Preview:	........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....I.....c.....\|................._...........[.....z...........O.................D...........(.....G.................B....._.................A.....T.................8.....I...........3.....u...........(.......................p.................,.......................1.................T.....o.............................v.......................b.......................@.......................@.......................O.......................<.............................`.......................P.........................................M.......................H......................._.........................................n.......................Q.......................[.............................1.................>.........................................6.............................\|...........".....>.

C:\Users\user\AppData\Roaming\GamePall\locales\cs.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	545011
Entropy (8bit):	5.844949195905198
Encrypted:	false
SSDEEP:
MD5:	65A2C2A73232AB1073E44E0FB6310A5F
SHA1:	F3158AA527538819C93F57E2C778198A94416C98
SHA-256:	E9A1610AFFCA9F69CD651C8D2EDD71B5A0F82CB3910A8A9D783F68E701DB5BB0
SHA-512:	20ED527F3BBBA2CECE03D7B251B19D6DCC9D345B5425291D8139FCDD5646EC34D585891160CC4BD96C668D18FFFFDD56F4D159880CFC0D538749F429F7F65512
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.&...i.....j.:...k.I...l.T...n.\...o.a...p.n...q.t...r.....s.....t.....v.....w.....y.....z.....\|.....}.................................................#.....$.....%.....'.....7.....I.....[.....p.............................\|.................%...........(.........................................3......................./.......................2.......................z...........I.....k...........R.......................v................./.......................z...........=.....W.................&.....=....................... .....o.......................^.......................r.......................m.......................b.......................z.................0...........%.....i.......................3.....G.......................(.......................1.................R................./.....J.....^...........A.....q.................`.................,...................................V.....w...........Z.......................O.....t.................b.......

C:\Users\user\AppData\Roaming\GamePall\locales\da.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	496165
Entropy (8bit):	5.446061543230436
Encrypted:	false
SSDEEP:
MD5:	A44EC6AAA456A6129FD820CA75E968BE
SHA1:	9B5B17AFD57ADB8513D2DA9A72223E8A003975A5
SHA-256:	F01F9C3E4E6204425F2969F77BF6241D1111CE86CDD169BDF27E5D2D4B86C91A
SHA-512:	947DB81EA64009CC301CD2DCE06384202E56446F6D75E62390334B91D09B564CB0681E06BF7A945033BD6C28C2171346A91EE16693262C4E373A31B51AD42A9E
Malicious:	false
Reputation:	unknown
Preview:	........,$..e.N...h.V...i.g...j.s...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}."........../.....7.....?.....G.....N.....U.....\.....].....^.....`.....n.....~.........................................Q..................................q.................].......................P.....w.................8.....b.....p...........9.....h.................n.................7.......................^............................. .....p...................................q.......................X.......................1...............................................".............................{.......................Z.......................C.....p.....~...........y.................4.............................l.......................I.....f.....v...........^.................................................................F.......................B...................................O.....~...........J.....z.................$.....@.....M.................F.

C:\Users\user\AppData\Roaming\GamePall\locales\de.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	534726
Entropy (8bit):	5.49306456316532
Encrypted:	false
SSDEEP:
MD5:	49CA708EBB7A4913C36F7461F094886B
SHA1:	13A6B5E8DC8B4DF7A976A0859684DC0AA70F1B12
SHA-256:	8AE7D6B77C51A4FE67459860ABDAE463F10766FAF2BA54F2BB85FD9E859D2324
SHA-512:	6908F96BFDF7499B33E76697AA96103E89ACB3E25EDBD6156B610564AF14D4ED474C547A760503490B6327A801478E223039836BEEF2B938AF76827A15C0F751
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.~...h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.%...y.+...z.:...\|.@...}.R.....Z....._.....g.....o.....w.....~.................................................................X.................E...................................^.....x...........n................./.......................Z...................................U.....w.............................h...........&.....7...........9.....w........... ................. ..........._.................D.......................U.......................h...................................a.....x...........f.........................................F.......................u...........).....;...........j.................A.......................;.......................9.......................t...........,.....`...........-.....K.....b...........G.....s.................}.................T...........,.....6...........S................./.......................K.......................t...........*.

C:\Users\user\AppData\Roaming\GamePall\locales\el.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	950999
Entropy (8bit):	4.76377388695373
Encrypted:	false
SSDEEP:
MD5:	9CBC320E39CFF7C29F61BD367C0BF3BB
SHA1:	2AF07EFFF54A0CF916CF1C0A657F7B7ADF2029FF
SHA-256:	E8837DEFA908EB2FD8B4EB6344412C93403A4258F75EC63A69547EB06A8E53B3
SHA-512:	F7D84185F4520E7AAF3F3CACF38B53E9638BB7D5023FA244020EC8D141FFD5C10B198FF089824D69671FE8350F931B0BB19B6CAF14AF47B0838953367A146DD0
Malicious:	false
Reputation:	unknown
Preview:	........)$..e.H...h.P...i.X...j.b...k.q...l.\|...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...................&...........6.....=.....D.....K.....L.....M.....O.....v.......................5...................................V.................h...........F.....i...........~...........{...........a...........'.................&.......................M.....U.....O............................./.....J.....1..........._...........{.....6................. .............................g.......................<.................J...........8.....t.....O.....).......................U............................................................ ..... .....!.....!.....".....#.....$.....$.....$.....%....\|&.....&.....'.....'....;(....t(.....(....M).....)....;....h....U+.....,.....,.....,.....-....8.....t...........f/....(0.....0.....0.....1....S2.....2.....3....64....Q5.....6....@6....A7....(8.....8.....8.....9.....:....o;.....;....[<....%=.....=.....=.....>.....?....6@

C:\Users\user\AppData\Roaming\GamePall\locales\en-GB.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	430665
Entropy (8bit):	5.517246002357965
Encrypted:	false
SSDEEP:
MD5:	0F1E2BC597771A8DB11D1D3AC59B84F3
SHA1:	C1F782C550AC733852C6BED9AD62AB79FC004049
SHA-256:	E4798E5FF84069C3BFD7D64734CCD9FF5C8A606315B44A714ACDCABDDAF3CA6E
SHA-512:	07E9B98357C880995576059AD4E91E0F145DC0F2FFF2DFDAD8649FA42EB46FA86F7F093503C41019EAD4550784E26C553D171518355FBBF995E38B1F6D7ABFF0
Malicious:	false
Reputation:	unknown
Preview:	.........$ .e.(...h.0...i.>...j.J...k.Y...l.d...n.l...o.q...p.~...q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.....................................%.....,.....3.....4.....5.....:.....G.....V.....f.....w...........J.......................H.....y.................I.......................@.....o.......................?.....M............................._.......................B.......................8.............................[............................V.....a................l............................. .....^.............................A.....b.....n.................H.....[.......................+.....t.......................5.....y.......................:.....c.....n...........'.....d.....y.................).....?.............................G.............................].......................4.....O.....^.................6.....F.................#.....;.................V.....d...........$.....[.....x.................F.....U.............................k.............

C:\Users\user\AppData\Roaming\GamePall\locales\en-US.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	434598
Entropy (8bit):	5.509004494756697
Encrypted:	false
SSDEEP:
MD5:	FEAB603B4C7520CCFA84D48B243B1EC0
SHA1:	E04138F1C2928D8EECE6037025B4DA2995F13CB4
SHA-256:	C5B8FBDBB26F390A921DCACC546715F5CC5021CD7C132FD77D8A1562758F21F4
SHA-512:	E6B3970A46D87BFD59E23743B624DA8116D0E1A9912D014557C38FD2664F513E56317AFA536DF52E7E703863FBD92136BE57EE759A2FFC2958AB028F6287E8B7
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.,...y.2...z.A...\|.G...}.Y.....a.....f.....n.....v.....~.................................................................G.......................\.......................Q.......................T......................./.....t.......................7.....^.....k.................".....9.................!.....9.............................i.......................7.......................!.............................K.....f.....u.............................Y.............................k.......................G.....t.......................7.....B.............................J.......................$.....~.......................^.............................=.....R.............................q.......................X.............................X.......................7.....o.................X.......................k.......................a.......................!.....C.....S.................,.

C:\Users\user\AppData\Roaming\GamePall\locales\es-419.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	524728
Entropy (8bit):	5.377464936206393
Encrypted:	false
SSDEEP:
MD5:	32A59B6D9C8CA99FBD77CAA2F586509A
SHA1:	7E8356D940D4D4CC2E673460483656915AA59893
SHA-256:	AA4A5AA83DD5F8476867005844F54664DB1F5464A855EF47EC3A821DAF08E8F2
SHA-512:	860BA06228BBA31EEC7EB8BD437DDB6E93BABD0129033FB6EFF168F2FB01B54E2B93D2AB50A5D4F5D2FB7B04A5D0DD5541999D708CC2613B74AADD17B3E98735
Malicious:	false
Reputation:	unknown
Preview:	........5$..e.`...h.h...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....j.....\|.......................J...........>.....Y...........1.....v..........."...................................L.....g.................4.....G.................,.....=...........7.....}...........6...................................6.....I.................\.....s..........._.................Z...........2.....Y.......................:.......................".......................0.................R.....e...........).....g.....s.................P.....[.................4.....>.................L.....\...........O.................!.....v.................+.....x.................i.................:.................2.......................!.......................0.................I.....c...........x.............................B.....p...........V.......................G.....j.....}...........n.............

C:\Users\user\AppData\Roaming\GamePall\locales\es.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	523181
Entropy (8bit):	5.356449408331279
Encrypted:	false
SSDEEP:
MD5:	3D1720FE1D801D54420438A54CBE1547
SHA1:	8B1B0735AE0E473858C59C54111697609831D65A
SHA-256:	AE32D66C0329104B9624BA0811FE79149D1680D28299440EC85835DBA41C7BD2
SHA-512:	C033BBB5261EC114DCB076EDB5E4B3293F37D60C813674A947F996606A6289204C04D2E4315356D92EEEB43FF41D534997DBEBBF960B17F2F24AA731AFE4B7E1
Malicious:	false
Reputation:	unknown
Preview:	........5$..e.`...h.h...i.p...j.\|...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.+.....3.....8.....@.....H.....P.....W.....^.....e.....f.....g.....i.....\|.......................O...........G.....b...........D.................0........... .....:.................Y.....t.........../.....^.....n...........0.....X.....i...........c.................W...................................I.....Z................f.....{...........o.................g...........+.....P.................8.....N.................".....1......................@.................?.....R.................;.....G.................%.....0.............................y...................................D.....^.................@.....].................5.....T...........;.....`.....s...........h.................M.......................A.......................W.............................&.................)...................................A.....U................. .....3.................D.

C:\Users\user\AppData\Roaming\GamePall\locales\et.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	475733
Entropy (8bit):	5.456553040437113
Encrypted:	false
SSDEEP:
MD5:	C00D66D3FD4FD9D777949E2F115F11FB
SHA1:	A8EAAD96CABCDFB7987AF56CB53FA5E16143EC48
SHA-256:	26C438935E3F666329EE8D1DABA66B39179BCF26EBAC902F9B957A784BDC9B4A
SHA-512:	E7E8C083B556DD05874AC669B58A4D1CD05D1E1B771EB4C32942869E387C6FA2B317B5F489138BD90135117DAEB051D96A7823B531DF0303BD4245A036F25A20
Malicious:	false
Reputation:	unknown
Preview:	........@$y.e.v...h.~...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.#...z.2...\|.8...}.J.....R.....W....._.....g.....o.....v.....}.....................................................S...........J.....e...........4.....d.....w...........Y.......................u.......................m.......................\.......................[.........................................7.......................;.......................K.......................x...........;.....R.................9.....T................. .....,.............................w...........#......................./.....=.................'...../.................".....1.................$.....,.................O.....g.................4.....J.................,.....O.................4.....A.................=.....i.................&.....7.................#.....;.................?.....Z...........U.................C...................................@.....M...........................................

C:\Users\user\AppData\Roaming\GamePall\locales\fa.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	773397
Entropy (8bit):	5.04618630633187
Encrypted:	false
SSDEEP:
MD5:	C998140F7970B81117B073A87430A748
SHA1:	8A6662C3AABDAC68083A4D00862205689008110C
SHA-256:	182F18E4EFCA13CA59AFD1DF2A49B09733449D42526EE4700B11A9C5E6AAC357
SHA-512:	5A947A44F674F9556FDD44D2E4FF8CF0E0AAC4475FFA12480CA1BD07CFE7514961B7CACE6760189432B4B4BEB5EA5816701158EB3CB827A806F3063853C46D5E
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.#...s.4...t.=...v.R...w._...y.e...z.t...\|.z...}...............................................................................-.....T.....9.......................^...........u..........._.............................H.................a...........S.....f...................................?.................j..........._.............................'...........f.......................I.......................v.............................Q.....u...........}.................S...........).....@...........x.................m...........M.....d...........p.................H.................:...........`.................`...........l...............................................s...........C...........0.....P.......................;...........1 ....V ....q ....+!.....!....'"....I"....."....\|#.....#.....#.....$.....%.....&.....&....j'.....(....l(.....(....W).....)....M....p.....*....n+.....+.....+....d,.....-....P-....x-

C:\Users\user\AppData\Roaming\GamePall\locales\fi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	483378
Entropy (8bit):	5.428549632880935
Encrypted:	false
SSDEEP:
MD5:	1CFD31A6B740D95E4D5D53432743EBF1
SHA1:	20CEEEA204150BD2F7AAE5866C09A3B0AE72D4C5
SHA-256:	F821E06B4BACD9E7660A2D6912A049591FFD56C6D2A0A29B914648589B17B615
SHA-512:	C483B7347F91BE8EE515DCF352A1D7502B9A159EDE35EACCEBAA763B93A625BCE2D0C7D598C2A6111092257D6DAC7A167102E956697210D4694B9812D70C8A94
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.%...v.:...w.G...y.M...z.\...\|.b...}.t.....\|.....................................................................................................^.....q...........7.....j.....}...........Z.......................~.......................s.......................D.....d.....t........... .....F.....`...........C.......................Q.....}.................S.......................T.........................................E.............................k......................./.....P.....\.................).....3.............................p.......................L.......................0.......................%.......................B.............................g.......................e.......................d.......................M.....d.....s...........*.....T.....f...........".....[.....u...........x.................I.......................Y.......................4.....v.......................S.....~.

C:\Users\user\AppData\Roaming\GamePall\locales\fil.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	546749
Entropy (8bit):	5.197094281578282
Encrypted:	false
SSDEEP:
MD5:	6EDA0CD3C7D513AAB9856EC504C7D16F
SHA1:	BA24C4B994E7866F2C012CCEC6C22DFC1A4FCFF6
SHA-256:	3CD2BC9E887663C5E093E0334BC60CF684655A815E3DE7AD9A34BAD5EBB858B1
SHA-512:	47000F5EA882CB9EDDCF4FB42ED229423EE55AA18B4A4353D7EF85ADFA7E1B0BBB33C2469887224D7146B3E33FB2296749CD053D68D7DAF26980BC710A27C63E
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.@...h.H...i.^...j.j...k.y...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......!.....&...........6.....>.....E.....L.....S.....T.....U.....Z.....g.....\|.................K...........:.....X...........O.................Q...........>.....e...........Z.......................~.................%.......................h.................H...........^.................M.................!.................H.....b...........].................V...........B.....d...........#.....N.....k.................A.....N.................,.....;.................S.....i...........5.....k.....z...........=.....o.....}...........>.....o.....}...........@.....r...................................R.......................L.......................<.......................e.................U.................F.....`...........>.....q.........................................%.................4.................4.................J.....b.................B.....X...........N.......

C:\Users\user\AppData\Roaming\GamePall\locales\fr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	568277
Entropy (8bit):	5.380723339968972
Encrypted:	false
SSDEEP:
MD5:	D185162DF4CAC9DCE7D70926099D1CF1
SHA1:	46594ADB3FC06A090675CA48FFA943E299874BBD
SHA-256:	E40C07183A32B75930242F166C5AAE28F4CD769BB2268391BEAA241814E7D45A
SHA-512:	987D9CC6AD5F2ED6A87537FDADF105F6EB31A97B11156E70814FE021047E5D8D08398F008812038DF3CCDCB6254BF5B744D9982FE04F79D407AC2F53BB046E25
Malicious:	false
Reputation:	unknown
Preview:	.........$..e. ...h.(...i.9...j.E...k.T...l._...n.g...o.l...p.y...q.....r.....s.....t.....v.....w.....y.....z.....\|.....}..................................... .....'.........../.....0.....2.....B.....P.....b.....q.................6.....X...........?.................'.................(.................W.................4.....`.....p...........D.........................................{...........(.....L...........*.....i.....{...........S.........................................}...........i.................N.......................H.....r.................N.......................f.......................}.......................x.......................e.......................d.................+.................&.......................8.....~.......................k.................0...........;.......................f.........................................d.................6...........4................."...................................R.....k.................G.....[...........G.......

C:\Users\user\AppData\Roaming\GamePall\locales\gu.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1103776
Entropy (8bit):	4.336526106451521
Encrypted:	false
SSDEEP:
MD5:	44F704DB17F0203FA5195DC4572C946C
SHA1:	205CBCC20ADCCCF40E80AA53272FBA8CD07389CA
SHA-256:	4B073F08F0C8C035974B5EC43AA500F8BDD50E6CFE91A2FB972A39E0F15ECEDD
SHA-512:	3CFD4501556845141EE9B461C831CA59779AD99F0E83E8D03433DE78D774378E87DE752DD9711C112A0C584259AD1DA6DC891D92F3F447F63A4D84263CD5BFCE
Malicious:	false
Reputation:	unknown
Preview:	........4$..e.^...h.f...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.#...\|.)...}.;.....C.....H.....P.....X.....`.....g.....n.....u.....v.....w.....\|.......................&.....b....._.....0.....l....._..... ...............................................a.......................G.................r...........\.....\|....._...........z.......................V...........n.....B...................................7.....4...../.......................".......................4.....p...........P...........E.....m.......................................................................'...........}.......................C.................j .....!....u!.....!.....".....#....\$.....$....K%.....%....R&....{&.....'.....'.....'.....'.....(....b).....).....*....'+.....+....t,.....,.....-....9.....\|............/....W0.....0.....0.....1.....2....33....f3.....4.....5.....6.....6.....7.....8....<9.....9....\|:....H;.....;.....;.....<....s=.....=.....=.....?.....?.....@

C:\Users\user\AppData\Roaming\GamePall\locales\he.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	681555
Entropy (8bit):	4.658620623200349
Encrypted:	false
SSDEEP:
MD5:	E75086A24ECAA25CD18D547AB041C65A
SHA1:	C88CE46E6321E4A21032308DFD72C272FB267DBD
SHA-256:	55BE8A5ED9FB9C129AC45B7FC99574B9907350AFD024BAA5D07525F43E995F6B
SHA-512:	01D7FDD90B8D0D3779B8442250E2AA767481B2E581F880BF9C3DCBB15FCE52E477B1881F3704FBCB3172DB77DB10241BCB24851BFE30066D1E9B66244B3C6877
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i.....j.'...k.6...l.A...n.I...o.N...p.[...q.a...r.m...s.~...t.....v.....w.....y.....z.....\|.....}.........................................................................+.....D.....].....z.....?...........~...........).............................O.................T...........#.....E...........:.......................w.................W................./...........F.................V...........5.....T...........K.................3.............................o...................................E.........../.....a.....t.............................z...........,.....?...........5.....v.................q.................5.......................r.................1...........X.................I.......................y.................$.................k...........).................!.......................#.................7.....P...........e.......................e.............................w...........W ..... ....$!....K!.....!....7"....g"....."....@#.....#....-$

C:\Users\user\AppData\Roaming\GamePall\locales\hi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1167065
Entropy (8bit):	4.308980564019689
Encrypted:	false
SSDEEP:
MD5:	1FF8A0B82218A956D2701A5E4BFA84EF
SHA1:	56BB8218963E14ADCC435F2455891F3A0453D053
SHA-256:	62E7C3ABC317931723BE11ADD3712DD15EAAB0A35A4D8E7DB0B6347104EC5733
SHA-512:	3330D983401953AA5ED4856A8D10FFCBEEFC2A4E594CF850566A0AD38837BC1164870BB1270B6BBE5D7DD6FB1ECA29CDE85869A5C51808B901CDC282E04764E4
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.%...n.-...o.2...p.?...q.E...r.Q...s.b...t.k...v.....w.....y.....z.....\|.....}...............................................................................?.....j.............................................../.....j.........................................N.....}.....P...........^...........F...........A.....d.....K...........N.............................L.....&...........V...........f...................................L.....~.................{.................A.................y..........}...........;........................................[.................,.....K...................................j ..... ..... .....!....J".....".....".....#.....$....T%.....%....@&.....&....8'....d'.....'.....(.....(.....(.....)....6..........*.....+.....,.....-....c-......................%/.....0.....0.....1.....1.....2....i3.....4....B4.....5.....6.....7.....7.....9.....9....S:.....:.....;.....<....F=.....=.....>....N?.....?.....@.....@.....A....LB

C:\Users\user\AppData\Roaming\GamePall\locales\hr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	526575
Entropy (8bit):	5.518614920030561
Encrypted:	false
SSDEEP:
MD5:	0BD2F9847C151F9A6FC0D59A0074770C
SHA1:	EA5313A194E9D99489E9F1D7B4DFC0BC986C8E17
SHA-256:	5F2F1AA2E2EC78F375084A9C35275E84692EE68A1E87BBEF5A12A2C0FCF7F37A
SHA-512:	0032C0B41FDF769DAA1AF23C443D4195B127DF9EA8621174F1AABDBAFAE4954383095FA1EEAD14FC458188B8837BBE9AECA0D5338E4D47F10D976FBED8609496
Malicious:	false
Reputation:	unknown
Preview:	........F$s.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.)...y./...z.>...\|.D...}.V.....^.....c.....k.....s.....{.................................................................k...........Y.....z...........F.....~...................................e.......................y.......................m.......................l................. .................q................._.........................................A.............................4.......................j.......................D.....f.....w.................*.....:.................4.....I.................&.....5.................8.....M................. .....0.........................................S.....n.................0.....M.......................3....................... .................E.....v...........!.....F.....\...........).....[.....t...........U.................M...........(.....:...........".....`.................G.....v.................$.....B.....T...........0.....n.

C:\Users\user\AppData\Roaming\GamePall\locales\hu.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	566819
Entropy (8bit):	5.6387082185760935
Encrypted:	false
SSDEEP:
MD5:	4C27A1C79AB9A058C0A7DFFD22134AFD
SHA1:	5F0A1B34E808B91ADB1E431E462D9FCF82F4FFF2
SHA-256:	AD98C0A367B51EB217E69D66FA6A946946E85EC8452FC5A7AE0F179F35BE28C3
SHA-512:	0F066DB5905EB24B6CB4FBC7C81F017B43AFB7A6E975886644D871E979406B990509905D100653496EE2D20969A77434B702FF1EA5D348274AE54EA597A91D5E
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i.!...j.+...k.:...l.E...n.M...o.R...p._...q.e...r.q...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................+.....A.....V.....j.................9.....W...........N.............................................".....X.....q...........K.....r.................Y.................?................."...........I.................7.......................k...........'.....7...........:................./.................:.................Z.....w...........O.....v.................f.................5.................(...........2.....u...................................M.................0...........6.....x...................................m.................)................. .....I.................O.....g...........c.................O.......................E.......................r...........'.....H...........v.............................l...........7.........................................5...........& ....q

C:\Users\user\AppData\Roaming\GamePall\locales\id.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	466959
Entropy (8bit):	5.379636778781472
Encrypted:	false
SSDEEP:
MD5:	1466C484179769A2263542E943742E59
SHA1:	18E45A08661FD6D34BADE01CDB1E1D5184BA2B67
SHA-256:	C331293D16B16B08DEF73BE73437845D58C593941320C547A377DB423749AEBB
SHA-512:	ABC54D5CAAA663578F064E43CC0465BEB97EFC46991936708EBF3FCD64BD007E47072AB4834A5361B21F064BB0F6527E247BC2C2F0DFB8336F50C2FF3E15A59C
Malicious:	false
Reputation:	unknown
Preview:	........ $..e.6...h.>...i.O...j.[...k.j...l.u...n.}...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................'...../.....6.....=.....D.....E.....F.....H.....V.....c.....s.................k................. .....l.......................l.................-.......................0.............................R.....s.................I.....x.................T.......................@.....j.....w.................L.....Y.................Z.....m...........H.......................%.....@.....Q.............................c.......................<.......................#.....t.......................L.....x.................%.....R.....^.................>.....K.................5.....G.............................J.......................".....h.......................L.....}.................#.....=.....K.................+.....:.................2.....K...........C.......................u.................,.....\|.......................C.....b.....r...........1.....h.

C:\Users\user\AppData\Roaming\GamePall\locales\it.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	522800
Entropy (8bit):	5.284113957149261
Encrypted:	false
SSDEEP:
MD5:	7767A70358D0AE6D408FF979DF9B2CD4
SHA1:	9C57A5B068DC12AAF1591778DEF5D3696377EDAB
SHA-256:	672908E77E9EACA793654C8E630442099DE3BE772FD3230A9C4045CAFBCC0B1E
SHA-512:	913AA8C49D04CD84706D08A88453D1ED36FDE6A00F7C1DF63DECEA99316A8A234924457C0C50937329B3979E437B1C2D7796E63ADF209505E212FDCEAE3BFDB5
Malicious:	false
Reputation:	unknown
Preview:	........-$..e.P...h.X...i.i...j.u...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.$.....,.....1.....9.....A.....I.....P.....W.....^....._.....`.....b.....u.......................E...........3.....O.................V.....g..........._.................o...........#.....L.............................k.......................n.................2..................................w.................5.......................R...................................c................./.....[.....y.................=.....K.............................x..............................................`.......................4.............................^.........................................B.............................F.....\.....r........... .....L.....a...........=.......................b.......................8.....c.....v...........[.................c...........S.....j...........d.................[.................).....v.......................X.............

C:\Users\user\AppData\Roaming\GamePall\locales\ja.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	634636
Entropy (8bit):	5.718480148171718
Encrypted:	false
SSDEEP:
MD5:	4A4AF69546DCF65F2D722A574E221BEA
SHA1:	EE51613F111CF5B06F5605B629952EFFE0350870
SHA-256:	7AD195AF107F2A394BAB527C3E84E08F3B7748076F23459F084CF0E05DD29655
SHA-512:	0E93F6B22F7C9176EFC9D49901BFBD281FA5AC3632780DFA76CE597CADD8C1CF570A9163A86BC320BBFBD354F48288DBEC5E36A6088999B00A3561D302A96D03
Malicious:	false
Reputation:	unknown
Preview:	........n#K.e.....h.....i.....j.....k.....l.....m.....o.%...p.2...q.8...v.D...w.Q...y.W...z.f...\|.l...}.~...............................................................................................6.....W...........}.................l........... .....8...........c.......................B.................W.......................x...................................7.....V...........e.................=.......................].......................{...........#.....2...........y.................`...................................<.....W...........j.................y...........e...................................h...........(.....:...........%.....a.....p...........{.................}...........m..................................._...................................Z.....x.............................o...................................:.....U................d.....z....."................?...........X.................`.................@.................g............ ..... ..... .....

C:\Users\user\AppData\Roaming\GamePall\locales\kn.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1256908
Entropy (8bit):	4.247594585839553
Encrypted:	false
SSDEEP:
MD5:	6A41A5AB03A22BDAEC7985B9A75EC11A
SHA1:	6BB02DF557BD6522E02FE026C0243BEB9332B2E5
SHA-256:	E22873652AC7D9D18E47DAE838D121B5644EDA4C67F7B0BC110733BF7E931FEA
SHA-512:	BCA661D802D29463A847AC77EB8D5DFA41C31455E7314049CA26555957DCA3BE33701C074F7ED26D2C375A0A9C5F8A93461007B8D74F5ED3BD27C02E5DB170A5
Malicious:	false
Reputation:	unknown
Preview:	........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...\|.V...}.h.....p.....u.....}.................................................................W...........".....V.....W...................................n...........b............................._.......................<.....)...........s.......................).............................1.....7...................................[......................................................................u...........f...........K.....^........................ ..... .....!..../"....i"....=#.....#....r$.....$....I%.....%....l&.....&....p'....((.....(.....(.....)....N...............,.....-.....-................./.....0....W0.....0....z1.....1.....1.....2....Y3.....3.....4....@5.....6.....6.....7.....8.....8.....9....V9.....:....R;.....;....1<.....=....B>.....?....]?.....@....DB....BC....wC.....D.....E.....F....$G....\H....AI.....I....4J.....K.....K.....L....PL.....M....lN.....O

C:\Users\user\AppData\Roaming\GamePall\locales\ko.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	532715
Entropy (8bit):	6.0824169765918725
Encrypted:	false
SSDEEP:
MD5:	5FD9942F57FFC499481947DB0C3FDFA7
SHA1:	4D60AB21305902877467FF6151C1B7AB12553AAE
SHA-256:	09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
SHA-512:	97953E580588C07769F1BD0002E2DF648FFCE5B246D2359E4475EDCFA1CD6E7286BAF168A115D7A65686B2151C313B6FD0C271E40B1F9DD4132F2F39904FE8D4
Malicious:	false
Reputation:	unknown
Preview:	........O#j.e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....r.....s.....t.....y.#...z.2...\|.8...}.J.....R.....W....._.....j.....r.................................................................].................5.................O.....b...........F.......................p.................'.......................,.......................;.......................L.......................e.......................Y.......................X...................................Q.....h.................>.....U................. .....0.........................................-.....I.................A.....Q.................L....._.................K.....[.................J.....Z...........O.......................Z.....{.................U.....}.................`.................%.......................J.............................h.......................\.................+.......................m.........................................'.............................x.........................

C:\Users\user\AppData\Roaming\GamePall\locales\lt.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	573015
Entropy (8bit):	5.63016577624216
Encrypted:	false
SSDEEP:
MD5:	8745B87D09D9ECC1112C60F5DD934034
SHA1:	2F411E4EEF0E656CAC0C755FECE1AD2531CB689E
SHA-256:	D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
SHA-512:	27B658C153A01AABB9595C5B1059567E535EDFC8F8187B89316D2C85694DE32696D209CFDD2A32C4826DFB1E50AC692937156563EE190E68DB358C40F9AAE15F
Malicious:	false
Reputation:	unknown
Preview:	........+$..e.L...h.T...i.e...j.q...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}. .....(.....-.....5.....=.....E.....L.....S.....Z.....[.....\.....^.....l.....y.................4...........".....=...........S.................M...........'.....A...........8.....p...................................A...................................B.....g...........z.................R...................................;.....K...........c.................T...........2.....P...........2.....Y.....t...........W.........................................E...................................D.....S...........Q.........................................S.............................B.................&.......................t...........1.....Y...........K.................+.........................................'...........N.................A.................,...........q.................d...........&.....F...........x.................(.......................H ..... .....!

C:\Users\user\AppData\Roaming\GamePall\locales\lv.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	570683
Entropy (8bit):	5.624052036286866
Encrypted:	false
SSDEEP:
MD5:	E16B0B814074ACBD3A72AF677AC7BE84
SHA1:	10744490B3E40BEB939B3FDCA411075A85A34794
SHA-256:	46B5C09AA744AF0F660C79B0CDBDE8C8DBDD40A0BA1A23AAF28D37ECC4211DC5
SHA-512:	70EA9DFAC667C0992AE0E95815A47EB8E779BAAE1215E733AFE84EEE26D3BA754AD838C12E9AEE3114D7BBE11CD21B31C550F5CAFE6C5E838B69E54C6174EF18
Malicious:	false
Reputation:	unknown
Preview:	........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...\|.V...}.h.....p.....u.....}...................................................................................Z.................G.................%...........Z.................F.................6.................Q.....\...........Q.........................................\|.....#.....t...................................W.................0...........T.................B...........8.....Y...........$.....J.....`...........-.....V.....h...........;.....b.....v.............................G.......................r.........../.....>...........'.....Z.....k...........c.................@...........3.....K.................).....>...........=.....t.................c.................(.................2.......................8...........<.....q.........................................:.................8...................................N.....^...........0.....K.....m............ .....

C:\Users\user\AppData\Roaming\GamePall\locales\ml.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1307271
Entropy (8bit):	4.279854356980692
Encrypted:	false
SSDEEP:
MD5:	309E068B4E15157486D095301370B234
SHA1:	D962CDAF9361767045A928966F4323EAD22D9B37
SHA-256:	4F2C19B7E94B695C5C5CAB95DEE6E49AE53C3337C351B5C665BCB6BA4E6AE909
SHA-512:	6B1333946C7950D97D2DF29D063DB39A0EC5C0EEAA1ECA40743E4A6A0E4C972D897D3FF2BA837B53E31B8003F2C5C4BACCB7A4AB4B50C6CB47DF39AD7B8E05E7
Malicious:	false
Reputation:	unknown
Preview:	........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.,...w.9...y.?...z.N...\|.T...}.f.....n.....s.....{...........................................................$.....d.................Z.....C.......................W...........%.....r.....a.......................}.................n...........................................................I.................m.......................l.......................5.....y.............................^.............................j.......................\|............ ..... .....!.....!....".....#.....#....V$.....$....n%.....&.....&.....&.....'....n(.....(.....)..........*....W+.....+....c,....+-.....-.....-...........0.....0.....1.....1.....2....!3....Y3.....4.....4.....5....T5....06.....6.....7.....7.....9.....9.....:.....;.....;.....<.....=....Z=....\|>....s?.....@....T@.....A....UB.....C....SC.....D.....E....yF.....F.....G.....H.....I.....I....-K....(L.....L.....M.....N.....N....eO.....O.....P.....Q.....R

C:\Users\user\AppData\Roaming\GamePall\locales\mr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1075591
Entropy (8bit):	4.313573412022857
Encrypted:	false
SSDEEP:
MD5:	69C36C23D6D9841F4362FF3A0F86CFDF
SHA1:	C4C1F632EB8373107AEEBD6C26ECF036AEDA2B6B
SHA-256:	6A794C2B08F8B046BE771DF33719536BDAF2371E3825D49A0E556958B781832D
SHA-512:	8C1329BDB371677BC0A9D727A38591EDF32025BAE1E7EFE402D01C6A8BB5F647D827C59A18F40455D5C9C0482798525C98C3F1C8AC568AA886D7C1ED07D1580E
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i."...j.....k.=...l.H...n.P...o.U...p.b...q.h...r.t...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................@.....b.................%.....]...........W.................J.............................:.....@.....=...................................&.................&.....F.....P.......................h...........o...............................................c...................................R..........._.................i...............................................J.................. .....!.....!....(".....#.....#....O$....{$....B%.....&....c&.....&....F'.....(...._(.....(....R).........y.....*.....+.....-.....-................./...../...../.....0....61....l1.....1....Z2.... 3.....3.....3.....4.....5.....6.....6.....7.....8.....9....E9....u:....n;.....;....@<.....=....O>.....?....5?.....@.....A.....B.....B....MD....WE.....E....eF....nG....LH.....H.....H.....I.....J.....J.....K....5L....)M.....M

C:\Users\user\AppData\Roaming\GamePall\locales\ms.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	489457
Entropy (8bit):	5.250540323172458
Encrypted:	false
SSDEEP:
MD5:	A1253E64F8910162B15B56883798E3C0
SHA1:	68D402D94D2145704DC3760914BF616CC71FC65D
SHA-256:	E033BFAD6CD73EA7B001DFAF44B7102E3BBE2A1C418F005C149E4FB2565DB19F
SHA-512:	ABD63713093049ECC8E24FD8145EAE065340058A3C38758A59EE8796FBED7E6CFBC54982D650889F1CEB54797060C7DDA12EEE2A963B14C5E907A110C2057DBE
Malicious:	false
Reputation:	unknown
Preview:	........T$e.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v./...w.<...y.B...z.Q...\|.W...}.i.....q.....v.....~........................................................................................._.....{...........:.....n.....~...........\.................#.......................=.......................1.......................3.......................Y.................*.....z.......................W.......................E.......................b.........../.....A.............................N.......................$.....x.......................r.......................z.......................p.......................^.......................Q.......................r.................!.....s.......................S.....w.................6....._.....p.................T.....w.......................#.......................$.................2.....K...........B.......................s.................,.............................P.....r.................0.....].

C:\Users\user\AppData\Roaming\GamePall\locales\nb.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	476208
Entropy (8bit):	5.4272499712806965
Encrypted:	false
SSDEEP:
MD5:	622ED80836E0EF3F949ED8A379CBE6DF
SHA1:	9A94CD80E747B88582470EF49B7337B9E5DE6C28
SHA-256:	560B2F09C1B6E6BB7E6A5A5F9BF85A88BD2ACA054B7D4A5955D9C91B6D7CA67C
SHA-512:	950627E74180E1451BB35AE4A7416AC14D42D67BBBB59DC51D7B69E4CEB61715F8F9B0EB9D7F35FCEFD4D43FABE5CE2103F1AF3709CAE6733C25AC19E6339A83
Malicious:	false
Reputation:	unknown
Preview:	........2$..e.Z...h.b...i.y...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.....}.......................N...........A.....V.................X.....k...........z.................K.......................L.......................:.......................;.......................g................./...........<.........................................R.................1...........Q.......................\.....u.................1.....V.....f.................9.....I.................H.....\.................J.....Z...........".....T.....d.................@.....P.................<.....J...........4.....y.................B.....h.....{...........&.....E.....^.................-.....?...........,.....k.................V.....\|.................b.......................i.................&.......................s...........9.....b...........*.....V.....i.................".....0.................).

C:\Users\user\AppData\Roaming\GamePall\locales\nl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	491139
Entropy (8bit):	5.362822162782947
Encrypted:	false
SSDEEP:
MD5:	C8378A81039DB6943F97286CC8C629F1
SHA1:	758D9AB331C394709F097361612C6D44BDE4E8FE
SHA-256:	318FB294CE025BDA7636B062CA7B6A1FB1E30C485D01856159CB5DB928782818
SHA-512:	6687FFE4DE0D5A2314743EB3134096292724163D4E0332D2F47922B4807B0CDE7C20E2D57D2662E403D801BC7A20BC247F5D0EDD787AB650E5766B49AF7D3C63
Malicious:	false
Reputation:	unknown
Preview:	.........$..e....h.2...i.C...j.O...k.^...l.i...n.q...o.v...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................#..........1.....8.....9.....:.....<.....H.....X.....i.....{.............................X.......................\|...........4.....J.................M.....d.................8.....G.......................).................8.....Y...........1.....h.................F.....{.................U.........................................\.................4.............................Y.......................-.....~.......................}.......................v.......................V.......................5.....a.....n...........*.....^.....m...........I.......................X.......................>....._.....v...........,.....T.....f...........8.....o.................=.....[.....o...........3.....e.....v...........H.....................................................E.....j...........5.....f.....{.................B.....R.................B.

C:\Users\user\AppData\Roaming\GamePall\locales\pl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	550453
Entropy (8bit):	5.757462673735937
Encrypted:	false
SSDEEP:
MD5:	80C5893068C1D6CE9AEF23525ECAD83C
SHA1:	A2A7ADEE70503771483A2500786BF0D707B3DF6B
SHA-256:	0069648995532EFD5E8D01CC6F7DD75BD6D072E86C3AE06791088A1A9B6DACC4
SHA-512:	3D1C41A851E1CF7247539B196AD7D8EE909B4F47C3CFB5BA5166D82CDA1C38049B81A109C23FA6D887490E42EE587CC2A6BD96A3EA890267C089AC74710C755F
Malicious:	false
Reputation:	unknown
Preview:	........6$..e.b...h.j...i.{...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.............................X...........S.....o...........=.....w...................................i...............................................z.................$.................1.....W...........M.................*.......................@.......................l...........0.....L...........].................9.....v.......................E.....h.....x.................,.....:.................<.....P.................>.....P.................6.....F.......................-.........................................e.....}.................4.....K.......................;.................+.....@.................a.................+.....I.....`.................9.....U...........2.....}...................................w...........'.....R.................9.....J.............................v.............

C:\Users\user\AppData\Roaming\GamePall\locales\pt-BR.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	516256
Entropy (8bit):	5.426294949123783
Encrypted:	false
SSDEEP:
MD5:	3BA426E91C34E1C33F13912974835F7D
SHA1:	467A1B05BAD23252A08EE22E6B9EBB4404F6A0F0
SHA-256:	CB66D88D3B3938FE1E42C50ECB85CEDB0D57E0F0AB2FA2A5FC0E4CDEA640E2B7
SHA-512:	824A4301DC4D935FF34CE88FAA0354440FC1A3A8E79B0F4B0B2DCC8F12542ECEF65828FB930EDF5B35BF16863296BBAE39E9306962B4D3CFA9F6495AC05BDEF4
Malicious:	false
Reputation:	unknown
Preview:	........9$..e.h...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.$...\|.*...}.<.....D.....I.....Q.....Y.....a.....h.....o.....v.....w.....x.....}.............................d...........L.....h.........../.....h.....x.............................w.................(.....y.......................^...................................:.....j..........._.................:......................._...................................K.....d...........p.................5.............................q.......................n.......................w.......................p.......................O.....}.................).....W.....a.................V.....g...........b................. .....j.......................;.....a.................=.....U...........N.................2.....W.....p...........8.....p.................S.................@.................0...........1.....{.................X.......................0.....V.....k...........C...................

C:\Users\user\AppData\Roaming\GamePall\locales\pt-PT.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	518861
Entropy (8bit):	5.4029194034596575
Encrypted:	false
SSDEEP:
MD5:	4D7D724BE592BD0280ED28388EAA8D43
SHA1:	8E3C46B77639EB480A90AD27383FBB14C4176960
SHA-256:	4724D82866C0A693C2B02D1FFA67D880B59CDB0D3334317B34EC0C91C3D3E2A2
SHA-512:	D05388F66C50E039F7D3393515740F6B2593F9C0EF8651F9CDE910C5FF06656E0D22FDB066B22665289EE495837EA16CC085ECB3F85B0F6FB498AECDAA19ADF7
Malicious:	false
Reputation:	unknown
Preview:	........I$p.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v."...w./...y.5...z.D...\|.J...}.\.....d.....i.....q.....y.......................................................................u...........Z.....u...........@.................).................$.................S.....w.................D.....T.................(.....:...........(.....j.................x.................H.......................g...................................9.....N...........D.......................p.......................^.......................a.......................q.......................r.......................U.............................[.....e.................P.....a...........?.......................O.....y.............................?.................0.....J...........#.....p.................9.....c.....u...........#.....Y.....n.........../.....}...............................................G.....k...........N.......................B.....g.....\|...........J.......

C:\Users\user\AppData\Roaming\GamePall\locales\ro.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	537125
Entropy (8bit):	5.4566742297332596
Encrypted:	false
SSDEEP:
MD5:	4F1C0A8632218F6FEF6BAB0917BEB84F
SHA1:	05E497C8525CB1ADE6A0DAEFE09370EC45176E35
SHA-256:	9C19835F237B1427000D72C93703311CFCBEFF6C2B709474B16DB93E629BC928
SHA-512:	A7CDF94F79CD888BB81FD167F6B09BF1BEF2C749218869E5A12A0A3B2C2506D1A63F64B63D8E48EA49375636041C639082563BF9D526FE44003FC5A5E8D50E9D
Malicious:	false
Reputation:	unknown
Preview:	........0$..e.V...h.^...i.o...j.y...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.(.....0.....5.....=.....E.....M.....T.....[.....b.....c.....d.....f.....u.......................3.................+.................%.....9...........@.................1.......................Q.......................4.......................C...................................>.....b...........@.......................d.........................................p...........@.....n.................+.....H.............................h.......................M.......................J.......................7.............................].......................E.....t...................................?.............................W.....w.................\.................).......................f.......................W.........................................'...........$.....y...................................f.......................j.......................l...........+.

C:\Users\user\AppData\Roaming\GamePall\locales\ru.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	878725
Entropy (8bit):	4.848685093578222
Encrypted:	false
SSDEEP:
MD5:	3A3D0D865A78399306924D3ED058274E
SHA1:	AA1A42DB6021666B2297A65094D29978792CE29B
SHA-256:	EAB4C32FEBE084CC7A3A272CDA008B69D6617ED6D042376B0316BE185B9E66FE
SHA-512:	ACA8C87D0B2BB35A325726F7774F8A0232B99C8EFE0F948AB68210958E23B95E9D9026A9430D96FC2D5CEBA94815F4217896EF877C9A6E1D0E56F73533FB1D12
Malicious:	false
Reputation:	unknown
Preview:	.........#/.e.....h.....i.#...j./...k.>...l.I...n.Q...o.V...p.c...q.i...r.u...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................9.....V.....n...........V.......................g...........i...........l.....).................g...........,.....f.......................@.................6.....M......................./....."...........l..........._...........D.....y..... .................&.......................5.....9.....3.............................B.................r.................D...................................=.....b.........................................E.....\...........Y.................'...................................D.....n...........j.................9.......................a...........i...........v...........t...........a........................ ....,!....l!.....!....j"....."....R#....\|#....O$.....%.....%.....%.....&....x'.....(....Q(.....(....z).....).....)....]..........+....$+.....+.....,.....-

C:\Users\user\AppData\Roaming\GamePall\locales\sk.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	553886
Entropy (8bit):	5.812150703289796
Encrypted:	false
SSDEEP:
MD5:	A9656846F66A36BB399B65F7B702B47D
SHA1:	4B2D6B391C7C2B376534C0AF9AA6779755B4B74E
SHA-256:	02B65F48375911C821786D91698E31D908A4C0F5F4F1460DE29980A71124480E
SHA-512:	7E23CAA89FF80BF799AC5353CEAF344CBED0393F23D15FCBE8DC24EE55757F417CEA3BFC30889FD2CB41951F9FA5629C2E64B46DD9617D4A85EFEF0A255246F6
Malicious:	false
Reputation:	unknown
Preview:	........5$..e.`...h.h...i.\|...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.%...}.7.....?.....D.....L.....T.....\.....c.....j.....q.....r.....s.....u.............................h...............................................[.........../.....I.................S.....j...........9.....h.....{...........4.....].....q...........J.................?.............................%.....`.....y...........\................./.............................%.....v.................G.....g.....\|...........=.....c.....u...........6.....].....o...........O.........................................".......................3.......................R.............................-.....x.................0.....K....._.................0.....E.................G.....W...........T.................).....w.................-.......................M.............................O.................J.........................................'.........................................E.

C:\Users\user\AppData\Roaming\GamePall\locales\sl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	532410
Entropy (8bit):	5.486224954097277
Encrypted:	false
SSDEEP:
MD5:	BE49BB186EF62F55E27FF6B5FD5933F4
SHA1:	84CFD05C52A09B4E6FA62ADCAF71585538CF688E
SHA-256:	833F2E1B13381AA874E90B747931945B1637E53F2396A7409CCDA0A19CBE7A84
SHA-512:	1808631559D3C28589D3F5A4B95554CEBC342DE3D71B05DDC213F34851BF802967BFFAC3D7668C487265EE245D1E26EFCE5D317EDBFBBEEB4BC2C9F122980585
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.6...i.G...j.Q...k.`...l.k...n.s...o.x...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................%.....,.....3.....:.....;.....<.....>.....P.....^.....n...................................y.................&...........2.....}.................h.......................g.......................Z.......................v.................O...................................3.....I.................T.....h...........b.................S...........$.....J.......................(.............................n.......................z...........$.....8.................2.....C...........).....j.................;.....i.....\|...........?.....q.................[.......................g.......................L.....j.................G.......................~.................I.......................B.......................b.............................^.............................o.........................................j.......................x.......

C:\Users\user\AppData\Roaming\GamePall\locales\sr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	818089
Entropy (8bit):	4.779985663253385
Encrypted:	false
SSDEEP:
MD5:	AFA2DFBA3BD71FE0307BFFB647CDCD98
SHA1:	CD7A5C54246E891981AEEEAA88D39EC9E3F2C594
SHA-256:	1375353837629A20102C69BF62701EE5401BED84D3DC4845BED5EE43E4D322CF
SHA-512:	CE8BBBDDC33CB6B8DF4AEE127A8987E6D8C1D0761AC5BD25D685310BAA2D377F239BDF06F2C04B54295CF8FD440697A69A040644D5A7C0395C4F71A0252B8E87
Malicious:	false
Reputation:	unknown
Preview:	........=$\|.e.p...h.x...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.,...\|.2...}.D.....L.....Q.....Y.....a.....i.....p.....w.....~.........................................).................W...........O...........\...........z.....E...................................3...........b.................a.................5.......................1.....1...........v...........\|...........{...........`...........Y.....~.....d...................................S........... .......................{...........(.....K...........H.................c...........d...........3.................)...........B.................D.................(...........W.......................E.................~...........'.....O...........^.................~ .....!....]!....z!....J"....."....=#.....#....0$.....$.....$.....%.....%....P&.....&.....&.....'....1(.....(.....(.....).....*....5+....S+....A,.....,....Z-.....-....^...........=/....^/...../....Y0.....0.....0.....1....'2.....2

C:\Users\user\AppData\Roaming\GamePall\locales\sv.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	479512
Entropy (8bit):	5.541069475898216
Encrypted:	false
SSDEEP:
MD5:	09592A0D35100CD9707C278C9FFC7618
SHA1:	B23EEF11D7521721A7D6742202209E4FE0539566
SHA-256:	9C080A2F6D4EDF0E2E94F78550B9DB59ADF5B1B9166DE2BAE496E6ABB6733304
SHA-512:	E0760B3F227A3E7EAEB4816B8E02BEE51C62730D24403724D66B36BCCBC0BDCD56DF9EAB28B073AB727EE12C8856A858E52A9803E1A1C9164FCD3CF2F716D8AF
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i.....j.%...k.4...l.?...n.G...o.L...p.Y...q._...r.k...s.\|...t.....v.....w.....y.....z.....\|.....}.........................................................................#.....5.....I.....]...........b.................).......................e...........2.....K.................T.....p...........&.....U.....e...........%.....V.....f...........J.........................................O.......................Y..................................._.....u.............................n.......................J.......................'...............................................(.............................z.......................j.......................h.......................\|.................$.....w.......................M.....k.......................?.....Q...........).....f.................J.....i.................;.....c.....x...........1.....l...................................q.................?.................;.....N.............................p.............

C:\Users\user\AppData\Roaming\GamePall\locales\sw.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	504856
Entropy (8bit):	5.34516819438501
Encrypted:	false
SSDEEP:
MD5:	9E038A0D222055FED6F1883992DCA5A8
SHA1:	8FA17648492D7F093F89E8E98BF29C3725E3B4B5
SHA-256:	DDCA575D659545D80E715EB4176BBBBFBD3F75E24B223537B53740B0DCB282BD
SHA-512:	FB70F97E08191DFEB18E8F1A09A3AB61687E326265B1349AB2EFF5055F57E177A496BF0EA3592B61C71FE1F73C9143CA1495B05226F36EB481024827CAE6DCC4
Malicious:	false
Reputation:	unknown
Preview:	........4$..e.^...h.f...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....m.............................?.................$.................2.....D...........7.......................P.......................A.....l.....{...........&.....U.....c...........0.....d..................................._.......................m.......................n.............................*.......................J.....r.......................>.....G.........................................A.....O.................4.....F.................G.....R.................).....6.................).....2.................\.....u...........(.....T.....p...........2.....c.................D.......................l.................B.............................j.................+.......................j...........?.....S...........5.....x...................................P.......................r...........%.

C:\Users\user\AppData\Roaming\GamePall\locales\ta.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1298313
Entropy (8bit):	4.058495187693592
Encrypted:	false
SSDEEP:
MD5:	36104CB0D5E26E0BBB313E529C14F4B4
SHA1:	69A509DEE8419DA719DCF6DE78BFE0A6737508C5
SHA-256:	DC28C869A143424F71EDCFDB08B56DA31C2EC96E9D608535FFA7DC0B0842B7D8
SHA-512:	D46ED1AA19EB298BC4C3D61EFC28D80753D6B551F01808E6158A0869FAAE8755DF61D4B4BAFF1310DD09FCFC385ABA67E1AA7D61BBE399DF7BB2D483EBE0FEFF
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.(...h.0...i.A...j.M...k.\...l.g...n.o...o.t...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................!.....(...../.....6.....7.....8.....=.....k.................:...........5...........$.....v...........`...........(...........Z.................%.............................O...........j.....L.........................................m...........u...................................;.....c...........7.................................................................8 ..... ....m!....I".....".....".....#.....$.....%....9%....d&....n'.....(....L(....C)....4..........*.....+.....,....3-....a-....Z.....J/...../...../.....0.....1....Z2.....2.....3....:5.....6....Z6....U7....=8.....8.....8.....9.....:.....:....F;.....<.....=.....=.....>....E?....S@.....@....[A....3B.....B....IC.....C.....D.....E....[F.....F....+H....>I.....J....pJ....\L....FN.....O.....O....DQ....QR.....S....{S.....T.....V.....V....'W....+X.....Y.....Y.....Y.....[....9\.....\

C:\Users\user\AppData\Roaming\GamePall\locales\te.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1199612
Entropy (8bit):	4.314031920337284
Encrypted:	false
SSDEEP:
MD5:	98714389748A98ECC536CD2F17859BDF
SHA1:	07761AA31588F30C2CED4A1E31FE99DDC43A5E8D
SHA-256:	8A81B1A5457407E49D6372677938E7A2D28DFCA69F555FEDC8A2C9C09C333A65
SHA-512:	38CC4F064BD874EEC9DBFAB4C2A83A487FBCD89CEFB40BE4213C42231BC48AF9255341C9D325EE059BC50EE533898C5FA22CD3B3927A8E045049DEF3C5DFB2C6
Malicious:	false
Reputation:	unknown
Preview:	........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t. ...v.5...w.B...y.H...z.W...\|.]...}.o.....w.....\|.......................................................................X...........J...........\|...............................................f.........................................~.............................Y.............................A.............................d.....X.........../.....k.....b...........5...............................................'.......................L.....u ....:!.....!.....!.....".....#....$....k$.....%.....&....6'.....'.....(.....)........._*.....+....P,.....,.....-....'...........m/...../.....0.....1...."2....f2.....3.....4....R5.....5.....6....G7.....7.....7.....8....I9.....9.....9....{:....0;.....;....)<.....=.....>.....?.....?.....@....bA.....A.....B....JC....(D.....D.....D....DF.....F.....G.....G.....I....@K....qL.....L....4N....EO.....O....pP.....Q.....R....?S.....S.....T....^U.....U.....V....`W....[X.....Y

C:\Users\user\AppData\Roaming\GamePall\locales\th.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1008989
Entropy (8bit):	4.356501290091745
Encrypted:	false
SSDEEP:
MD5:	56F29DE3465795E781A52FCF736BBE08
SHA1:	EAA406E5ED938468760A29D18C8C3F16CF142472
SHA-256:	529C561747BF8B6206BE4F8BCF287A1D15E1B14A33113242DDAD5E035CA37BE6
SHA-512:	519B5B3CC7032B2AF856456EEC25019B3A6A7F2A6DB7A0318CF87C41E08C6F6BFA73E239939B0DA16972C1D357FF06177765D875E19742D23E99A95FD4AC5416
Malicious:	false
Reputation:	unknown
Preview:	........i#P.e.....h.....i.....j.....k.....l.....o.....p.....q.....r.....s.0...t.9...v.N...w.[...y.a...z.p...\|.v...}.....................................................................................'.....{.......................^...........e...........f.................s...........I...........]...........P...........r.................{...........D.....]...........;...........$.................,.....}.....K...........v...........e...........r...........m.....................................................E.......................P.......................:.......................B.......................b.......................s.......................X.......................S..................!.....".....".....".....#....0$....\|$.....$....j%.....%....5&....l&.....'....z'.....'....!(....A).....)...............+.....,....H,....x,....M-.....-....6.....l.....k/...../....o0.....0.....1.....2....>3...._3.....4.....5....c6.....6.....7....n8.....8.....9.....9....f:.....:.....:.....;.....<....D=

C:\Users\user\AppData\Roaming\GamePall\locales\tr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	515329
Entropy (8bit):	5.616482888977033
Encrypted:	false
SSDEEP:
MD5:	46CA9EE922C3C175DE466066F40B29CE
SHA1:	5563E236A15CD9CC44AE859165DF1E4E722936C7
SHA-256:	BD8B1441FD2057F0B61512CC0AA23DFD2619560CF886B4D453FA7472E7153A3F
SHA-512:	45AA2D6896568751C2F986ABD281EA07CB731880DF8F28F2F0AEFD95736F41B1E005D8DFB6F0AEF0CED6CEF94154D34FD0DA2CB7F0B0C66D9C085F5C47F32605
Malicious:	false
Reputation:	unknown
Preview:	........c$V.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.%...s.6...t.?...v.T...w.a...y.g...z.v...\|.\|...}...........................................................................................)...........L.................+.......................e........... .....;.................7.....J.......................)......................................... .....B...........5.....x.................Z.......................Q.....{.................w.................Q.................!.......................'.......................&....................... ................."...../.................5.....F.................9.....F.................2.....>.................7.....D...........I.......................v.......................i.......................P.......................q.................-.....z.......................m.................,.............................*.................B................."...........(.....n.................N.....~.................l.......

C:\Users\user\AppData\Roaming\GamePall\locales\uk.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	876131
Entropy (8bit):	4.88404350774067
Encrypted:	false
SSDEEP:
MD5:	1365ABDD1EFB44720EA3975E4A472530
SHA1:	8421FC4905C592EB1269C5D524AA46866D617D3C
SHA-256:	29AB0F7EE69FB7A1E1E54DD2A3746D2CFEAAA71AE5971EE30AA8E2E0F6556FA5
SHA-512:	2E806A9BEA864E689BBD1D78B800DFDBC6E4109320F9A4790E52010BFDEC20C7644655A6FE3BABDE0B84D9580208CB78EF1FA0DB3476F8676C17A13D130296C7
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.'...s.8...t.A...v.V...w.c...y.i...z.x...\|.~...}.....................................................................................1.....s.....W.......................r...........x...........m.....!.......................<.............................n...........,.................-...........\|.............................=.....y.....+...........%.....K...................................w.............................N...................................r.................O...........N.................^...........\...............................................h...............................................R.....m.....f.....6.............................W.....y...........O.....x...........K...........j...........z .....!.....!.....".....".....#....R#.....#....&$.....$.....$.....%.....%....s&.....&.... '.....(.....(....~).....).....*....Q+.....+.....,.....,....Z-.....-.....-....[............/....4/.....0.....0....$1

C:\Users\user\AppData\Roaming\GamePall\locales\ur.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	765853
Entropy (8bit):	5.17061834928747
Encrypted:	false
SSDEEP:
MD5:	3FED15E64BEAFBA75DE61B08A45AE106
SHA1:	E24953271D8C0254AD011D3A65B2C2FA57903681
SHA-256:	B6E250C3F4FBAC3AF5FB8BB1C61CACAD8685D7F2A97063DE23BC22E91B7F2E27
SHA-512:	3948D080135AFEB240815D43F7B5B8D407BA2830FF701D9B8343F2A72E610827EDAAB643444CDCEB86812ADFC9FB3FBA3AAD6DB7488843C2A04E92A3E63FE40D
Malicious:	false
Reputation:	unknown
Preview:	........1$..e.X...h.`...i.h...j.t...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.#.....+.....0.....8.....@.....H.....O.....V.....].....^....._.....d.....\|.............................n.....................................................).....^.......................<...........G.................J.................9...........E.................~...........{...........\...........L.....k.......................,.................9.....e.....C.......................>...................................8.....Z...........C.................;.................-...........L.................N.................1...........-.....y.........................................s............................p........... .......................i...........).....J.......................L...........M ..... ..... ....Y!.....!....4"....Z"....,#.....#....&$....W$....'%.....%....^&.....&....f'.....(.....(.....(.....)....3..............]+.....+.....,....F,.....,....z-.....-

C:\Users\user\AppData\Roaming\GamePall\locales\vi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	609259
Entropy (8bit):	5.796202390024141
Encrypted:	false
SSDEEP:
MD5:	CD741C24AF7597E0DC11069D3AC324E0
SHA1:	2A883DFBCF48D5093D70D4B77BBFFFA521287334
SHA-256:	13E982DC4B2B1AEE093E96BA27E02258C2B815CBB062006A4396BB3A3E6A84B1
SHA-512:	6D27998E25B57FF0CE08C3590B69031038CBA390E68333A83514022B2C56B689AF8AD9715302824027864B5320852E9AB77D74E3B8A90DC66DF59F48CEB528C9
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r....s.;...t.D...v.Y...w.f...y.l...z.{...\|.....}...........................................................................................;.......................-...........A.................[...........O.....u...........v.................6.......................+.......................}...........G.....y.....9...........K.....y.............................z...........?.....V...................................T.................X.......................r...................................9.....J...........H.......................}.................'.......................<.......................O.............................Z................._..................................)........... .....V.....v.......................j...........N.................3...................................O.....v................./.....C.......................@...........) ....^ ....w ..... ....J!....}!.....!..../".....".....#....8#

C:\Users\user\AppData\Roaming\GamePall\locales\zh-CN.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	441207
Entropy (8bit):	6.685712707138377
Encrypted:	false
SSDEEP:
MD5:	99E6ACFB46923C4F8B29058E9EE6166B
SHA1:	AF06C42E5F3578ADBC4F0BD7262DC6775FDD351F
SHA-256:	9D8498875263B19552A982D1850F2F942FF44AF4E323BC5A3A67C34413994D95
SHA-512:	4FDF5186FC2FC68210C2BE91F5B821F0979CA67D6C9B8915C14E7A20D3CE2548EB2660D5F9F398CF6C585A5C0725FA34FD3670F416F7C8A4F009C729BCF02988
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.T...h.\...i.d...j.g...k.v...l.}...m.....o.....p.....q.....r.....s.....t.....v.....w.....\|.....}...............................(.....-.....5.....<.....C.....E.....J.....S....._.....q.................v.................1......................./.......................:.......................>.............................c.......................D.....j................._.......................n.......................T.....}.................@.....o.................V.......................5.....O.....i................."...........x.......................U.......................].......................=.......................".....s.......................L.....u.................g.......................W.....w.................3.....X.....o...........&.....J.....\.................=.....].............................y.......................y...................................N.....`...........,.....d.....y...........).....O.....^.............................\|.......................x.

C:\Users\user\AppData\Roaming\GamePall\locales\zh-TW.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	439630
Entropy (8bit):	6.6906570508767995
Encrypted:	false
SSDEEP:
MD5:	BB7C995F257B9125457381BB01856D72
SHA1:	21C55FF5CBC4F223C23D5A2FBCC9E051DB78A44C
SHA-256:	F2299E03E99B0E9A9CACE3B1C72E6C8C5FE089487CA1C82F2AAF4273B62E37A2
SHA-512:	5247C5DA6F00DF6241500524DDB162041A03649FA0AFCC11AD40E820814958768A2E11CE34E1250FDBF42B2459F8C06B00AE7442B537F0731A62C6724FC8D890
Malicious:	false
Reputation:	unknown
Preview:	.........#,.e.....h.....i.)...j.-...k.<...l.G...n.O...o.T...p.\...q.b...r.n...s.....t.....v.....w.....y.....z.....\|.....}...................................................................%.....4.....C...........3.....q.................+.....T.....`........... .....R.....d.................M.....b.................3.....?.............................g.......................[.......................S.......................;.......................*.......................@.......................F.............................D.....d.....p.................2.....A.............................q.......................T.......................<.............................i.......................f.......................A.....[.....o.................!.............................u.......................^.............................h.......................P.........................................H.......................Z.......................$.....e.....z.................1.....X.....j...........#.

C:\Users\user\AppData\Roaming\GamePall\log4net.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	275968
Entropy (8bit):	5.778490068583466
Encrypted:	false
SSDEEP:
MD5:	7EA1429E71D83A1CCAA0942C4D7F1C41
SHA1:	4CE6ACF4D735354B98F416B3D94D89AF0611E563
SHA-256:	EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
SHA-512:	91C90845A12A377B617140B67639CFA71A0648300336D5EDD422AFC362E65C6CCD3A4FF4936D4262B0EAF7BAE2B9624BCD3C7EEC79F7E7CA18ABE1EC62C4C869
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.X...........!.....,..........~K... ...`....... ..............................H.....@.................................$K..W....`...............................I............................................... ............... ..H............text....+... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B................`K......H...........<x...............-..P .......................................i.)V.#c....e../.`...V....j>....?.LbrzKV.x.}...........[.f)..dD`..66.61[.z....W^....>F..r...#. ..g...T...P....Ss)ii.a.v.(0.....(1...o2...s....}.......0..7........{....-%~....r...p.{....r9..p(3...(.....(.......(4.............//........{...."..}......{........0..4..........%...(5....-.~....r?..p(....+...}.......,..(6............')........{......{...."..}.......{...."..}....*.0..........

C:\Users\user\AppData\Roaming\GamePall\log4net.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1547797
Entropy (8bit):	4.370092880615517
Encrypted:	false
SSDEEP:
MD5:	32AB4E0A9A82245EE3B474EF811F558F
SHA1:	9F2C4C9EEB5720D765F2321ACD0FF9F8DD11E6A4
SHA-256:	9BBF4D15F8FB11F7D2C032BD920D2A33B2C2CB8EF62E7E023049AF6132F5D6C1
SHA-512:	A0574A170F69F9926C32BAF6119A16A381FEC9E881B304082859EE7CFF463570C78984EE14369C59CDB19E532B3ABF193D02B462F1B40D07214B6244150CD63F
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0"?>..<doc>.. <assembly>.. <name>log4net</name>.. </assembly>.. <members>.. <member name="T:log4net.Appender.AdoNetAppender">.. <summary>.. Appender that logs to a database... </summary>.. <remarks>.. <para>.. <see cref="T:log4net.Appender.AdoNetAppender"/> appends logging events to a table within a.. database. The appender can be configured to specify the connection .. string by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionString"/> property. .. The connection type (provider) can be specified by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionType"/>.. property. For more information on database connection strings for.. your specific database see <a href="http://www.connectionstrings.com/">http://www.connectionstrings.com/</a>... </para>.. <para>.. Record

C:\Users\user\AppData\Roaming\GamePall\natives_blob.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	342741
Entropy (8bit):	5.496697631795104
Encrypted:	false
SSDEEP:
MD5:	A58DB728B50E6B82CBDCAA0DB61D36B1
SHA1:	7CD76526CB29A0FF5350A2B52D48D1886360458B
SHA-256:	BA2F2AC6AE9BC67399728F25772A0EB3E840695395CC747ADF4B2F8B5D6D9A46
SHA-512:	0DB9AFBDADA44364521D89BAB6055458125F4F3C8C1B09048EAFA4055A194231CCFFD82FCDADA9360AB2B19F472B893330EBFCB027391E7A0C2B1100FC51E673
Malicious:	false
Reputation:	unknown
Preview:	..mirrors....(function(a,b){."use strict";.var c=a.Array;.var d=a.isNaN;.var e=a.JSON.stringify;.var f;.var g;.var h=b.ImportNow("promise_state_symbol");.var i=b.ImportNow("promise_result_symbol");.var j;.var k;.b.Import(function(l){.f=l.MapEntries;.g=l.MapIteratorNext;.j=l.SetIteratorNext;.k=l.SetValues;.});.var m={.UNDEFINED_TYPE:'undefined',.NULL_TYPE:'null',.BOOLEAN_TYPE:'boolean',.NUMBER_TYPE:'number',.STRING_TYPE:'string',.SYMBOL_TYPE:'symbol',.OBJECT_TYPE:'object',.FUNCTION_TYPE:'function',.REGEXP_TYPE:'regexp',.ERROR_TYPE:'error',.PROPERTY_TYPE:'property',.INTERNAL_PROPERTY_TYPE:'internalProperty',.FRAME_TYPE:'frame',.SCRIPT_TYPE:'script',.CONTEXT_TYPE:'context',.SCOPE_TYPE:'scope',.PROMISE_TYPE:'promise',.MAP_TYPE:'map',.SET_TYPE:'set',.ITERATOR_TYPE:'iterator',.GENERATOR_TYPE:'generator',.}.var n=0;.var o=-1;.var p=[];.var q=true;.function MirrorCacheIsEmpty(){.return n==0&&p.length==0;.}.function ToggleMirrorCache(r){.q=r;.ClearMirrorCache();.}.function ClearMirrorCache(r){.

C:\Users\user\AppData\Roaming\GamePall\resources.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	8226870
Entropy (8bit):	7.996842728494533
Encrypted:	true
SSDEEP:
MD5:	F7EC58AEA756F3FD8A055AC582103A78
SHA1:	086B63691F5E5375A537E99E062345F56512A22C
SHA-256:	517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
SHA-512:	C620C6E16BBCEE9BC607E6CA75D602C756276AC69E5F3761D82DE7728164133656A71A69043EB1A86CE3051FDE4327A47EFD41D1FF47C8385699CA67C423AD7B
Malicious:	false
Reputation:	unknown
Preview:	............f.6:..{..D..\|..G..~. K.....]....._....=.....c...........9.....B.............................F.....K/.....2....54....r5.....6.....?.....@....jB.....C....hD.....E.....H....nj.....k.....r....@~...."..........W.....................;..../;'...2;P...7;....8;....C;....D;U...E;....F;....G;A,..H;.;..I;gK..J;.Z..K;.h..L;.}..M;y...N;{...O;z...P;....Q;8...R;....S;....T;C'..U;.=..V;.W..W;.m..X;....Y;....Z;D...[;....\;....];.....<.....<x....<.....<-....<\....<.....<.....<.....<.....<*(...< /...<+3...<.3..I=.3..J=.7..K=.9..R= >..S=.G..T=}V..[=;w..\=.x..]=.}..^=R..._=....`=....a=....b=....c=....e=:...f=.....=....=.....=....=`....=p....=.....=.....=.....=.....=.....=K....=.....=t....=.....=.....=.....=\....=Z....=.....=T....=[....=x....=.....=.....=D....=.....=.....=.....=l....=F....=.'...=j)...>.+...>l,...>_0...>.2...>.6...>.8..N>.\..O>~^..P>._..Q>%d..R>.k..S>.l..T>Tn..U>.p..b>.u..c>/y..d>.\|..B@....C@....D@o...E@....F@W...L@Z...M@(...N@...O@....D.....D ....D ....D;....D.....D....D..

C:\Users\user\AppData\Roaming\GamePall\snapshot_blob.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	276319
Entropy (8bit):	4.242318669799302
Encrypted:	false
SSDEEP:
MD5:	8234983533FA47D2A1D7710FF8274299
SHA1:	E4C5793B6FE6A6C6C9D8E3921B3BC341AE3448D8
SHA-256:	F95553D8066144CBB8A05EED1735C94A4B97A2E44E49F624C2302990A13017C9
SHA-512:	1E7E201B0FF9AFA7821B5FFD0A36548A49CD4DBBABA5858E13DA35058670A5053723DD3544B2FD85C619F2B8FC9E5DB48DF977BB293E7BA7DE6F22CC8DAB28CA
Malicious:	false
Reputation:	unknown
Preview:	.........X./j1N.11.8.172.9.......................................................@...y...........@..`....`....`....`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\start.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.8731406795131327
Encrypted:	false
SSDEEP:
MD5:	2C66F3C2190A84FAFD4449DAF6440EAC
SHA1:	7B9E4C94329FE26C34E63AB8336227FD5EB553E9
SHA-256:	58EB97E30289A3FCAE270DBCC01258A862936350CB0EF781AE76D6A9444C0155
SHA-512:	62713209575426CE503605C6F451E9DFB025BE0295F0A453614862CE390F5987F0E16BAE6B37B4B1A7330A7CB5AA31249F8CF58DE37B8B701C16881E4E4E61C1
Malicious:	false
Reputation:	unknown
Preview:	start GamePall.exe OuWe5kl

C:\Users\user\AppData\Roaming\GamePall\swiftshader\Xilium.CefGlue.pdb

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	MSVC program database ver 7.00, 512*4023 bytes
Category:	dropped
Size (bytes):	2059776
Entropy (8bit):	4.067542396670122
Encrypted:	false
SSDEEP:
MD5:	70F9EAEA8A2A604E59F72EDE66F83AB4
SHA1:	0AB9EA1BFFDFF471EC22AB289C7FBC5E0CDF48BF
SHA-256:	38A07BA75CC2BBDF715CA87D380A4E5A0DCFAF9C30C5ECD30F6107871D51825B
SHA-512:	47DE4DAD93385A4907FADE307040FE026ED66989C0C9915AFC96CB2BC93DE5E106DC1274E4AD2382021C758C60FEDE06D68998CF3591E23E2951778CE09D6D4C
Malicious:	false
Reputation:	unknown
Preview:	Microsoft C/C++ MSF 7.00...DS................J..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346624
Entropy (8bit):	6.54104466243173
Encrypted:	false
SSDEEP:
MD5:	7A53AD3E5D2E65C982450E7B7453DE8A
SHA1:	99F27E54F1F61207C02110CAC476405557A8AD54
SHA-256:	24FDDD6A367792A9D86D9060FC9AA459B5FB0F67804CB7D139A100D86BBDAFF8
SHA-512:	2B5E5DB46FDC787CB46CDAEBFFC01586E248FBB864677B27AF03CDC33E956DEF51B3F836597E7092C4175CF605C44728C6F96B74BB2C9870E9715D4AF4C531A1
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.........T............................................................@A....................................P....p...........................3..4.......................8........G...............................................text............................... ..`.rdata..............................@..@.data....4..........................@....00cfg.......@......................@..@.tls.........P......................@....voltbl......`...........................rsrc........p......................@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2445312
Entropy (8bit):	6.750207745422387
Encrypted:	false
SSDEEP:
MD5:	334C3157E63A34B22CCE25A44A04835F
SHA1:	C6B05BD55BE9FED3B0C5077C5649E2A41C10DC08
SHA-256:	3E307570B574469EC8BCF1CE6D5291DF8D627CA3812F05AACFEBBD3F00B17F89
SHA-512:	11F538ADD05515861891892EBB90163B6540B72FEB380D64B4A0AA56C6415E3B71374557BF50D0B936712B1006F2B94D59BEBFBF18CBF93BB883D9055CAAEEE9
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.....4 .................................................p*...........@A..........................#.. ....$.d....P)......................`).......#.......................#......."...............$.P............................text.../2 ......4 ................. ..`.rdata..\....P ......8 .............@..@.data...L....@$...... $.............@....00cfg....... )......>$.............@..@.tls.........0)......@$.............@....voltbl.M....@)......B$..................rsrc........P)......D$.............@..@.reloc.......`)......H$.............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\v8_context_snapshot.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	631017
Entropy (8bit):	5.144793130466209
Encrypted:	false
SSDEEP:
MD5:	0794DF29DF8DFC3ECE5C443F864F5AEB
SHA1:	BFD4A9A34BEB9751BC4203FB9A9172F1F05E5B16
SHA-256:	3EE2237E9B14871165B051CCF892C8375E45B5F12841E02F4B9D37F5D5A03283
SHA-512:	0D34E36F7455B977F086F04840FBA679284A619A7164A56B5C7FC2ADCB23A231B67A62101540EB07CF5C8192790266B08D2CC232D291621C331FE77C1F5E52C0
Malicious:	false
Reputation:	unknown
Preview:	..........d..<..11.8.172.9......................................................@...]!...S..y...-[..........`....`....`T...`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4400640
Entropy (8bit):	6.667314807988382
Encrypted:	false
SSDEEP:
MD5:	7F913E31D00082338F073EF60D67B335
SHA1:	AC831B45F2A32E23BA9046044508E47E04CDA3A4
SHA-256:	B60E9818C4EA9396D0D2D2A4AC79C7DC40D0DFF6BB8BC734D0AB14ADC30FBF30
SHA-512:	E1AC79C775CF9137283CD2C1AE1A45EC597E0351CDB9C11D483E2E1F8B00CC2BBC5807A50DED13A3A5E76F06C1A565EFF1233F4EC727B0C5F7AA3BEAEA906750
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....$5.........P.-......................................PD...........@A........................8=?.~....\?.P.... B......................0B.X.....?.....................H.?......@5.............._?..............................text...T#5......$5................. ..`.rdata...a...@5..b...(5.............@..@.data...@N....?..x....?.............@....00cfg........B.......A.............@..@.tls....5.....B.......A.............@....rsrc........ B.......A.............@..@.reloc..X....0B.......A.............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader_icd.json

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.724752649036734
Encrypted:	false
SSDEEP:
MD5:	8642DD3A87E2DE6E991FAE08458E302B
SHA1:	9C06735C31CEC00600FD763A92F8112D085BD12A
SHA-256:	32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
SHA-512:	F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
Malicious:	false
Reputation:	unknown
Preview:	{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}

C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	826368
Entropy (8bit):	6.78646032943732
Encrypted:	false
SSDEEP:
MD5:	A031EB19C61942A26EF74500AD4B42DF
SHA1:	FDC6EA473234F153639E963E8EFB8D028DA1BE20
SHA-256:	207706A3A3FAA8500F88CB034B26413074EFC67221A07C5F70558F3C40985A91
SHA-512:	80F843E47FC2B41B17EF6EA1BB2BB04119B2417311599EC52120D9F9DF316B4D7B1DAF97EE5CDF2AE78CDB9475E5C65255A7F2AB2A9231804F6A82C83303FD19
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....\|..........@.....................................................@A...........................<!..$...P....p..............................l..............................................P................................text....z.......\|.................. ..`.rdata..tr.......t..................@..@.data....7..........................@....00cfg.......P......................@..@.tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211456
Entropy (8bit):	6.566524833521835
Encrypted:	false
SSDEEP:
MD5:	6D7FD214164C858BBCF4AA050C114E8C
SHA1:	B8868DA6BB9A79EE7C9901A9BFAC580D5BAFCC96
SHA-256:	3F58FB22BD1A1159C351D125BEE122A16BB97BABB5FCA67FDBD9AAAED3B302E6
SHA-512:	0F8F2523C3A616AC7C72A1239B7E353F6A684FF75DA79D1CAF9B98A47FF6FE06329165825704C67C04E92073BA2C17D0FF339C57731DDF0F1489C2E97D1D0A14
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..._...^..._q..^..._..^..._..^..._..^..._..^k.._...^..._...^...^...^k.._...^k.._...^n..^...^k.._...^Rich...^........................PE..L...Ua.X.........."!.........(......c........0............................................@.................................x...<....@.......................P..T"......8...............................@............0..0............................text............................... ..`.rdata..`....0....... ..............@..@.data...............................@....gfids.......0......................@..@.rsrc........@......................@..@.reloc..T"...P...$..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\bbehcjh

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	216064
Entropy (8bit):	6.090876982937926
Encrypted:	false
SSDEEP:
MD5:	1409B5A7AC2A6BE45FA954730B058DA4
SHA1:	00EAB66887FF6FF4D6325D8A0E74ADB624FAF6DE
SHA-256:	1E7FB39C52BA502920D98374E0CDF8A2447C737BD0B88C06839E81BE3A751688
SHA-512:	AF224D8FDA6B8C6DF5AAE108DC5D300FEF45DEAB525109FC8D61498714D8B037BB63F2276E163C7997566C336FE6ED884B70282986E6EBAB22BFBBE6071D5642
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F. h..N;..N;..N;m..;..N;m..;..N;m..;Y.N;...;..N;..O;i.N;m..;..N;m..;..N;m..;..N;Rich..N;................PE..L....y}d......................}......,............@...........................~......w..........................................P....@~............................4...............................P...@............................................text...p........................... ..`.rdata...(.......(..................@..@.data.....\|.. ......................@....rsrc.......@~.....................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\bbehcjh:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.090876982937926
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NhWAWEhCi7.exe
File size:	216'064 bytes
MD5:	1409b5a7ac2a6be45fa954730b058da4
SHA1:	00eab66887ff6ff4d6325d8a0e74adb624faf6de
SHA256:	1e7fb39c52ba502920d98374e0cdf8a2447c737bd0b88c06839e81be3a751688
SHA512:	af224d8fda6b8c6df5aae108dc5d300fef45deab525109fc8d61498714d8b037bb63f2276e163c7997566c336fe6ed884b70282986e6ebab22bfbbe6071d5642
SSDEEP:	3072:SIJoMdlOBVvu8OnD7F7CE4BOe3uqHh+JJGmkx8:/dlOrvg0E4wQQJ2
TLSH:	9224CFC9B2E1D436D8A75A30AC38C2F53936BCB29765858B77483F6F3C722C15925362
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F. h..N;..N;..N;m..;..N;m..;..N;m..;Y.N;...;..N;..O;i.N;m..;..N;m..;..N;m..;..N;Rich..N;................PE..L....y}d...........

File Icon


Icon Hash:	63796de971436e0f

Static PE Info

General

Entrypoint:	0x402c90
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x647D79D5 [Mon Jun 5 05:59:49 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	8e7bd8110819d537a004b803ccf06ec4

Entrypoint Preview

Instruction
call 00007F5CCCE918ABh
jmp 00007F5CCCE8E2EEh
sub eax, 000003A4h
je 00007F5CCCE8E484h
sub eax, 04h
je 00007F5CCCE8E479h
sub eax, 0Dh
je 00007F5CCCE8E46Eh
dec eax
je 00007F5CCCE8E465h
xor eax, eax
ret
mov eax, 00000404h
ret
mov eax, 00000412h
ret
mov eax, 00000804h
ret
mov eax, 00000411h
ret
mov edi, edi
push esi
push edi
mov esi, eax
push 00000101h
xor edi, edi
lea eax, dword ptr [esi+1Ch]
push edi
push eax
call 00007F5CCCE91905h
xor eax, eax
movzx ecx, ax
mov eax, ecx
mov dword ptr [esi+04h], edi
mov dword ptr [esi+08h], edi
mov dword ptr [esi+0Ch], edi
shl ecx, 10h
or eax, ecx
lea edi, dword ptr [esi+10h]
stosd
stosd
stosd
mov ecx, 00422008h
add esp, 0Ch
lea eax, dword ptr [esi+1Ch]
sub ecx, esi
mov edi, 00000101h
mov dl, byte ptr [ecx+eax]
mov byte ptr [eax], dl
inc eax
dec edi
jne 00007F5CCCE8E459h
lea eax, dword ptr [esi+0000011Dh]
mov esi, 00000100h
mov dl, byte ptr [eax+ecx]
mov byte ptr [eax], dl
inc eax
dec esi
jne 00007F5CCCE8E459h
pop edi
pop esi
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 0000051Ch
mov eax, dword ptr [00422B80h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
push edi
lea eax, dword ptr [ebp-00000518h]
push eax
push dword ptr [esi+04h]
call dword ptr [0041F0BCh]
mov edi, 00000100h

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20ee4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27e4000	0x95f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x20f34	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x20b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f000	0x18c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1d670	0x1d800	603441d178ca325067949b30163f13fb	False	0.8762331170550848	data	7.742934136238854	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1f000	0x2800	0x2800	01ecc0619713840e6a65235053894b50	False	0.3533203125	OpenPGP Secret Key	4.9695090184411725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x22000	0x27c15a4	0xb200	ce6c5a13374dbbf941e1c920aac1c5d6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x27e4000	0x95f0	0x9600	217829c0a5a78bf348dd08daa45626cf	False	0.3616666666666667	data	4.490648025071329	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RUPIKOFIJEDAJONAP	0x27e7608	0x136f	ASCII text, with very long lines (4975), with no line terminators	Japanese	Japan	0.5969849246231156
RT_CURSOR	0x27e8978	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.1948529411764706
RT_CURSOR	0x27e8ca8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.33223684210526316
RT_CURSOR	0x27e8e00	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2953091684434968
RT_CURSOR	0x27e9ca8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46705776173285196
RT_CURSOR	0x27ea550	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5361271676300579
RT_CURSOR	0x27eaae8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.26439232409381663
RT_CURSOR	0x27eb990	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.3686823104693141
RT_CURSOR	0x27ec238	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.49060693641618497
RT_CURSOR	0x27ec7d0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0x27ec900	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_ICON	0x27e4500	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Japanese	Japan	0.5351382488479263
RT_ICON	0x27e4bc8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Japanese	Japan	0.41161825726141077
RT_ICON	0x27e7170	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Japanese	Japan	0.44769503546099293
RT_STRING	0x27ecc68	0x732	data	Japanese	Japan	0.4218241042345277
RT_STRING	0x27ed3a0	0x24e	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Japanese	Japan	0.4847457627118644
RT_GROUP_CURSOR	0x27e8dd8	0x22	data			1.0294117647058822
RT_GROUP_CURSOR	0x27eaab8	0x30	data			0.9166666666666666
RT_GROUP_CURSOR	0x27ec7a0	0x30	data			0.9375
RT_GROUP_CURSOR	0x27ec9b0	0x22	data			1.0588235294117647
RT_GROUP_ICON	0x27e75d8	0x30	data	Japanese	Japan	0.9375
RT_VERSION	0x27ec9d8	0x28c	PGP symmetric key encrypted data - Plaintext or unencrypted data			0.5230061349693251

Imports

DLL	Import
KERNEL32.dll	FindResourceA, IsBadStringPtrW, GetConsoleAliasesLengthW, CommConfigDialogA, SetEndOfFile, FindResourceW, LoadLibraryExW, InterlockedIncrement, CreateDirectoryW, GlobalLock, GetWindowsDirectoryA, GlobalFindAtomA, LoadLibraryW, AssignProcessToJobObject, ReplaceFileA, SetLastError, GetProcAddress, RemoveVectoredExceptionHandler, LocalAlloc, GetDiskFreeSpaceA, GlobalGetAtomNameW, OpenJobObjectW, EnumResourceTypesW, GetOEMCP, OpenFileMappingA, SetFileAttributesW, CreateFileW, SetStdHandle, WriteConsoleW, CloseHandle, SetFilePointer, GetDateFormatW, LoadLibraryA, GetSystemDefaultLangID, MultiByteToWideChar, DecodePointer, EncodePointer, GetLastError, HeapReAlloc, GetModuleHandleW, ExitProcess, GetCommandLineA, HeapSetInformation, GetStartupInfoW, GetCPInfo, InterlockedDecrement, GetACP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetCurrentThreadId, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, HeapCreate, HeapFree, HeapAlloc, WriteFile, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringW, GetStringTypeW, Sleep, RtlUnwind, HeapSize, IsProcessorFeaturePresent, GetConsoleCP, GetConsoleMode, FlushFileBuffers
USER32.dll	OpenIcon, CharUpperBuffW, GetClassInfoW, GetKeyboardLayoutNameW, DdeCmpStringHandles, GetCaretPos, SetMessageExtraInfo
ADVAPI32.dll	AreAllAccessesGranted, ClearEventLogW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Japanese	Japan

Target ID:	0
Start time:	05:40:57
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\NhWAWEhCi7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NhWAWEhCi7.exe"
Imagebase:	0x400000
File size:	216'064 bytes
MD5 hash:	1409B5A7AC2A6BE45FA954730B058DA4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1751429960.0000000002EED000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1751297213.0000000002E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1751297213.0000000002E80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1751333765.0000000002EA1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1751333765.0000000002EA1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1751277503.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:41:04
Start date:	01/07/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	05:41:23
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\bbehcjh
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\bbehcjh
Imagebase:	0x400000
File size:	216'064 bytes
MD5 hash:	1409B5A7AC2A6BE45FA954730B058DA4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.1990395663.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.1990497088.0000000002C7C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.1990748003.0000000004851000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.1990748003.0000000004851000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.1990664978.0000000004820000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.1990664978.0000000004820000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:41:40
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\9FC5.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\9FC5.exe
Imagebase:	0x3d0000
File size:	6'642'176 bytes
MD5 hash:	BD2EAC64CBDED877608468D86786594A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2185744877.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs Detection: 23%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:41:51
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\D57C.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\D57C.exe
Imagebase:	0x400000
File size:	293'869 bytes
MD5 hash:	60172CA946DE57C3529E9F05CC502870
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 21%, ReversingLabs Detection: 9%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	05:43:16
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\setup.exe"
Imagebase:	0x400000
File size:	107'232'830 bytes
MD5 hash:	FF2293FBFF53F4BD2BFF91780FABFD60
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 3%, ReversingLabs Detection: 6%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:43:45
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Imagebase:	0x660000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 3%, ReversingLabs Detection: 11%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:43:50
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3176 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Imagebase:	0x970000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:43:50
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:	0xb0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:43:50
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3784 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:	0xc70000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:43:50
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719821616869761 --launch-time-ticks=6013536112 --mojo-platform-channel-handle=4012 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0x710000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:43:50
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719821616869761 --launch-time-ticks=6013552940 --mojo-platform-channel-handle=4092 --field-trial-handle=3180,i,14998134109693806898,1323138317393721428,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0x9a0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:43:50
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xf30000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	05:43:51
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xf30000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:43:52
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xf30000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	05:43:52
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x150000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	05:43:53
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xa30000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	05:43:54
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x770000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	05:43:54
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x950000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	05:43:55
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x540000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	05:43:55
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x9e0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	05:43:55
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xde0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	05:43:55
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x640000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	05:43:56
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xe80000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	05:43:57
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xe10000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	05:43:57
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x180000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	05:43:57
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xab0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	05:43:57
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xa90000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	05:43:58
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xba0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	05:43:58
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xd80000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	05:43:58
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x430000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	05:43:58
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xd90000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	05:43:58
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xa50000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	05:43:59
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xa10000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	05:43:59
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xaa0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	05:43:59
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xab0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	28.6%
Signature Coverage:	65.3%
Total number of Nodes:	98
Total number of Limit Nodes:	3

Executed Functions

Function 00401496 Relevance: 10.7, APIs: 7, Instructions: 247
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.1749935628.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NhWAWEhCi7.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
Instruction ID: 8e4940cc2d5d294876689a6a874cb0cc3c399929e81e9dec1e5d288c8cd9e9dd
Opcode Fuzzy Hash: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
Instruction Fuzzy Hash: F481B375500244BBEB209F91CC44FAB7BB8FF85704F10412AF952BA2F1E7749901CB69

Function 00401538 Relevance: 10.7, APIs: 7, Instructions: 207
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.1749935628.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NhWAWEhCi7.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
Instruction ID: 71a4d0092025beca94809e07d65936591d52f1bb8effc294688e3fcd05e54c36
Opcode Fuzzy Hash: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
Instruction Fuzzy Hash: E0615171900204FBEB209F95CC89FAF7BB8FF85700F10412AF912BA2E5D6759905DB65

Function 004014DE Relevance: 10.7, APIs: 7, Instructions: 204
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.1749935628.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NhWAWEhCi7.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
Instruction ID: 6a824664258ffec6fdf95c516407446232c8a84219ad61b9fd4b8efeb52f3576
Opcode Fuzzy Hash: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
Instruction Fuzzy Hash: 9B615C75900245BFEB219F91CC88FEBBBB8FF85710F10016AF951BA2A5E7749901CB24

Function 00401543 Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.1749935628.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NhWAWEhCi7.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
Instruction ID: 1fc6fb52bb36dddf8f971a96ecfe927bdbae9887f6286775c14151e9c1d92244
Opcode Fuzzy Hash: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
Instruction Fuzzy Hash: 13512B71900245BBEB209F91CC88FAF7BB8EF85B00F14416AF912BA2E5D6749945CB64

Function 00401565 Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.1749935628.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NhWAWEhCi7.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
Instruction ID: d88667ffe02cbbb2798d41d5ad0cf6527765788d972b82ac88077c7d238bff09
Opcode Fuzzy Hash: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
Instruction Fuzzy Hash: 54511A71900205BFEF209F91CC89FAFBBB8FF85B10F104259F911AA2A5D7759941CB64

Function 00401579 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.1749935628.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NhWAWEhCi7.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
Instruction ID: 7169477154cf1621f4f222e223ad54e678f31395e99d0ffd613e12cb64d905d3
Opcode Fuzzy Hash: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
Instruction Fuzzy Hash: 2B511A75900245BBEF209F91CC88FEF7BB8FF85B10F104119F911BA2A5D6759941CB64

Function 0040157C Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.1749935628.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NhWAWEhCi7.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
Instruction ID: 14f4b29c405daff92d21e2b3eea283823ae405efc36948ac0d92101f557811aa
Opcode Fuzzy Hash: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
Instruction Fuzzy Hash: DE51F9B5900245BBEF209F91CC88FEFBBB8FF85B10F104259F911AA2A5D6709944CB64

Function 00402FE9 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040311D
NtTerminateProcess.NTDLL ref: 00403136

Memory Dump Source

Source File: 00000000.00000002.1749935628.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NhWAWEhCi7.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 3e1675bac70c022a4e457ffe6b5fa54937b73e0116388ba90aec32851b4d9964
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: A1412431228E088FD768EF5CA885762B7D5F798311F6643AAE809D7389EA34DC1183C5

Function 02EF46EB Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02EF4713
Module32First.KERNEL32(00000000,00000224), ref: 02EF4733

Memory Dump Source

Source File: 00000000.00000002.1751429960.0000000002EED000.00000040.00000020.00020000.00000000.sdmp, Offset: 02EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eed000_NhWAWEhCi7.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: eb2166a5f8d4330edab05fa65c7c3214a13804af260908b61a8ff5a69aa87408
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: DBF0F632140710ABD7603FF8A88CB6F72F8BF4A229F105128E746D10C0DBB0E8054A60

Function 02E7003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02E7024D

Strings

kernel32.dll, xrefs: 02E7008F, 02E70095
cess, xrefs: 02E7018D

Memory Dump Source

Source File: 00000000.00000002.1751277503.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_NhWAWEhCi7.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: f625b8ae37e17fafa08ebec449de84c6b8e2a062f9a9379ec7f4c2136ba921ec
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 79526975A01229DFDB64CF68C984BACBBB1BF09314F1480D9E94DAB351DB30AA85DF14

Function 02E70E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02E70223,?,?), ref: 02E70E19
SetErrorMode.KERNELBASE(00000000,?,?,02E70223,?,?), ref: 02E70E1E

Memory Dump Source

Source File: 00000000.00000002.1751277503.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_NhWAWEhCi7.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: b950b269651ff8bbeff7d66271b89f666c762e6e43135f856d3d222814fe3b41
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: AFD0123114512877DB002A94DC09BCD7B1CDF09B66F008011FB0DD9080C770954046E5

Function 00401918 Relevance: 1.3, APIs: 1, Instructions: 57
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.1749935628.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NhWAWEhCi7.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F

Function 00401924 Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.1749935628.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NhWAWEhCi7.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F

Function 02EF43AA Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02EF43FB

Memory Dump Source

Source File: 00000000.00000002.1751429960.0000000002EED000.00000040.00000020.00020000.00000000.sdmp, Offset: 02EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eed000_NhWAWEhCi7.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 6fa8c931baf2c7871800efc893cda40df80d017c41b60ad5627ab596d67d028c
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 01112B79A40208EFDB01DF98C985E99BBF5AF08750F05C094FA48AB361D371EA50EF80

Function 00401941 Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.1749935628.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NhWAWEhCi7.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F

Function 00401954 Relevance: 1.3, APIs: 1, Instructions: 43sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.1749935628.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NhWAWEhCi7.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
Instruction ID: f7568a5a22988f4b084f7ac8228f9b89e575eda69d31bfffabc36cd9cbe45c64
Opcode Fuzzy Hash: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
Instruction Fuzzy Hash: BDF0C2B6208144F7DB019AA18DB1FBA36299B44314F300233BA17B90F5C67C8612E76F

Function 0040194C Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.1749935628.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NhWAWEhCi7.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
Instruction ID: 9d6088553fbd849a34ffa1589a5f9bffd683413c7e042594889390f4c4f3f426
Opcode Fuzzy Hash: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
Instruction Fuzzy Hash: 08F0C2B2208144F7DB019A958DA0FBA36299B44314F300633B617B91F5C57C8A02E72F

Non-executed Functions

Function 02E7092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 02E70966
GetProcAddress., xrefs: 02E709DC, 02E709DF, 02E709E4
., xrefs: 02E7095F

Memory Dump Source

Source File: 00000000.00000002.1751277503.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_NhWAWEhCi7.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 287e713a2db326786889162caae7903c639500ec7d0b6593386faa682be91b37
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 5F3148B6910609DFDB10CF99C880AEEBBF9FF48328F15904AD841A7210D771EA45CBA4

Function 02EF3FC8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751429960.0000000002EED000.00000040.00000020.00020000.00000000.sdmp, Offset: 02EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eed000_NhWAWEhCi7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 9c0ac53d566da7ee85748f0f96da6336f4a02dd4eea8e0055eba38e1e709fc7f
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 851182723801019FD754DF55DC81EA773EAEB88324B19C065EE04CB751D679EC01CB60

Function 02E70D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751277503.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_NhWAWEhCi7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 697f7021d345f88e18bf6641047f8299271f0363d8c5745f2195e1f4aa7645a0
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 04012672A506008FDF21CF60D804BAA33F5FB8630AF1590B5DA0AD7281E370A941CB80

Analysis Process: bbehcjhPID: 7648, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	28.6%
Signature Coverage:	0%
Total number of Nodes:	98
Total number of Limit Nodes:	3

Executed Functions

Function 00401496 Relevance: 10.7, APIs: 7, Instructions: 247
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000005.00000002.1989212080.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bbehcjh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
Instruction ID: 8e4940cc2d5d294876689a6a874cb0cc3c399929e81e9dec1e5d288c8cd9e9dd
Opcode Fuzzy Hash: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
Instruction Fuzzy Hash: F481B375500244BBEB209F91CC44FAB7BB8FF85704F10412AF952BA2F1E7749901CB69

Function 00401538 Relevance: 10.7, APIs: 7, Instructions: 207
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000005.00000002.1989212080.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bbehcjh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
Instruction ID: 71a4d0092025beca94809e07d65936591d52f1bb8effc294688e3fcd05e54c36
Opcode Fuzzy Hash: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
Instruction Fuzzy Hash: E0615171900204FBEB209F95CC89FAF7BB8FF85700F10412AF912BA2E5D6759905DB65

Function 004014DE Relevance: 10.7, APIs: 7, Instructions: 204
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000005.00000002.1989212080.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bbehcjh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
Instruction ID: 6a824664258ffec6fdf95c516407446232c8a84219ad61b9fd4b8efeb52f3576
Opcode Fuzzy Hash: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
Instruction Fuzzy Hash: 9B615C75900245BFEB219F91CC88FEBBBB8FF85710F10016AF951BA2A5E7749901CB24

Function 00401543 Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000005.00000002.1989212080.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bbehcjh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
Instruction ID: 1fc6fb52bb36dddf8f971a96ecfe927bdbae9887f6286775c14151e9c1d92244
Opcode Fuzzy Hash: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
Instruction Fuzzy Hash: 13512B71900245BBEB209F91CC88FAF7BB8EF85B00F14416AF912BA2E5D6749945CB64

Function 00401565 Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000005.00000002.1989212080.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bbehcjh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
Instruction ID: d88667ffe02cbbb2798d41d5ad0cf6527765788d972b82ac88077c7d238bff09
Opcode Fuzzy Hash: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
Instruction Fuzzy Hash: 54511A71900205BFEF209F91CC89FAFBBB8FF85B10F104259F911AA2A5D7759941CB64

Function 00401579 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000005.00000002.1989212080.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bbehcjh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
Instruction ID: 7169477154cf1621f4f222e223ad54e678f31395e99d0ffd613e12cb64d905d3
Opcode Fuzzy Hash: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
Instruction Fuzzy Hash: 2B511A75900245BBEF209F91CC88FEF7BB8FF85B10F104119F911BA2A5D6759941CB64

Function 0040157C Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000005.00000002.1989212080.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bbehcjh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
Instruction ID: 14f4b29c405daff92d21e2b3eea283823ae405efc36948ac0d92101f557811aa
Opcode Fuzzy Hash: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
Instruction Fuzzy Hash: DE51F9B5900245BBEF209F91CC88FEFBBB8FF85B10F104259F911AA2A5D6709944CB64

Function 00402FE9 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040311D
NtTerminateProcess.NTDLL ref: 00403136

Memory Dump Source

Source File: 00000005.00000002.1989212080.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bbehcjh.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 3e1675bac70c022a4e457ffe6b5fa54937b73e0116388ba90aec32851b4d9964
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: A1412431228E088FD768EF5CA885762B7D5F798311F6643AAE809D7389EA34DC1183C5

Function 02C5003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02C5024D

Strings

kernel32.dll, xrefs: 02C5008F, 02C50095
cess, xrefs: 02C5018D

Memory Dump Source

Source File: 00000005.00000002.1990395663.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c50000_bbehcjh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: e960cce4acba98ac68a39fa51e6040441086c40ca2c0e3b12c514bf97e7ed000
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: A0525875A01229DFDB64CF68C985BACBBB1BF09304F1480D9E94DAB351DB30AA85DF14

Function 02C83613 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C8363B
Module32First.KERNEL32(00000000,00000224), ref: 02C8365B

Memory Dump Source

Source File: 00000005.00000002.1990497088.0000000002C7C000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C7C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c7c000_bbehcjh.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: acf236ef9bba46edb9e7693892f578a27d90a4f9630f776379643a6884fb37a7
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 4DF0F635200351AFD7203BFD988CB6E72E8BF88A2CF109168E643D31C0DB70E9058A65

Function 02C50E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02C50223,?,?), ref: 02C50E19
SetErrorMode.KERNELBASE(00000000,?,?,02C50223,?,?), ref: 02C50E1E

Memory Dump Source

Source File: 00000005.00000002.1990395663.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c50000_bbehcjh.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: c998ced5b4aa7406a05d05b96303911ae47e2db1e17efe11ca91a907a80a0a56
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 2CD0123114512877D7002A94DC09BCD7B1CDF09B66F108011FB0DD9080C7B0964046E9

Function 00401918 Relevance: 1.3, APIs: 1, Instructions: 57
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000005.00000002.1989212080.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bbehcjh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F

Function 00401924 Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000005.00000002.1989212080.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bbehcjh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F

Function 02C832D2 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02C83323

Memory Dump Source

Source File: 00000005.00000002.1990497088.0000000002C7C000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C7C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c7c000_bbehcjh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 72f3dd1075dd79e74cb3253d1050b2fcbfc678865891ee5be2c9037052733516
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 3B113C79A00208EFDB01DF98C985E98BBF5AF08751F09C094F9489B361D771EA50EF90

Function 00401941 Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000005.00000002.1989212080.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bbehcjh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F

Function 00401954 Relevance: 1.3, APIs: 1, Instructions: 43sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000005.00000002.1989212080.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bbehcjh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
Instruction ID: f7568a5a22988f4b084f7ac8228f9b89e575eda69d31bfffabc36cd9cbe45c64
Opcode Fuzzy Hash: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
Instruction Fuzzy Hash: BDF0C2B6208144F7DB019AA18DB1FBA36299B44314F300233BA17B90F5C67C8612E76F

Function 0040194C Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000005.00000002.1989212080.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bbehcjh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
Instruction ID: 9d6088553fbd849a34ffa1589a5f9bffd683413c7e042594889390f4c4f3f426
Opcode Fuzzy Hash: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
Instruction Fuzzy Hash: 08F0C2B2208144F7DB019A958DA0FBA36299B44314F300633B617B91F5C57C8A02E72F

Analysis Process: setup.exePID: 6848, Parent PID: 7824COMMON

Execution Graph

Execution Coverage:	17.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.2%
Total number of Nodes:	1368
Total number of Limit Nodes:	27

Executed Functions

Function 004034CC Relevance: 94.9, APIs: 34, Strings: 20, Instructions: 417
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 004034EF
GetVersionExA.KERNEL32(?), ref: 00403518
GetVersionExA.KERNEL32(0000009C), ref: 0040352F
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
OleInitialize.OLE32(00000000), ref: 0040363C
SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
CharNextA.USER32(00000000,"C:\Users\user\AppData\Local\Temp\setup.exe",00000020,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,00000007,00000009,0000000B), ref: 004036A9
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403808
ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
ExitProcess.KERNEL32 ref: 004038D4
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403901
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp), ref: 0040390D
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,0041F910,00000001), ref: 0040399B
CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
ExitProcess.KERNEL32 ref: 00403A76

Strings

~nsu, xrefs: 004038DF
"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00403675, 0040367B, 0040382A
", xrefs: 004036CC
.tmp, xrefs: 004038FB
TMP, xrefs: 004037EF
C:\Users\user\AppData\Local\Temp, xrefs: 00403906, 0040390B, 00403938
1033, xrefs: 00403803
C:\Users\user\AppData\Roaming\GamePall, xrefs: 00403891
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034E1
A, xrefs: 0040356A
TEMP, xrefs: 004037E7
SeShutdownPrivilege, xrefs: 00403A0B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403797, 0040379C, 004037B2, 004037BE, 004037CD, 004037DA, 004037E6, 004037EE, 004038E4, 004038F5, 00403900, 0040390C, 00403919, 00403928, 004039DD
Error launching installer, xrefs: 0040386C
Low, xrefs: 004037D5
NSIS Error, xrefs: 00403660
C:\Users\user\AppData\Roaming\GamePall, xrefs: 00403787, 00403886, 0040392F, 00403939
\Temp, xrefs: 004037B9
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00403996
UXTHEME, xrefs: 004035EC, 004035F1, 004035F7

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "$"C:\Users\user\AppData\Local\Temp\setup.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2882342585-56685449
Opcode ID: 52eec0119052631d70130b9923c1eece19bfae2d8fd8cd18d56f0b379d03721e
Instruction ID: 1a4863036e4e50ed5e1acae1e6299f6db15da00d6e87979e5214c03ba8a99dba
Opcode Fuzzy Hash: 52eec0119052631d70130b9923c1eece19bfae2d8fd8cd18d56f0b379d03721e
Instruction Fuzzy Hash: 99E1D270A04354AADB21AF659D49B6F7EB89F86306F0540BFF441B61D2CB7C4A05CB2E

Function 00405B4A Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405B73
lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BBB
lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BDC
lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BE2
FindFirstFileA.KERNELBASE(00421D58,?,?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BF3
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
FindClose.KERNEL32(00000000), ref: 00405CB1

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00405B53
\*.*, xrefs: 00405BB5

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$\*.*
API String ID: 2035342205-2430568624
Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69

Function 00406A88 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45

Function 004066FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(74DF3410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0), ref: 0040670A
FindClose.KERNEL32(00000000), ref: 00406716

Strings

C:\, xrefs: 004066FF

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC

Function 00403B6E Relevance: 49.2, APIs: 13, Strings: 15, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1

lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403BE9
lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,?,?,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000000,C:\Users\user\AppData\Roaming\GamePall,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74DF3410), ref: 00403C5E
lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403C7C
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\GamePall), ref: 00403CC5

Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3

RegisterClassA.USER32(00423EE0), ref: 00403D02
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403D85
GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
RegisterClassA.USER32(00423EE0), ref: 00403DC7
DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00403B71
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, xrefs: 00403C2C, 00403C34, 00403C41, 00403C8B, 00403C91
RichEdit, xrefs: 00403DB8
RichEdit20A, xrefs: 00403DA9, 00403DAF
1033, xrefs: 00403B8E, 00403BE4
Control Panel\Desktop\ResourceLocale, xrefs: 00403BA2
RichEd32, xrefs: 00403D99
C:\Users\user\AppData\Local\Temp\, xrefs: 00403B73
C:\Users\user\AppData\Roaming\GamePall, xrefs: 00403BF8, 00403C00, 00403C98, 00403C9E, 00403CAE
.DEFAULT\Control Panel\International, xrefs: 00403BD4
_Nb, xrefs: 00403CE1, 00403D49
RichEd20, xrefs: 00403D8B
PB, xrefs: 00403B9A
.exe, xrefs: 00403C6B
>B, xrefs: 00403CD4

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
API String ID: 1975747703-4005560175
Opcode ID: e590d0c5fa98f393744fb4f016bdb4800495c857999addaceec8a385476c3f6f
Instruction ID: 5836c5bb6a6ef8c4ff0aed12ec42ff3eebf2d58129c507535c8ab2622d1094a3
Opcode Fuzzy Hash: e590d0c5fa98f393744fb4f016bdb4800495c857999addaceec8a385476c3f6f
Instruction Fuzzy Hash: 4F61D670204200AED620AF65AD45F3B3A7CEB8574AF41453FF951B62E2CB7D9D028B6D

Function 00402F5C Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F70
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\setup.exe,00000400), ref: 00402F8C

Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
Part of subcall function 00405F1B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00402FD5
GlobalAlloc.KERNEL32(00000040,00000009), ref: 00403117

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00402F65
Inst, xrefs: 00403041
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
Error launching installer, xrefs: 00402FAC
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004031AE
soft, xrefs: 0040304A
C:\Users\user\AppData\Local\Temp, xrefs: 00402FB7, 00402FBC, 00402FC2
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160
Null, xrefs: 00403053

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1937576205
Opcode ID: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
Instruction ID: 8a05da1d373fd2b3e089436e62a275652004ed3b6aa6cfe031be989f12afac8e
Opcode Fuzzy Hash: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
Instruction Fuzzy Hash: 0771E231A01218ABDB20EF65DD85B9E7BACEB44356F10813BF910BA2C1D77C9E458B5C

Function 0040641B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000400), ref: 00406549
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe), ref: 004065A6
CoTaskMemFree.OLE32(00000000), ref: 004065B2
lstrcatA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D0
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406518
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, xrefs: 00406445, 00406515, 00406516, 00406517, 00406533, 00406548, 0040655B, 00406577, 004065A2, 004065D5, 004065DB, 004065F3, 00406606, 00406621, 00406627, 0040662F, 00406659

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-2103940979
Opcode ID: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
Instruction ID: f38e20b3a3e0c1a2470d5ac0c6d90f06be75126661b475aa23e0086d5b044b98
Opcode Fuzzy Hash: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
Instruction Fuzzy Hash: 9F612370900114AEDF205F24EC90BBA3BA4EB52314F52403FE913B62D1D37D8A62DB4E

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000000,00000000,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Strings

C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe, xrefs: 00401826, 00401842
C:\Users\user\AppData\Roaming\GamePall, xrefs: 00401786

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
API String ID: 1941528284-2333790722
Opcode ID: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
Instruction ID: 0d76be79c55a0237b493b10f9ec5be6125ba7ce9be49b25e4c886387d44134cc
Opcode Fuzzy Hash: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
Instruction Fuzzy Hash: E141B731900615BBCB107BB5CC45DAF3668EF45329B61833BF422F10E1D67C8A529AAE

Function 00406726 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
wsprintfA.USER32 ref: 00406776
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A

Strings

\, xrefs: 0040674E
%s%s.dll, xrefs: 00406770
UXTHEME, xrefs: 0040672F

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction ID: 0c3db372634d2cfba6f48721b0c795b31ebca02323a8b7d7371d162bf0ec7b9a
Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction Fuzzy Hash: FBF0FC7050021966DB15A764DD0DFEA365CAB08309F1404BEA586E20C1D6B8D5258B69

Function 004027E8 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
GlobalFree.KERNEL32(?), ref: 004028A4
GlobalFree.KERNEL32(00000000), ref: 004028B7
FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Global$AllocFree$ChangeCloseDeleteFileFindNotification
String ID:
API String ID: 2989416154-0
Opcode ID: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
Instruction ID: cd924008ac91bdcd896aacfcc8aadc4f9c7de1b4393fc14a433ce499bdbf1d56
Opcode Fuzzy Hash: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
Instruction Fuzzy Hash: D931AC32800128ABDF216FA5DE49D9E7A75FF08364F24423AF450B62D0CB7949419F68

Function 004020A5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020D0

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020E0
GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A

Strings

0-q, xrefs: 0040211F

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: 0-q
API String ID: 2987980305-3691128775
Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E

Function 00405F4A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F5E
GetTempFileNameA.KERNELBASE(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78

Strings

nsa, xrefs: 00405F55
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F4D

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798

Function 00403A7C Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81
C:\Users\user\AppData\Local\Temp\nsk862A.tmp\, xrefs: 00403AB2

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsk862A.tmp\
API String ID: 2962429428-3453386264
Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
Opcode Fuzzy Hash: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040596F: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\GamePall,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\GamePall, xrefs: 00401631

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\GamePall
API String ID: 1892508949-2308708932
Opcode ID: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
Opcode Fuzzy Hash: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E

Function 00405E08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395

Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405E5B
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0), ref: 00405E6B

Strings

C:\, xrefs: 00405E0E, 00405E13, 00405E19, 00405E54, 00405E5A, 00405E62, 00405E6A

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
Instruction ID: eca821d8ca18e415d707ee210574ba5bb9731226a542ad11e9256983d04766a4
Opcode Fuzzy Hash: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
Instruction Fuzzy Hash: F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE

Function 00406EBD Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
Instruction ID: 14484b0326c8a5630d33184448731c7578348ec986130544f859662fecd3ad08
Opcode Fuzzy Hash: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
Instruction Fuzzy Hash: 04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45

Function 004070BE Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
Instruction ID: 16a3963220edad981734dfbd86db7ae4535d0e52bcc7a87e0ef86c627c8cfaa4
Opcode Fuzzy Hash: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
Instruction Fuzzy Hash: 2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45

Function 00406DD4 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
Instruction ID: e981be8a744509f315cfd76b32476d9c10b76e0a4aa84739a8d113cb33934a41
Opcode Fuzzy Hash: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
Instruction Fuzzy Hash: 37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45

Function 004068D9 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
Opcode Fuzzy Hash: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45

Function 00406D27 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
Instruction ID: 516ab04208dd2bc2fd7cdea6c41d3130492ff38fa800e35acf718bd73fbf6333
Opcode Fuzzy Hash: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
Instruction Fuzzy Hash: A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45

Function 00406E45 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
Instruction ID: 835baf8de871759411e2c74e4a47f0112f02d54065241c3c7dcda5dc236b3f46
Opcode Fuzzy Hash: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
Instruction Fuzzy Hash: 92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
Instruction ID: ccec74d0ee3a806077926e8984c2e201e8b1f3d886c73ab216be699138b2bca7
Opcode Fuzzy Hash: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
Instruction Fuzzy Hash: 39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45

Function 00403305 Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403319

Part of subcall function 00403484: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403182,?), ref: 00403492

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
SetFilePointer.KERNELBASE(155C335B,00000000,00000000,004138F8,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
Opcode Fuzzy Hash: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD

Function 0040247E Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
RegSetValueExA.KERNELBASE(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
Instruction ID: e1e6ae2a7b536448810537a1ffa9a52b32d6c636ce9630cd27147c6707bb0a71
Opcode Fuzzy Hash: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
Instruction Fuzzy Hash: 04116371E04208AFEB10AFA5DE49AAEBA74EB84714F21443BF504F71C1DAB94D409B68

Function 00402590 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 039baf7d42ae34e4e7f4f0d82c42536c565db7a64b10d6b3f593835efb4c20b6
Instruction ID: 33ff3e85e785963e302667c06a3cb1355a7acd8bf142a31c2560ef5bcfc7d759
Opcode Fuzzy Hash: 039baf7d42ae34e4e7f4f0d82c42536c565db7a64b10d6b3f593835efb4c20b6
Instruction Fuzzy Hash: 2C017571904104FFE7158F54DE88ABF7BACEF81358F20443EF101A61C0DAB44E449679

Function 00405B02 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EF6: GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
Part of subcall function 00405EF6: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F

RemoveDirectoryA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B1D
DeleteFileA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B25
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction ID: eeb49a2f717892c2e0964ab94aaac89db2a73fdd151ed94c70539e0cf44bba43
Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction Fuzzy Hash: 6CE0E531109A9097C62067349908A5B7AF8EF86314F094D3AF9A1F20D0DB38B9468EBD

Function 004031FD Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9

Function 0040251E Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040254E
RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 6617ca3d26eaa2170afdc71dc748124b2257766e2e1ea0df1a2f7a4cdc0ba340
Instruction ID: 7c766f3f1fb2abd04e903467a79d83897fdaad9d0bba0580308fe752c8381985
Opcode Fuzzy Hash: 6617ca3d26eaa2170afdc71dc748124b2257766e2e1ea0df1a2f7a4cdc0ba340
Instruction Fuzzy Hash: 1B11BF71905205EFDB25CF64DA985AE7BB4AF11355F20483FE042B72C0D6B88A85DA1D

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D

Function 00405A21 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
CloseHandle.KERNEL32(?), ref: 00405A57

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78

Function 00406794 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
GetProcAddress.KERNEL32(00000000,?), ref: 004067C1

Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
Part of subcall function 00406726: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
Opcode Fuzzy Hash: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D

Function 00405F1B Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19

Function 00405EF6 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 2a9487917742c73a52daa6fa2dda6e447083e2efb983b62a69771bacbdb33add
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: E3D0C972504422ABD2102728AE0889BBB55DB94271702CA35FDA5A26F1DB304C569A9C

Function 004059EC Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction ID: 42ce2bd36b25b14d2ed8d631edf33fc643f4c4eb5ed9af5e51ab4a49ffb09bba
Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction Fuzzy Hash: 9BC04C303145419AD6505B309F4DB177A54AB50741F51553A638AE01A0DA348465DD2D

Function 0040623C Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: 57b18be241489d6c3509c0f1b2cb500900bdd64e2c84313365475615acd8ae2e
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: 16E0E672010109BEDF196F50DD0AD7B371DEB04341F01492EF916D4091E6B5A9309734

Function 00405FC2 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0040C475,0040B8F8,00403405,0040B8F8,0040C475,004138F8,00004000,?,00000000,0040322F,00000004), ref: 00405FD6

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d5187e51ab0d96a1766449b5dbb93cac2cdd9e80b7d20ab2fc0b5d8c8d5322e8
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 4AE0EC3221065BABDF109E659C04EEB7B6CEB05360F004437FA55E3150D675E8219BA4

Function 00405F93 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,004138F8,0040B8F8,00403481,00000009,00000009,00403385,004138F8,00004000,?,00000000,0040322F), ref: 00405FA7

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8

Function 00403484 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403182,?), ref: 00403492

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Function 00401F7B Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Part of subcall function 00405A21: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C

Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
Instruction ID: dce1314ccbc215d7d9c334b017be086f7c4cc40ba0f87dfe0d8145fd67a5eb82
Opcode Fuzzy Hash: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
Instruction Fuzzy Hash: 2DF0B432A05121DBDB20BFA59EC49EEB2A4DF41318B25463FF502B21D1CB7C4D418A6E

Non-executed Functions

Function 004055E7 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405646
GetDlgItem.USER32(?,000003EE), ref: 00405655
GetClientRect.USER32(?,?), ref: 00405692
GetSystemMetrics.USER32(00000002), ref: 00405699
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056BA
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056CB
SendMessageA.USER32(?,00001001,00000000,?), ref: 004056DE
SendMessageA.USER32(?,00001026,00000000,?), ref: 004056EC
SendMessageA.USER32(?,00001024,00000000,?), ref: 004056FF
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405721
ShowWindow.USER32(?,00000008), ref: 00405735
GetDlgItem.USER32(?,000003EC), ref: 00405756
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405766
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040577F
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040578B
GetDlgItem.USER32(?,000003F8), ref: 00405664

Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448

GetDlgItem.USER32(?,000003EC), ref: 004057A7
CreateThread.KERNEL32(00000000,00000000,Function_0000557B,00000000), ref: 004057B5
CloseHandle.KERNEL32(00000000), ref: 004057BC
ShowWindow.USER32(00000000), ref: 004057DF
ShowWindow.USER32(?,00000008), ref: 004057E6
ShowWindow.USER32(00000008), ref: 0040582C
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
CreatePopupMenu.USER32 ref: 00405871
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
GetWindowRect.USER32(?,000000FF), ref: 004058A6
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
OpenClipboard.USER32(00000000), ref: 0040590B
EmptyClipboard.USER32 ref: 00405911
GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
GlobalLock.KERNEL32(00000000), ref: 00405924
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
GlobalUnlock.KERNEL32(00000000), ref: 00405951
SetClipboardData.USER32(00000001,00000000), ref: 0040595C
CloseClipboard.USER32 ref: 00405962

Strings

PB, xrefs: 004058D7

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: PB
API String ID: 590372296-3196168531
Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58

Function 00404897 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004048E6
SetWindowTextA.USER32(00000000,?), ref: 00404910
SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
CoTaskMemFree.OLE32(00000000), ref: 004049CC
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00420D50), ref: 004049FE
lstrcatA.KERNEL32(?,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe), ref: 00404A0A
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C

Part of subcall function 00405A82: GetDlgItemTextA.USER32(?,?,00000400,00404A53), ref: 00405A95

Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
Part of subcall function 00406666: CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0

GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5

Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07

Strings

A, xrefs: 004049BA
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, xrefs: 004049F8, 004049FD, 00404A08
C:\Users\user\AppData\Roaming\GamePall, xrefs: 004049E7
PB, xrefs: 00404994

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$PB
API String ID: 2624150263-3665957329
Opcode ID: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
Instruction ID: 03633cdec68ae3b48ba4c7d33c4768738bfb21d85bfcf2e4b9185cba9ee35c0f
Opcode Fuzzy Hash: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
Instruction Fuzzy Hash: 7DA150B1A00208AADB11EFA5DD45BAFB6B8EF84315F10803BF601B62D1D77C99418F6D

Function 00402173 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA

Strings

C:\Users\user\AppData\Roaming\GamePall, xrefs: 00402238

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\GamePall
API String ID: 123533781-2308708932
Opcode ID: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
Instruction ID: 4a55140eb955682c0845ac661669d1effe53c60cfc8a987c49de3bb9103baba8
Opcode Fuzzy Hash: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
Instruction Fuzzy Hash: B2513575A00208AFDF10DFE4CA88A9D7BB5EF48314F2045BAF505EB2D1DA799981CB54

Function 004027AA Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B9

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3697544f2be0618a58616ff40495ed399055e36512a5e022deae8fba2564a7e1
Instruction ID: 9767438fe71d1176ff9aac627a01f72906af616df08219c0cc944b63bddc0547
Opcode Fuzzy Hash: 3697544f2be0618a58616ff40495ed399055e36512a5e022deae8fba2564a7e1
Instruction Fuzzy Hash: CCF0A0726082049AD710EBA49A49AEEB7689F51324F60057BF142F20C1D6B889459B2A

Function 00404E0A Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404E21
GetDlgItem.USER32(?,00000408), ref: 00404E2E
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E7D
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E94
SetWindowLongA.USER32(?,000000FC,0040541D), ref: 00404EAE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EC0
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404ED4
SendMessageA.USER32(?,00001109,00000002), ref: 00404EEA
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404EF6
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F06
DeleteObject.GDI32(00000110), ref: 00404F0B
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F36
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F42
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404FDC
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 0040500C

Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448

SendMessageA.USER32(?,00001100,00000000,?), ref: 00405020
GetWindowLongA.USER32(?,000000F0), ref: 0040504E
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040505C
ShowWindow.USER32(?,00000005), ref: 0040506C
SendMessageA.USER32(?,00000419,00000000,?), ref: 00405167
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051CC
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004051E1
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405205
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405225
ImageList_Destroy.COMCTL32(?), ref: 0040523A
GlobalFree.KERNEL32(?), ref: 0040524A
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052C3
SendMessageA.USER32(?,00001102,?,?), ref: 0040536C
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040537B
InvalidateRect.USER32(?,00000000,00000001), ref: 004053A6
ShowWindow.USER32(?,00000000), ref: 004053F4
GetDlgItem.USER32(?,000003FE), ref: 004053FF
ShowWindow.USER32(00000000), ref: 00405406

Strings

, xrefs: 004053DE
N, xrefs: 004050A5
M, xrefs: 00404FC4

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
Instruction ID: c306c4130ea67d8582adb4b0d0e706bf782d7aff15223233fd0d43401108afdf
Opcode Fuzzy Hash: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
Instruction Fuzzy Hash: 6C025CB0A00609AFDB209F94DD45AAE7BB5FB84354F10817AF610BA2E1D7789D42CF58

Function 00403F0B Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
ShowWindow.USER32(?), ref: 00403F67
GetWindowLongA.USER32(?,000000F0), ref: 00403F79
ShowWindow.USER32(?,00000004), ref: 00403F92
DestroyWindow.USER32 ref: 00403FA6
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FBF
GetDlgItem.USER32(?,?), ref: 00403FDE
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403FF2
IsWindowEnabled.USER32(00000000), ref: 00403FF9
GetDlgItem.USER32(?,00000001), ref: 004040A4
GetDlgItem.USER32(?,00000002), ref: 004040AE
SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404119
GetDlgItem.USER32(?,00000003), ref: 004041BF
ShowWindow.USER32(00000000,?), ref: 004041E0
EnableWindow.USER32(?,?), ref: 004041F2
EnableWindow.USER32(?,?), ref: 0040420D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
EnableMenuItem.USER32(00000000), ref: 0040422A
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404242
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404255
lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
SetWindowTextA.USER32(?,00420D50), ref: 0040428E
ShowWindow.USER32(?,0000000A), ref: 004043C2

Strings

PB, xrefs: 0040426F

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID: PB
API String ID: 1860320154-3196168531
Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D

Function 00404570 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004045FB
GetDlgItem.USER32(00000000,000003E8), ref: 0040460F
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040462D
GetSysColor.USER32(?), ref: 0040463E
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040464D
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040465C
lstrlenA.KERNEL32(?), ref: 0040465F
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040466E
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404683
GetDlgItem.USER32(?,0000040A), ref: 004046E5
SendMessageA.USER32(00000000), ref: 004046E8
GetDlgItem.USER32(?,000003E8), ref: 00404713
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404753
LoadCursorA.USER32(00000000,00007F02), ref: 00404762
SetCursor.USER32(00000000), ref: 0040476B
LoadCursorA.USER32(00000000,00007F00), ref: 00404781
SetCursor.USER32(00000000), ref: 00404784
SendMessageA.USER32(00000111,00000001,00000000), ref: 004047B0
SendMessageA.USER32(00000010,00000000,00000000), ref: 004047C4

Strings

N, xrefs: 00404701
6B, xrefs: 0040476F

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$6B
API String ID: 3103080414-649610290
Opcode ID: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
Instruction ID: 424ea1d81b5f8fd67bb79b8421ee67f108f717641e3cc5fc4ea293435da972af
Opcode Fuzzy Hash: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
Instruction Fuzzy Hash: CE6190B1A40208BFDB109F61DD45B6A7B69FB84715F10843AFB01BB2D1C7B8A951CF98

Function 00405FF1 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
GetShortPathNameA.KERNEL32(?,00422AE0,00000400), ref: 0040602B

Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2

GetShortPathNameA.KERNEL32(?,00422EE0,00000400), ref: 00406048
wsprintfA.USER32 ref: 00406066
GetFileSize.KERNEL32(00000000,00000000,00422EE0,C0000000,00000004,00422EE0,?,?,?,?,?), ref: 004060A1
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004226E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
GlobalFree.KERNEL32(00000000), ref: 0040614F
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156

Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
Part of subcall function 00405F1B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

Strings

.B, xrefs: 00406044
.B, xrefs: 0040603D
[Rename], xrefs: 004060D0, 004060E2
%s=%s, xrefs: 0040605C
*B, xrefs: 00406010

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]$*B$.B$.B
API String ID: 2171350718-3836630945
Opcode ID: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
Instruction ID: 7566a5a9e9d08134d14435fb5d3e1561ad96112206bac95af022f508aac3f812
Opcode Fuzzy Hash: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
Instruction Fuzzy Hash: 68310531200715BBC2207B659D49F6B3A5DDF85754F15003EFE42BA2C3EA7CD8228AAD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
Instruction ID: bc851ab26da2bb863bf3a2ee07eb2f950de800ada4cbee7b2d64f78586a04119
Opcode Fuzzy Hash: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
Instruction Fuzzy Hash: 2C419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C734DA55DFA4

Function 004054A9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
SetWindowTextA.USER32(00420530,00420530), ref: 00405517
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Strings

4/@, xrefs: 004054EF, 00405501

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: 4/@
API String ID: 2531174081-3101945251
Opcode ID: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
Instruction ID: 7ab3267fb946cf8e7efc5916356ec1270af3577e2396c2c3629ce5ef3fcb69de
Opcode Fuzzy Hash: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
Instruction Fuzzy Hash: 0F217A71E00118BBCF119FA5DD8099EBFB9EF09354F04807AF944A6291C7788A90CFA8

Function 00406666 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00406666
*?|<>/":, xrefs: 004066AE
C:\Users\user\AppData\Local\Temp\, xrefs: 00406667

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1678727643
Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction ID: 80d428334b402c3338f843ea799862c1973996ffb1638880579f4ae0c72fc655
Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction Fuzzy Hash: 7E1108518047902DEB3206340C04B7B7F894F977A0F2A087FD8C6722C2D67E5C62967D

Function 00402EBD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402ED5
GetTickCount.KERNEL32 ref: 00402EF3
wsprintfA.USER32 ref: 00402F21

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
ShowWindow.USER32(00000000,00000005), ref: 00402F53

Part of subcall function 00402EA1: MulDiv.KERNEL32(00000000,00000064,0000D822), ref: 00402EB6

Strings

#Vh%.@, xrefs: 00402F34
... %d%%, xrefs: 00402F1B

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%$#Vh%.@
API String ID: 722711167-1706192003
Opcode ID: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
Instruction ID: ac0ca11ee9366edb0cc6a28cc5aeb329eacd7d00ab00b3c3670f6d564c8935e4
Opcode Fuzzy Hash: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
Instruction Fuzzy Hash: 3F01A170542225EBCB21BB50EF0CBAB3778EB40744B04443BF505B21D0C7F894469AEE

Function 0040446C Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404489
GetSysColor.USER32(00000000), ref: 004044C7
SetTextColor.GDI32(?,00000000), ref: 004044D3
SetBkMode.GDI32(?,?), ref: 004044DF
GetSysColor.USER32(?), ref: 004044F2
SetBkColor.GDI32(?,?), ref: 00404502
DeleteObject.GDI32(?), ref: 0040451C
CreateBrushIndirect.GDI32(?), ref: 00404526

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction ID: 76b6fc4927f6120469f5ffa52701fcd3ddd76896e52d32ad6f55637f73cee333
Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction Fuzzy Hash: 9E2147B1501704AFCB31DF68ED08B5BBBF8AF41715B04892EEA96A26E0D734E904CB54

Function 00404D58 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D73
GetMessagePos.USER32 ref: 00404D7B
ScreenToClient.USER32(?,?), ref: 00404D95
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DA7
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DCD

Strings

f, xrefs: 00404DA9

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: de178be9688f757f82ef56a4cbeb6693d0582b60b2ea90e1a00f6814b48fd044
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: BB014871900219BADB01DBA4DD85BFEBBF8AF95B11F10016ABA40B61C0C6B499058BA4

Function 0040596F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
GetLastError.KERNEL32 ref: 004059C6
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
GetLastError.KERNEL32 ref: 004059E5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405995
!9@, xrefs: 00405984

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: !9@$C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-2369717338
Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction ID: 4cd508ff09270142ca7a6984d66ae253fefa4e1f6983b248f3af4f59f5a14231
Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction Fuzzy Hash: 610108B1D00259DAEF109BA0CA45BEFBBB8EB04354F00403AD645B6290D7789648CF99

Function 00402E25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
wsprintfA.USER32 ref: 00402E74
SetWindowTextA.USER32(?,?), ref: 00402E84
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96

Strings

verifying installer: %d%%, xrefs: 00402E69, 00402E72
unpacking data: %d%%, xrefs: 00402E62

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
Instruction ID: 7ad4584a5e884be7344c254f70e0401137e7e46ce86c3cf658bb2ab9d23be74a
Opcode Fuzzy Hash: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
Instruction Fuzzy Hash: 1DF01D7054020DBAEF219F60DE0ABAE3769EB44344F00803AFA16B91D0DBB899558F99

Function 00404C4E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
wsprintfA.USER32 ref: 00404CF4
SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07

Strings

PB, xrefs: 00404CDE
%u.%u%s%s, xrefs: 00404CD6

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$PB
API String ID: 3540041739-838025833
Opcode ID: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
Instruction ID: 635705270cf82d3fa6c033b13715314544988666452c3f341a93ad76d23c3d90
Opcode Fuzzy Hash: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
Instruction Fuzzy Hash: 5F11E77360512837EB00656D9D45EAE3298DB85374F26423BFE26F71D1E978CC1286E8

Function 00402D3B Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: e74c2f698c9890700b4790f2c47d05d8785518f345c631b22f69380fd2d26fe8
Instruction ID: 1f7d8097ab2fb743d310579a2b4365e3e31c1a4ec17ce584dda370d325fd3950
Opcode Fuzzy Hash: e74c2f698c9890700b4790f2c47d05d8785518f345c631b22f69380fd2d26fe8
Instruction Fuzzy Hash: 1D214B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AF955B11A0D7B49EA49AA8

Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D7E
GetClientRect.USER32(?,?), ref: 00401DCC
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
Instruction ID: cb7cd4706ec086029cb46641885d9617bace417a5341e65c45b3777010ef1041
Opcode Fuzzy Hash: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
Instruction Fuzzy Hash: 35212A72E00109AFDF15DFA4DD85AAEBBB5EB88300F24417EF911F62A0DB389941DB14

Function 00401E35 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32(?,00000000), ref: 00401E6B
CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
Instruction ID: bfe7ce59390996d5b2ac71ca67757b7c78ff13e1b53bdd881068f9c0e557254e
Opcode Fuzzy Hash: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
Instruction Fuzzy Hash: 66018072504340AEE7007BB0AF8AA9A7FE8E755701F109439F241B61E2CB790449CB6C

Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
Instruction ID: a12cfbdd51ff26f17676da16b1bc06906883597644a76ef85f46b7bf1251d8d3
Opcode Fuzzy Hash: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
Instruction Fuzzy Hash: 2A218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18

Function 00405D1A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction ID: 6a6775ee8fa4d5d8d60a890cb1840bbff54d6a4bc9e312217f61a2b57c53a4e0
Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction Fuzzy Hash: 82D0A7625015307AD20167154C09DDF29488F523017094027F501B7191C67C5C1187FD

Function 00401B87 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00712D30), ref: 00401BF6
GlobalAlloc.KERNEL32(00000040,00000404), ref: 00401C08

Strings

C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, xrefs: 00401BAE, 00401BB4, 00401BCE
0-q, xrefs: 00401B8A, 00401BBA, 00401BC9, 00401BF1, 00401C1C, 00401C23

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Global$AllocFree
String ID: 0-q$C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
API String ID: 3394109436-4173110862
Opcode ID: 1742c790c76e1204b36b83cb8595e4f796a64baec2cc559805630d203923ff3a
Instruction ID: d16732292a7d53aa36264d1983316191a85a40c43d81ca2894a5c6bdb3dae948
Opcode Fuzzy Hash: 1742c790c76e1204b36b83cb8595e4f796a64baec2cc559805630d203923ff3a
Instruction Fuzzy Hash: 6921A872600208ABC720EB65CEC495E73E8EB89314765493BF502F72E1DB7CA8518B9D

Function 00405DB3 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
CharNextA.USER32(00000000), ref: 00405DC6
CharNextA.USER32(00000000), ref: 00405DDA

Strings

C:\, xrefs: 00405DB4

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction ID: a81d310af092f64b8c374c4571b8fed5a60269d48026fa3bbeeaae68e06855d2
Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction Fuzzy Hash: 71F09661904F542BFB3293648C4CB776B8DCF55351F28947BE6807A6C1C27C59808FEA

Function 0040541D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040544C
CallWindowProcA.USER32(?,?,?,?), ref: 0040549D

Part of subcall function 00404451: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404463

Strings

, xrefs: 0040542D

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
Instruction ID: ce4d6245f7a5538c18ae28323cba1b5bdda0ccdff68052f186ad3da5f1ae13b7
Opcode Fuzzy Hash: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
Instruction Fuzzy Hash: 2A015E31200608AFDF216F51DD80BAF3A66EB84716F104537FA05761D2C7799CD29F6A

Function 0040626F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00420530,?,?,?,00000002,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,00406527,80000002), ref: 004062B5
RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,00420530), ref: 004062C0

Strings

C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, xrefs: 00406272, 004062A6

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CloseQueryValue
String ID: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
API String ID: 3356406503-2798812489
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: 5c8aa4f59809ec7c4ed175be077f356401e74c3ba082423fbe1b6bbc42bea5f4
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: 8101BC72100209ABDF229F60CC09FDB3FA8EF45364F01407AFD56A6190D638C974CBA8

Function 00405D61 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D67
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D75

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00405D61

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 2709904686-47812868
Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction ID: 27c40c0738421aba4af956c8f0f705930dfe744a77a65273bf6dbb66402e0641
Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction Fuzzy Hash: CBD0A772409D706EE31353208C04B8F6A48CF13300F0D4063E481A6190C2785C424BFD

Function 00405E80 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2

Memory Dump Source

Source File: 00000009.00000002.3698670022.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3698642252.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698699251.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698724349.000000000042A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000009.00000002.3698805003.000000000042E000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_setup.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction ID: 98ea32bb50e75ca8be10b873c57fc005eda9f523d07111d413316ed06cfa332a
Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction Fuzzy Hash: 5FF06235104918AFCB129BA5DD4099EBFA8EF55350B2540B9E880F7211D674DF019BA9

Analysis Process: GamePall.exePID: 3524, Parent PID: 6848COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	43
Total number of Limit Nodes:	4

Executed Functions

Function 0622AD10 Relevance: 14.2, Strings: 11, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 0622B240
(bq, xrefs: 0622B1E8
(bq, xrefs: 0622B190
c^q, xrefs: 0622AE64
c^q, xrefs: 0622AE6E
(bq, xrefs: 0622B10C
(bq, xrefs: 0622B138
(bq, xrefs: 0622B1BC
(bq, xrefs: 0622B214
(bq, xrefs: 0622B164
c^q, xrefs: 0622AE52

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq$c^q$c^q$c^q
API String ID: 0-1042430095
Opcode ID: aef20669a45eb972bbc61a833c04b7d7aba0cf6a7d5e1c6a4ab9e59909f4d90b
Instruction ID: 8d352187d6895768ed1174077f9ca5713134d172b1d9d14bc834d8340aab4c39
Opcode Fuzzy Hash: aef20669a45eb972bbc61a833c04b7d7aba0cf6a7d5e1c6a4ab9e59909f4d90b
Instruction Fuzzy Hash: CCF17A34B20522DFC798AF29C49492D7BF2BF8970576549A8E84AEB360DF30DC45CB81

Function 00EED3E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00EED46E
GetCurrentThread.KERNEL32 ref: 00EED4AB
GetCurrentProcess.KERNEL32 ref: 00EED4E8
GetCurrentThreadId.KERNEL32 ref: 00EED541

Strings

j{>, xrefs: 00EED40C

Memory Dump Source

Source File: 0000000A.00000002.3555046996.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee0000_GamePall.jbxd

Similarity

API ID: Current$ProcessThread
String ID: j{>
API String ID: 2063062207-2355871145
Opcode ID: 0ddb11d5961933cf78a053f7a36d571a98a17be070facc492441604599e15589
Instruction ID: df7de7353579a0312d8c479f17803904008c2a17d95a90b6c12061406811328a
Opcode Fuzzy Hash: 0ddb11d5961933cf78a053f7a36d571a98a17be070facc492441604599e15589
Instruction Fuzzy Hash: B25167B0D002498FDB14DFAAD948B9EBBF1EB48304F208459E419B73A0D775A985CB65

Function 00EED3F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00EED46E
GetCurrentThread.KERNEL32 ref: 00EED4AB
GetCurrentProcess.KERNEL32 ref: 00EED4E8
GetCurrentThreadId.KERNEL32 ref: 00EED541

Strings

j{>, xrefs: 00EED40C

Memory Dump Source

Source File: 0000000A.00000002.3555046996.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee0000_GamePall.jbxd

Similarity

API ID: Current$ProcessThread
String ID: j{>
API String ID: 2063062207-2355871145
Opcode ID: 161dd7bcb29b78df67a169f0ca8757002cc941b35db854b46cb5385b67efb5e8
Instruction ID: 8e64c149cd82804e38351800b9f1d2d35a46f9e1ff6a36034f087406af41375b
Opcode Fuzzy Hash: 161dd7bcb29b78df67a169f0ca8757002cc941b35db854b46cb5385b67efb5e8
Instruction Fuzzy Hash: C55167B0900249CFDB14DFAAD948B9EBBF1EB88304F20C459E019B73A0D775A985CF65

Function 062224E0 Relevance: 5.2, Strings: 4, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06222683
$^q, xrefs: 062225A2
$^q, xrefs: 0622268F
$^q, xrefs: 06222596

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 1f621f15d84bf327cfbf754a09db5ba352c97ed7063d86dfa093eb2b1556a833
Instruction ID: 13960b1c9bef5341f6181bdc3b82d2dc5d463564381feba4da86274c49e4bf92
Opcode Fuzzy Hash: 1f621f15d84bf327cfbf754a09db5ba352c97ed7063d86dfa093eb2b1556a833
Instruction Fuzzy Hash: 2D713C31721016EFCB49AF68C89896E7BB6FF886107104469F906CB365CF32DD55CBA1

Function 06224E10 Relevance: 4.3, Strings: 3, Instructions: 506
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 0622517D
(bq, xrefs: 062251F8
(bq, xrefs: 06225250

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 5934c61db7c9eae3d65070a847d9585adc64efc731898b615dfbe48bdaf98e61
Instruction ID: b9a7d70264f15db87f494f2b98a7eba912acbd8c258f162dc6308da2c2a7cfb0
Opcode Fuzzy Hash: 5934c61db7c9eae3d65070a847d9585adc64efc731898b615dfbe48bdaf98e61
Instruction Fuzzy Hash: 59221E34A1021ADFDB54DF64D994A9EBBB2FF88310F208558E906AB365CB31EC55CF90

Function 0622AD01 Relevance: 4.0, Strings: 3, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c^q, xrefs: 0622AE6E
c^q, xrefs: 0622AE64
c^q, xrefs: 0622AE52

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: c^q$c^q$c^q
API String ID: 0-1173078842
Opcode ID: 0685332a381eaf6243213f1fd0d4887e67a24aba760c9fe438364b160cea10dd
Instruction ID: 66c5f1a848067b3c6ec7a8d2b71746dd57d0d19475d7c70390ab098de5a57df7
Opcode Fuzzy Hash: 0685332a381eaf6243213f1fd0d4887e67a24aba760c9fe438364b160cea10dd
Instruction Fuzzy Hash: 9E915B71B20522DFC798CF29C59492977F1BF8971572545A8E84AEB331DB31EC85CB80

Function 062297F8 Relevance: 3.9, Strings: 3, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0622986B
$^q, xrefs: 0622985F
(bq, xrefs: 06229964

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$$^q$$^q
API String ID: 0-1326376818
Opcode ID: e9fe09d7cd5b2a20534ba6c828cb3741b3e7aaeee3170fd7a946ebdbbf556c6e
Instruction ID: 09132e5c84bfcf7116f4e7bb25303d21bf5497666c59d7ad3f5ad06d072952b4
Opcode Fuzzy Hash: e9fe09d7cd5b2a20534ba6c828cb3741b3e7aaeee3170fd7a946ebdbbf556c6e
Instruction Fuzzy Hash: 9451BE30F20126DFD7989F2AC498A6D77F6AF89650F1440AAE906DB3A1CE71DC41CB91

Function 06222F08 Relevance: 3.9, Strings: 3, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 06223904
(bq, xrefs: 06223A95
(bq, xrefs: 062239C1

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: faf634ae9b3011f130dee05f199c52798b3a40505b445055b45d1e67dbfebfe7
Instruction ID: 68764a2e3c4d4601dfe206ee94a22a577aa04cbeb197bbf0b286058fdb402d4f
Opcode Fuzzy Hash: faf634ae9b3011f130dee05f199c52798b3a40505b445055b45d1e67dbfebfe7
Instruction Fuzzy Hash: 5641F430724322EFD7648B28D49473AB7B1EF04314F14885AEC47C7A91CBBAE9828790

Function 053E7158 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

j{>, xrefs: 053E725F

Memory Dump Source

Source File: 0000000A.00000002.3683986069.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53e0000_GamePall.jbxd

Similarity

API ID:
String ID: j{>
API String ID: 0-2355871145
Opcode ID: 091c19b7c54f295674f36e311da996f85c94d045f8b81b4bdc30f5a10ac0dfc1
Instruction ID: 0b232708e6a82ff9ee4877d07782f489129599270f3d9bdfb9b83eafede80930
Opcode Fuzzy Hash: 091c19b7c54f295674f36e311da996f85c94d045f8b81b4bdc30f5a10ac0dfc1
Instruction Fuzzy Hash: 17412272D043A98FCB00DFB9E8543DEBBF5AF89210F18856AD449E7281EB749841CB91

Function 00EED630 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EED6BF

Strings

j{>, xrefs: 00EED657

Memory Dump Source

Source File: 0000000A.00000002.3555046996.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee0000_GamePall.jbxd

Similarity

API ID: DuplicateHandle
String ID: j{>
API String ID: 3793708945-2355871145
Opcode ID: d0d3af475bc29c40ea7a69753da74214d59c7004e6112c8dc15262ceab2756ca
Instruction ID: 4d7da3a40a65db377090fcf6af1d9903615a9e638a50fae26222348ce8b3e4ca
Opcode Fuzzy Hash: d0d3af475bc29c40ea7a69753da74214d59c7004e6112c8dc15262ceab2756ca
Instruction Fuzzy Hash: 8E2114B5D002599FDB10CF9AD884ADEBFF4EB48324F10841AE918A3350D378A945CFA4

Function 00EED638 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EED6BF

Strings

j{>, xrefs: 00EED657

Memory Dump Source

Source File: 0000000A.00000002.3555046996.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee0000_GamePall.jbxd

Similarity

API ID: DuplicateHandle
String ID: j{>
API String ID: 3793708945-2355871145
Opcode ID: da442c56242bccacd2f6a6a910e7370b7ce3e0e55ff844d72a7c10a0f3bbaca8
Instruction ID: 29e758842312040c5f904ec0f68faa5f65ed250ad159a0c91b6c3f05ea6626e8
Opcode Fuzzy Hash: da442c56242bccacd2f6a6a910e7370b7ce3e0e55ff844d72a7c10a0f3bbaca8
Instruction Fuzzy Hash: AC21F5B59002599FDB10CF9AD984ADEFFF4FB48324F14841AE918A3350D378A944CFA4

Function 00EEE020 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 00EEE090

Strings

j{>, xrefs: 00EEE042

Memory Dump Source

Source File: 0000000A.00000002.3555046996.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee0000_GamePall.jbxd

Similarity

API ID: InfoParametersSystem
String ID: j{>
API String ID: 3098949447-2355871145
Opcode ID: a53e05c64c62d8c6ab2a7ee1247896ec641eaf1235f53f5464eff22a2dd5404e
Instruction ID: 954871be61eea7454e39a84928a5d7fd0abfb28b3933703c0dfb667972c24f3e
Opcode Fuzzy Hash: a53e05c64c62d8c6ab2a7ee1247896ec641eaf1235f53f5464eff22a2dd5404e
Instruction Fuzzy Hash: 991137B28002499FCB20CF9AD444BDEBFF4FB48320F208429E558A7250D375A545CFA5

Function 00EED1CC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 00EEE090

Strings

j{>, xrefs: 00EEE042

Memory Dump Source

Source File: 0000000A.00000002.3555046996.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee0000_GamePall.jbxd

Similarity

API ID: InfoParametersSystem
String ID: j{>
API String ID: 3098949447-2355871145
Opcode ID: 223c4f4830ca523788430bf2c0428313475ae6eb94113e50efcd2b34e912a345
Instruction ID: 8b2b966acbbc6d934a40c860b6e06f32bad77223ab14c81af2b462bc86967b65
Opcode Fuzzy Hash: 223c4f4830ca523788430bf2c0428313475ae6eb94113e50efcd2b34e912a345
Instruction Fuzzy Hash: 221134B59006499FCB20DF9AC845BDEBFF4EB48320F208429E558A7351D379A944CFA4

Function 053E7240 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 053E72A7

Strings

j{>, xrefs: 053E725F

Memory Dump Source

Source File: 0000000A.00000002.3683986069.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53e0000_GamePall.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: j{>
API String ID: 1890195054-2355871145
Opcode ID: 303fe8977fec3d00ab6ed569286effa9857056cc7c3969e12e70df3444a8b95b
Instruction ID: af83440bb1cb2a519f89f80ecc7701da30028cb71e53bc76e5430c1777465548
Opcode Fuzzy Hash: 303fe8977fec3d00ab6ed569286effa9857056cc7c3969e12e70df3444a8b95b
Instruction Fuzzy Hash: 7311F3B1C0066A9BCB10DF9AC544BDEFBF4FF48324F14816AE818A7250D378A944CFA5

Function 06226128 Relevance: 2.5, Strings: 2, Instructions: 15COMMON

Download Yara Rule

Strings

$^q, xrefs: 06226147
$^q, xrefs: 06226153

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 3b29399525ad2f57ede54475e8b14e98d3fa504e6c0048e7030a8ecd5802faac
Instruction ID: e04710f9e2154037b16fe3abb59bc826d0183ba964e625b6923e34035e21630a
Opcode Fuzzy Hash: 3b29399525ad2f57ede54475e8b14e98d3fa504e6c0048e7030a8ecd5802faac
Instruction Fuzzy Hash: 10D01232E2A2875FDB6A1B6158241607FA52A4354034A40DBC4518F7E7DD59DC48C716

Function 06226ECA Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

c^q, xrefs: 0622708C

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: c^q
API String ID: 0-1660175743
Opcode ID: 42faeb4a96643ed44a397df6fd22383844d502d23ba067463a023e10c5188af4
Instruction ID: 7414aa54ac475d603867ddea61b3c6f6c33f98ba95842c6f836004fbd47e74ba
Opcode Fuzzy Hash: 42faeb4a96643ed44a397df6fd22383844d502d23ba067463a023e10c5188af4
Instruction Fuzzy Hash: F1D14E31A10225CFDB949F78C8557ADBBB2BB88300F1485A9E90ADB380DF758D85CF90

Function 06221440 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

(bq, xrefs: 06221636

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: da03a0ddcffc8d1db50d3aaf349de12efa70515200c3c978c72ed91ead4f24a1
Instruction ID: 9a74f764b1d5a3adfdd205b5f7f87285c84ea53209e24889e1980f06b0215f39
Opcode Fuzzy Hash: da03a0ddcffc8d1db50d3aaf349de12efa70515200c3c978c72ed91ead4f24a1
Instruction Fuzzy Hash: 5591A135B20127AFD7549F65C888F6E7BF6AF88610F184165EE06DB390DA70DC11CB90

Function 0622FA98 Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

$v, xrefs: 0622FD32

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: $v
API String ID: 0-3355732802
Opcode ID: cf8c6287cf0be72152595574a36588fc0195002236b49d79e615020442d4f262
Instruction ID: 81f33211c995dc29fd30297f294d2f0df0c1b5c5090743ade7b9550fb6f9fb55
Opcode Fuzzy Hash: cf8c6287cf0be72152595574a36588fc0195002236b49d79e615020442d4f262
Instruction Fuzzy Hash: 24916F70A107129FCB84EF79C59052EBBF2FF883007108A29D85ACB755EB74E945CB90

Function 062285F8 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

4c^q, xrefs: 06228748

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: 4c^q
API String ID: 0-396817635
Opcode ID: 686ee9c428c44a51d3b72fefc6a82bbb8d8caf251e4baaca44ee964ea5bdf00f
Instruction ID: 755921f38b514c273f9ae593014c384e8119a964ddc47c92e36eb2e8399ac614
Opcode Fuzzy Hash: 686ee9c428c44a51d3b72fefc6a82bbb8d8caf251e4baaca44ee964ea5bdf00f
Instruction Fuzzy Hash: 8C61A035A2011BEFDB44DFA4C8C0AA9B7F6FF48300F148665ED099B256DB35D989CB90

Function 0622E3F0 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

8u, xrefs: 0622E4EC

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: 8u
API String ID: 0-2141306415
Opcode ID: e503b7ecf5ba0b994f900c7a27bd6c285275eb2313682164c0441dc803b30dc6
Instruction ID: 8bc1f776388c5f2311c81edbcae374f8050a4a9bf67005e2f709917677c3a62e
Opcode Fuzzy Hash: e503b7ecf5ba0b994f900c7a27bd6c285275eb2313682164c0441dc803b30dc6
Instruction Fuzzy Hash: C061C238205301DFC315EF28D985A59BBF2FB48310B0585A9E8499F376DB35ED8ACB91

Function 06229F18 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

(, xrefs: 06229FB9

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 261ecfa27d03fc39c2d075989bf981a0f7380fef5ad710279aeba52e899f011c
Instruction ID: 297f1e6248d9a95b2fa545d8b8fa34f71feb0e171204a3f64ebc6a59479d9d2b
Opcode Fuzzy Hash: 261ecfa27d03fc39c2d075989bf981a0f7380fef5ad710279aeba52e899f011c
Instruction Fuzzy Hash: 78512A327102169FCB10CF58D884BABBBB6FF89300B148466FA06C7671DB31D991D7A0

Function 0622B760 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0622B894

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 8ba62e852bf04b3da40f3e4a27ebabda42be7007bef3e6e468c688f5e35ac729
Instruction ID: 5c889f585520d1000bb06e68301ae2a985f3c02d6013c05d318e375df8417815
Opcode Fuzzy Hash: 8ba62e852bf04b3da40f3e4a27ebabda42be7007bef3e6e468c688f5e35ac729
Instruction Fuzzy Hash: 424157317082949FC746AF78D86066E7FB7EFC6701B15449AE584DB392CE318D09C3A1

Function 06222ED3 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

], xrefs: 06222F19

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: 7d56edd9172e2e124c151a77fcb24f54540ccccccb0261f855513be8f369a148
Instruction ID: 113fe3954bcf1a716c9f098e4d60b415168e58a59631db9b29bed63c40d143df
Opcode Fuzzy Hash: 7d56edd9172e2e124c151a77fcb24f54540ccccccb0261f855513be8f369a148
Instruction Fuzzy Hash: 5A4108305297A2DFC3658B38C89462ABBF0EF06300B19489BDCC3CB652D7B9E945C761

Function 062285E8 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

4c^q, xrefs: 06228748

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: 4c^q
API String ID: 0-396817635
Opcode ID: bc0863f73882664f0a8a22357078b1acadfdb3ce3b770bbf1438696df14ba2f0
Instruction ID: 12bdc317ca000cc904bfbdfc53da5c157af4788ffe7f07280fb0dabfa9a6e6a3
Opcode Fuzzy Hash: bc0863f73882664f0a8a22357078b1acadfdb3ce3b770bbf1438696df14ba2f0
Instruction Fuzzy Hash: 0931E535A20117EFDB44DF94C880BA9B7B6FF88300F148269ED059B291DB75DC49CB91

Function 06220A01 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

(bq, xrefs: 06220AD9

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: d5a381c6e429dd16f1ec66579aac79488c4fa33fdfd36a081a136b1fbd92596e
Instruction ID: 27c4cb66b45217cb919ce8cc060527f1204e10cea26742e7687b9ca951cfd2bd
Opcode Fuzzy Hash: d5a381c6e429dd16f1ec66579aac79488c4fa33fdfd36a081a136b1fbd92596e
Instruction Fuzzy Hash: DC314931F101259FCB599B79C4586AE7FF2EF89710F144469E906EB390CE758C06CB91

Function 06227E4B Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06227ECD

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 2188b2a48eabb4c81db8fe03f836df7ee8db5b3dc4e656f56ed9b60b8c8ee9f2
Instruction ID: f54b132feedae0b30024ba5b7c7283d6b8b674a94d2aa492a4a0d9d06d665af2
Opcode Fuzzy Hash: 2188b2a48eabb4c81db8fe03f836df7ee8db5b3dc4e656f56ed9b60b8c8ee9f2
Instruction Fuzzy Hash: 9B312531B442119FC748DF3CC464A2E7BE7AFC9320B1544AAE849DB3A9CE35DC428790

Function 062297E9 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

$^q, xrefs: 0622985F

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 83070d0b029f290c7f2676e282b121c863187ae0243c6370a1cbe4f06d1131a3
Instruction ID: d23551a02527ac777b4534373b906edc92c0c4bf74784ea34ee7e3be232ef2f5
Opcode Fuzzy Hash: 83070d0b029f290c7f2676e282b121c863187ae0243c6370a1cbe4f06d1131a3
Instruction Fuzzy Hash: E0319334F30122AFDB949F2AC454A6977F9AF49A50F1540A9E805DB3B1CE62DC40CB91

Function 06227E70 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06227ECD

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 107df326f0694010be205f4c02dec53062e14e1263200d4d3f239f1a3051df0d
Instruction ID: 881999fceea18238e16791e199ac98cc704b643abe48dd36a940d7fac7721f3e
Opcode Fuzzy Hash: 107df326f0694010be205f4c02dec53062e14e1263200d4d3f239f1a3051df0d
Instruction Fuzzy Hash: A7219F31B542259FC748DB2DC494A2E77EBAFCC7607118469A80ADB368CE35DC428790

Function 06227978 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

,bq, xrefs: 06227990

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 4351a025f6e64822e3a375d516b97ca28bee63bab4b5bac60a58a3a6ee33fca0
Instruction ID: 0194224f2746722df0faff4a5f030d3494ccb1f08514d3bd82bbb043e41d48b5
Opcode Fuzzy Hash: 4351a025f6e64822e3a375d516b97ca28bee63bab4b5bac60a58a3a6ee33fca0
Instruction Fuzzy Hash: 5021F171B141169FCB44AB6ED85046FFBEAEFC5250710812BE909DB399CE30DD0687A1

Function 0622979F Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

$^q, xrefs: 0622985F

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: f9383597d9bb8e47c3acca6dfff0b316463e7721eb3c51ce78d860d5813edab0
Instruction ID: 66d1867b23d0657c468d92cc4f09b8f8c9201b337b8c8bc483e486a7571dd5ec
Opcode Fuzzy Hash: f9383597d9bb8e47c3acca6dfff0b316463e7721eb3c51ce78d860d5813edab0
Instruction Fuzzy Hash: 40216771F701239FDB949F2AC454A6973F5AF48B50F1940A9E905DF3B1CAA1DC81C741

Function 0622A300 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0622A396

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: bc8f57bcf1a23d85e016f4ee7816fd556771ea41bbb3db125ec7efaab4a3be5f
Instruction ID: df5329efd600bea6ef565151ab85c24bbee0b3285c645d11b259f25b4a075f9e
Opcode Fuzzy Hash: bc8f57bcf1a23d85e016f4ee7816fd556771ea41bbb3db125ec7efaab4a3be5f
Instruction Fuzzy Hash: 17217131B5011A9FCB54DBAAD8586AEBBEAFF8C311F104029E912E7250DF75AD04CB90

Function 0622D938 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

j{>, xrefs: 0622D962

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: j{>
API String ID: 0-2355871145
Opcode ID: 934c45386ac39d0ea3ba831796699a446999b0e13537533bd06741f88a8e5c64
Instruction ID: 304e353ffae59574a22996193f5479fb3dac211c24a0ea821d2ed2e58c74120a
Opcode Fuzzy Hash: 934c45386ac39d0ea3ba831796699a446999b0e13537533bd06741f88a8e5c64
Instruction Fuzzy Hash: 13217A71D11259EFCB20CFA8D558B9DBBF1EF48314F20842AE805A7340CB79A845CF94

Function 06227968 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

,bq, xrefs: 06227990

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 037cd86b8a183b69f300c632fcfc242c35e3a397a49463acba0d91fe722ad503
Instruction ID: fdbaa2e2319339c0935a61797ac6a92e9a56cf3441c12af2b47fcc5dd0a644a5
Opcode Fuzzy Hash: 037cd86b8a183b69f300c632fcfc242c35e3a397a49463acba0d91fe722ad503
Instruction Fuzzy Hash: 2001D175B0421A5FCB01DBADC84089FBBF9EF86210714806BE948DB355EA30DD1487B1

Function 06226170 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0344770f18f9253d5a9f0b8c1b20880eedebf1fb5012d483a0fd8041acd72e
Instruction ID: 102f3cfbd9414cc582e08b3cc8ce5b1537be3597c3fb536344a9d42161e4b10c
Opcode Fuzzy Hash: db0344770f18f9253d5a9f0b8c1b20880eedebf1fb5012d483a0fd8041acd72e
Instruction Fuzzy Hash: A6B15132734622EFDB645B68D4A462E77F6FB84701B248819EC4387795CFB5E881C781

Function 06228A78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b10b43b498acb97322f3f63407ecf63f7322edd8812b50666b94b5e82aa096
Instruction ID: b3b78090b99e5a9cbd8b199653df97893eb53fe459a8daaa7fdcfef19b13991d
Opcode Fuzzy Hash: 80b10b43b498acb97322f3f63407ecf63f7322edd8812b50666b94b5e82aa096
Instruction Fuzzy Hash: ED918630734622AFD7945B38D45463E77F2EB85701B10881AE803CB695DFBCDC4A8B85

Function 06222ACA Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba1ebdc62814945698ff727005c4fc4fae16a371f172cb6b14ec82167f6c8e7
Instruction ID: b974d04ae21327fe881a747b7c48d674e620a1660c1e3ad4099107c3a6b461cd
Opcode Fuzzy Hash: 2ba1ebdc62814945698ff727005c4fc4fae16a371f172cb6b14ec82167f6c8e7
Instruction Fuzzy Hash: 60A14834B1021ADFCB449FA4D895AAE7BB6EF88350F104428E806DB395DF75DD46CBA0

Function 0622CA35 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdff30fd9610e86780e6666ffd31bd207c3db4db0cad9c8ddd8fb9d0b3b5362d
Instruction ID: 53f806c87b809ddb8ccf7c3849c9874d0a298aa474be74353d11acb04349be0b
Opcode Fuzzy Hash: fdff30fd9610e86780e6666ffd31bd207c3db4db0cad9c8ddd8fb9d0b3b5362d
Instruction Fuzzy Hash: 02A12A71605741AFC396EB34C95048AFBB1EF813043558A6EC48A8F766EB71F90ACBC1

Function 06226AAF Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095a36a2593b1eac198e2f7bb9dbd474804563b914eff26f1598c304f9d51c5e
Instruction ID: c2cb5cffafd9e1922b947e4234ae48e034fc84e8b979472f10d78179f7032984
Opcode Fuzzy Hash: 095a36a2593b1eac198e2f7bb9dbd474804563b914eff26f1598c304f9d51c5e
Instruction Fuzzy Hash: CF812E35B102299FCB949F74D8557AD7BB6FB88300F1085A9E90AEB381DE349D818B91

Function 0622F018 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d55bc97806755ee39cb361744993dba76a4a0790f5a4b10f12baf9ee59e443b
Instruction ID: fb387e854b728e11eecfa42ea41a8bd1fa20067ac981fcaa7ddd1fe230d4189b
Opcode Fuzzy Hash: 9d55bc97806755ee39cb361744993dba76a4a0790f5a4b10f12baf9ee59e443b
Instruction Fuzzy Hash: 92713774E0031ADFDB15DFB5D9585ADBBB2BF88300F148129E906AB354DB749942CF41

Function 06226161 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb1601530d3517f76476bf867d4ead85c8fb8010895253fddf3d21586a314b3
Instruction ID: e1e47fb0fe066416f03cf398a3bba3e2e123764b83825cede3daa1b3d1ec1774
Opcode Fuzzy Hash: 6cb1601530d3517f76476bf867d4ead85c8fb8010895253fddf3d21586a314b3
Instruction Fuzzy Hash: 5D618131724722DFD7649B64D49462EB7F2FB84701B10881AEC8787756CBB5EC81CB91

Function 0622CAD8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749f5175d67cb1d3ef451e64547b4347c0a5175c117ede57b9fe2ab779fa4ce3
Instruction ID: 6b2aeff5536fa50835b9c75245bbcd411b9d86df79daa5291a4cb78e61011d3a
Opcode Fuzzy Hash: 749f5175d67cb1d3ef451e64547b4347c0a5175c117ede57b9fe2ab779fa4ce3
Instruction Fuzzy Hash: A271D671600601AFC396EB24C55059BFBE2EF84304354DA2EC54A9FB65EF71F94A8BC1

Function 06225C70 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf47f8e7ee4560a461fd3ec60a771d22a9184b590c3fc97270530a28ef529958
Instruction ID: de951d9ab09828425d535c6c6fca4a6010740bb0175c3edde77b0cf90e1be7d7
Opcode Fuzzy Hash: cf47f8e7ee4560a461fd3ec60a771d22a9184b590c3fc97270530a28ef529958
Instruction Fuzzy Hash: F951837171011AAFDB50DFA5D884AAFBBB9FF88310F148025EA16E7250DB31ED55CBA0

Function 06221728 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67105e25bfb67b674ac9bf5d82b08648e037ca6eca663a98414305e6d062d3f
Instruction ID: 312a91b7c1f3baf7e2c93f031d7d0fff30ce6312b620de407dac3c2c242439d8
Opcode Fuzzy Hash: b67105e25bfb67b674ac9bf5d82b08648e037ca6eca663a98414305e6d062d3f
Instruction Fuzzy Hash: 8A515835B201259FDB48DF68D888D6DB7B5FF89B5071140AAEA06DB361CB70EC14CB80

Function 0622ED28 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807007aa1a02fcde2cf6b9b4ae8c53b05f11afa43b78bb05933b9305ce7aa8e4
Instruction ID: fa4cd86dd28a888a1da5af5bc3fd9e55e7914bce64356bdd7e30125a3eae9e3c
Opcode Fuzzy Hash: 807007aa1a02fcde2cf6b9b4ae8c53b05f11afa43b78bb05933b9305ce7aa8e4
Instruction Fuzzy Hash: 3861C830E24363ABEB50DFB2E8587AD7BB5AF44305F050858DCD09A284EB7DD845DB51

Function 06228A8A Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f632d7f193a9b9496547b51813b882dad207a4b5ea9168a33c6b0de242d733c2
Instruction ID: 08217a5d57ea9661f76b2c3bc6e38354b46394c811db7a4d3475c14b19a6581d
Opcode Fuzzy Hash: f632d7f193a9b9496547b51813b882dad207a4b5ea9168a33c6b0de242d733c2
Instruction Fuzzy Hash: DD5161307246229FD7549B28D49462EB7F2FB84701B50881AE847CB795DFBCEC4ACB85

Function 0622AB48 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2528ea3b53aa9a99367d2b909d9e7118beeff5759991f8f2642b362191fb912a
Instruction ID: da3e34fa0e4a57157dbeccdd123f4b05fe0aeaf6c7d92fcee1a58521d7216231
Opcode Fuzzy Hash: 2528ea3b53aa9a99367d2b909d9e7118beeff5759991f8f2642b362191fb912a
Instruction Fuzzy Hash: 6451CF357241669FC748CF38C858A6A7BB6EF89B1171545AAF806CB7B1DB70CC42CB90

Function 0622CDC7 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c67a726a9b77c4915288bd5b574b6d2be94abb5ee988bcfbc448f294d83e12
Instruction ID: da69e242b056fa041616de69b1cfbebe93b9fca82b6302ae583af05aaf81a062
Opcode Fuzzy Hash: b3c67a726a9b77c4915288bd5b574b6d2be94abb5ee988bcfbc448f294d83e12
Instruction Fuzzy Hash: 415115716006019FC39AEF38D95159AFBE2EF843043148A6EC54B8B765EB71E94B8BC1

Function 06221918 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a97eba58560e5bd0fc3b233dd66883ab9ed6ceb6d4b4050ff724e2b39b8b6e
Instruction ID: a332ba94c370927d2809a99add9807c82b8627f712518d84e08f003812f6de75
Opcode Fuzzy Hash: 67a97eba58560e5bd0fc3b233dd66883ab9ed6ceb6d4b4050ff724e2b39b8b6e
Instruction Fuzzy Hash: F951A130720212DFD7549FA5D459B2E7BB2EB84700F20C469EA469B285DF74E895CB81

Function 0622A520 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a6eeb558c2012941a6099463ab2104e8f515b42a82dcf259ba8b06d83ab3e7
Instruction ID: 7d253448d0b4f12b87c23e16bc9b18a477bf01f58758ff8f71e06e428856ef6e
Opcode Fuzzy Hash: 63a6eeb558c2012941a6099463ab2104e8f515b42a82dcf259ba8b06d83ab3e7
Instruction Fuzzy Hash: 37414F30B002169FCB44DF69C888A6EBBF6FF89300F148569E5169B3A5DB74ED45CB90

Function 0622FA88 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdad97d13c8de59200f650f58d2e9737aa83041e4a8ee673ce9e9f5cbdcb0e0c
Instruction ID: 1161d371b26f64aaa373af1bbdf4ab91dac485eae33d6353dd3964fb85491e0f
Opcode Fuzzy Hash: bdad97d13c8de59200f650f58d2e9737aa83041e4a8ee673ce9e9f5cbdcb0e0c
Instruction Fuzzy Hash: EB416B30B50757AFCB84EF3AD99096EB7B6FF883107108529D816C7255EB74E841CB90

Function 06224E01 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f543624c770f5a714bd340d0180952094004ce9bda0a3755d834de8a8fe6138
Instruction ID: 57abc219531826414d1605772da4079f8016f72775aee8d090b0693434a49d59
Opcode Fuzzy Hash: 2f543624c770f5a714bd340d0180952094004ce9bda0a3755d834de8a8fe6138
Instruction Fuzzy Hash: 8D515D3592021AEFDB65DFA4D885ADEBBB2FF48301F208519F802A7261CB719C55CF50

Function 06225405 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953f46d59c6bce7f61bfb55890c25f15e5bd8bdef63c94d0c290f96dff9beb7c
Instruction ID: ff602204229757b9a41908160cf16058b433d5040ff3a959cad9d2677ad1b361
Opcode Fuzzy Hash: 953f46d59c6bce7f61bfb55890c25f15e5bd8bdef63c94d0c290f96dff9beb7c
Instruction Fuzzy Hash: 8D51DA75A2011AEFDB54DFA0D948EAEBBB2FF48311F218158F905A7261CB719815CF60

Function 06221B28 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4d78f4b8f233fce68e2002e69899c88f7d8bed2464f35c53ebcd0aa8f348e4
Instruction ID: 04d667a00c958883138998ac9d6b429cc2a224b94dbede64fb332f9a837cf2d7
Opcode Fuzzy Hash: be4d78f4b8f233fce68e2002e69899c88f7d8bed2464f35c53ebcd0aa8f348e4
Instruction Fuzzy Hash: 42415134734722AFD7648B58C448F6AB7B6EB84705F11841AEE4387785CBF5E8928B81

Function 0622AA18 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12396fa0e0e167c0f7dd234c3a195b6343c72112fc6029fe5aac79e16db13d4a
Instruction ID: 3612ddd276648b8726fec2eaa5ffd3d992bb2a66a6b1af7e8d451060ee4b834a
Opcode Fuzzy Hash: 12396fa0e0e167c0f7dd234c3a195b6343c72112fc6029fe5aac79e16db13d4a
Instruction Fuzzy Hash: 5941D2313106258FC764CF2AD984A6ABBF6FF88315B04846AE646CB775CB75EC84CB50

Function 062256E0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8652338eb8c92b6ac34184a519479d8d198e9835669b00798e0495d1548bc6f1
Instruction ID: d43833ea30c9acaa5e74cbd375f81ea73e4edc5625be432cbdd4755315ff3079
Opcode Fuzzy Hash: 8652338eb8c92b6ac34184a519479d8d198e9835669b00798e0495d1548bc6f1
Instruction Fuzzy Hash: AC41B331A64257DFDB44CB28D8947EDBFF1AF89300F08C1A9D905FB292C6B59984CB61

Function 06221019 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d600bc09753a70d9e1e1adbbf79e22ab3f4b986e297e020a15e76443da6d303
Instruction ID: 247f9f1f8d5f3a2f383fc34f43ac77682d2937ae45b3e8ef36f1332ff88460c5
Opcode Fuzzy Hash: 0d600bc09753a70d9e1e1adbbf79e22ab3f4b986e297e020a15e76443da6d303
Instruction Fuzzy Hash: 1F410B75E20618DFCB05EFA8D8889ADBBB5FF4D310F10416AE605EB260EB31A955CB50

Function 0622A51F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea0d1fa17147eb40af4eec2f52f08f91d99bd5a45f80a8dfb47b9839f922962
Instruction ID: a9586dc3329b7c222f9cebc018312a766ab1abe04538453dd0c5ccdec21bdc70
Opcode Fuzzy Hash: 2ea0d1fa17147eb40af4eec2f52f08f91d99bd5a45f80a8dfb47b9839f922962
Instruction Fuzzy Hash: 9E413F30B102169FCB44DF69D888A6EBBB2FF88300F148569E5169B375DB74ED45CB90

Function 06226888 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29002f2f16f63da89eb8441098501fec38cfd8b2e2c6e3cbb8cdf94ab616958d
Instruction ID: ef3b9dff1604cffe319121baf6f1d45f5299f76a6833791410f052b6eb8ec22f
Opcode Fuzzy Hash: 29002f2f16f63da89eb8441098501fec38cfd8b2e2c6e3cbb8cdf94ab616958d
Instruction Fuzzy Hash: FA319231920635DBCB689F24C8896AD7BB6EF48311F108C59E887E7250DE359DC9CB90

Function 06226898 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8d06df837a86e96aae0b84e3111b4d4ba2cf3294634d05aa59a962be141e29
Instruction ID: e94cb053abc2af7e642f2e8bd5be3201c0ea2b35aa01e83e5760450500b0811b
Opcode Fuzzy Hash: df8d06df837a86e96aae0b84e3111b4d4ba2cf3294634d05aa59a962be141e29
Instruction Fuzzy Hash: 95319231920235DBCB689F24D8896AD7BB6EF48311F108C69F847E7250DE799DC8CB90

Function 0622F003 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3289bc0155dd3a3889cb1f8cc45c1775205998d4be3e2ef9e70bb43f6a87abab
Instruction ID: 00bc97c307d4cfdad3252fb6e056aa84063ba552fc9ac02a14a46f3e19688973
Opcode Fuzzy Hash: 3289bc0155dd3a3889cb1f8cc45c1775205998d4be3e2ef9e70bb43f6a87abab
Instruction Fuzzy Hash: 6731CD38A003198FDB19DF71D5582EDBBB2BF89210F188829D846EB394DF349942CF52

Function 06221917 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271f6b0cc05318dbf8e87edb68fb218d766f99e01935c9440deebd84ea9c740b
Instruction ID: e73d44014e796f38596456ac2fce8b9589fe7af7008d68021cd78ac8d059fc65
Opcode Fuzzy Hash: 271f6b0cc05318dbf8e87edb68fb218d766f99e01935c9440deebd84ea9c740b
Instruction Fuzzy Hash: AE31C430B20212EFE7549FB5D459B2A7BB2AB40700F14C429EA43DB681CF74D8A4CB91

Function 06226668 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1ef68b9aa446bc50ddff993fbf82d7807aead1c987c22d7325162896f1eaea
Instruction ID: 69c920834e59823e300c8e5daf1f8548a71f74b57623906b0b096af176c5e870
Opcode Fuzzy Hash: fd1ef68b9aa446bc50ddff993fbf82d7807aead1c987c22d7325162896f1eaea
Instruction Fuzzy Hash: D82167323283225FC711479EA84467ABBE9EFC031171480BFF54AC7552DF75984187E0

Function 0622F520 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221d343f9d4bebb43171c2746b5665bff3b217fdd0164099cf7fa485a6e11dc5
Instruction ID: 6384f0ff75e688b1fc820a89f9f9aacb8536ab4ed478252340894f67f702dbe5
Opcode Fuzzy Hash: 221d343f9d4bebb43171c2746b5665bff3b217fdd0164099cf7fa485a6e11dc5
Instruction Fuzzy Hash: 3431C470E60227ABDB21DF65C2446AEB7F5AF44710F148529DC16BB354CB74AC94CBD0

Function 06226728 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b185d65719d781934ea8da48c18e4f389c66aac3534462df918299ffabc241ac
Instruction ID: bbba29d9294acfeb6b1a04aa95007a6f2ba082a7ad67c58c514bb5b8f4e59782
Opcode Fuzzy Hash: b185d65719d781934ea8da48c18e4f389c66aac3534462df918299ffabc241ac
Instruction Fuzzy Hash: A7213833A342B3ABDBB46A6DF8942BDB795EF86750B01043BDC55CB181D9298C4187D2

Function 062230C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5698af57aaf3636ec10443faf5aa9c55995fc188fbaa70af69be64b520ab56d9
Instruction ID: 11e55330c5d3c9c0d7ee4ae74102c6b0d860e8301c61c2f0372c2fbd6cd76e4f
Opcode Fuzzy Hash: 5698af57aaf3636ec10443faf5aa9c55995fc188fbaa70af69be64b520ab56d9
Instruction Fuzzy Hash: A6217F75720722AFC724CF59C88492AB7F6FF88704715C61AE90687761DB75E881CB90

Function 06221410 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56fe1b2dbb8a3d12cd33742c2c9c0599e21b1dd666a82a100c1e289e9dc8342f
Instruction ID: 80cabd69b6b5211817fa7ff61bc3b3ba69e272ec3f8673e9bb3dfb0ed18bc707
Opcode Fuzzy Hash: 56fe1b2dbb8a3d12cd33742c2c9c0599e21b1dd666a82a100c1e289e9dc8342f
Instruction Fuzzy Hash: AD21C431E543529FDB61CF688884BEEBBF0BF49710F1800AAD944EB281E7758951C790

Function 0622F511 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dfeff6293f0611ebbb2db097dc86d806a19f0f4f521633526f4a25880a26e24
Instruction ID: 55cd18abdf0a33f6bf68857c60b7e8000fea5f63e5d5a1897a6dfcdd2ccd4e98
Opcode Fuzzy Hash: 9dfeff6293f0611ebbb2db097dc86d806a19f0f4f521633526f4a25880a26e24
Instruction Fuzzy Hash: E321E470E60226ABDB20DF69D2806EEBBF5EF48310F108529D816B7314DB70A894CBD0

Function 00E9D1CC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4d86edae926472d0ab00eebdf732597f309df95a98bab1ca6951d8c6a73aa3
Instruction ID: 52d48ed2a5f136b5142592569d32abe4c0cc05c291213fef59eac115ba534125
Opcode Fuzzy Hash: fb4d86edae926472d0ab00eebdf732597f309df95a98bab1ca6951d8c6a73aa3
Instruction Fuzzy Hash: 102104B5508304EFDF04DF54D9C0B26BBA5FB94718F20C56DD8095B2A6C336D846CA61

Function 00E9E700 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e124fc64de91cfa623f15b9bd1ab7a3f5f6f2213adeae16a356712e30e693f
Instruction ID: 6b062ca35961602bdb6558a2baec7894c74953374f67635faa7158c76d8d31c9
Opcode Fuzzy Hash: 78e124fc64de91cfa623f15b9bd1ab7a3f5f6f2213adeae16a356712e30e693f
Instruction Fuzzy Hash: 5D213475504200EFCF00DF54D9C0B26BBA5FB98318F20C66EEA096B392C336D846CA62

Function 00E9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36e5ff35c1705a6010cfc53a8e7c828599ee39152553cffc46c5bf3bc31e423
Instruction ID: 1811759c4c754f208fe579b2e5317518ad111350d7f18f75c8f6e011f25b593a
Opcode Fuzzy Hash: f36e5ff35c1705a6010cfc53a8e7c828599ee39152553cffc46c5bf3bc31e423
Instruction Fuzzy Hash: 0E213571508200DFCF10DF14DDC4B2ABBA6FB84328F20C669E8495B381C37AD847CAA2

Function 0622E711 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029797975b0c0e1338551e8ce2e9451d9f819d56bf115be5fe88b9195a5f1094
Instruction ID: f72f9be5b8f850473c49c4c79682bbdacdaa0d3a6a7efbd549d945939fe9a55d
Opcode Fuzzy Hash: 029797975b0c0e1338551e8ce2e9451d9f819d56bf115be5fe88b9195a5f1094
Instruction Fuzzy Hash: 1A11AB20E102155FD750AFBEA8016AFBFFADFC5611F100465E6C8EB341DA62991187E0

Function 00E9FEFC Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67201af8c39e2dc0d345fec7a78cce4fcb34f2566bda2be70289f937efe2edfd
Instruction ID: 5db49fc105ff1b617ed29f09b2a463f9548c23dacc63d5d4218a911cfd563fa5
Opcode Fuzzy Hash: 67201af8c39e2dc0d345fec7a78cce4fcb34f2566bda2be70289f937efe2edfd
Instruction Fuzzy Hash: 8921D171604240DFDF04DF14D684B26BBA5EB95718F24C57DE8099B395C336D846C661

Function 00E9E3B8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3c3d1424a88ee952010bb780ef9955596713b8e59f13c8f60f3ca83cafbb09
Instruction ID: 305515f65f937c6ab74f53b8b2f55db8d899d6c043705852a7ed8e69bdddcbfa
Opcode Fuzzy Hash: 2d3c3d1424a88ee952010bb780ef9955596713b8e59f13c8f60f3ca83cafbb09
Instruction Fuzzy Hash: 9321F3B1604340DFDF04DF24DAC4B2ABBA5FB94718F20C56DDA495B351C736D846C6A2

Function 00E9E7E8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946bbae5e47f51d3d7206e57d9feb0bc687d17e766d65265b4282717bafecdf0
Instruction ID: 8bab1fce66eba96c33590594af27a9e160cff4d87f191f57be3deb0b9624de02
Opcode Fuzzy Hash: 946bbae5e47f51d3d7206e57d9feb0bc687d17e766d65265b4282717bafecdf0
Instruction Fuzzy Hash: 532157B1604240DFDF28DF54D5C4B26BBA4EB94318F38C67DDA0A5B351C33AD846C6A1

Function 00E9F8F8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c12e6bb97680fada62ce167ccbde5f1c0e13a0fd11a289d247ab13d5a85893c
Instruction ID: 03ee749a58f465d79786a94603c675e41653115185b4f70e64d4a1b627ae921a
Opcode Fuzzy Hash: 5c12e6bb97680fada62ce167ccbde5f1c0e13a0fd11a289d247ab13d5a85893c
Instruction Fuzzy Hash: F121F0B1604340AFDB04EF64D5C4B26BBA5EB94318F20C67DD94A9B391C33AD846C6A1

Function 00E9F5B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b83c544d930ca1692eb4aae243cdb6891a54a72902d1be89468b96382b4880
Instruction ID: 9081675c0152c4e0708a45d7da1bec9df0d4c37ba4460b89e3be63e01fddb2a2
Opcode Fuzzy Hash: d0b83c544d930ca1692eb4aae243cdb6891a54a72902d1be89468b96382b4880
Instruction Fuzzy Hash: FC21C6B1544340DFDF04DF24D5C4B26BBA5EB94718F20C57DD90A9B262C736D846C6A1

Function 00E9F688 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b66c74e44519a6e62d52b5e1badec39204532dff89ecb52300b9b0ea94e5c4
Instruction ID: 1c1c264b46bc465a7f0ab7c0e01542e9a550b17173fe281300d809ecfedbf2ce
Opcode Fuzzy Hash: 05b66c74e44519a6e62d52b5e1badec39204532dff89ecb52300b9b0ea94e5c4
Instruction Fuzzy Hash: 7B2123B56043409FDF04DF24D5C0B26BBA5EB94318F20C67ED80A9B352C73AD846C6A1

Function 00E9DF98 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c486669de06f898c719bffd11c0be938e30df46943e9585e86c032ce23b3cf
Instruction ID: 6897935f19a754e79d353c28631dba72f1b23406df005d914515739b4e097b1a
Opcode Fuzzy Hash: b4c486669de06f898c719bffd11c0be938e30df46943e9585e86c032ce23b3cf
Instruction Fuzzy Hash: C6216AB1604200DFDF14DF24D9C4B2ABBA5FB94318F30C56DDA0A5B351C37AD846C661

Function 00E9EE68 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3132a05984666431e9f37b928e04c5ef5159d17ef84f96a3138ba3c395f7679b
Instruction ID: 0269ce9d1e26810bbf2e0c1fccaff1a060266f48dc1501a45dc677ef158d5f96
Opcode Fuzzy Hash: 3132a05984666431e9f37b928e04c5ef5159d17ef84f96a3138ba3c395f7679b
Instruction Fuzzy Hash: 732127B1644244DFDF04DF14D5C4B26BBA5EB94318F30C66DDA0A5B391C33ADC46C6A1

Function 0622CA30 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10dfb6db061ed603f6ff8b4f7a847b0af1046f296bf575b13d3c9ec6e863c66f
Instruction ID: 51c31586b60293455157b8b6017da573800d6c5fab201ac34c1ef63bef25c9b5
Opcode Fuzzy Hash: 10dfb6db061ed603f6ff8b4f7a847b0af1046f296bf575b13d3c9ec6e863c66f
Instruction Fuzzy Hash: 1B21FF71E1426AAFDB14DB75C9407EEBBF1AF48300F148829D802F7255CB749940CBA0

Function 06222966 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a056f558f1280044a5d6ec191ad6daf5926cf034cddf5f3c41373d1460ae41c
Instruction ID: f4ea18d7993b308ccce386fa46a2461675e448ce5b32caa6ccdfc3b8dd3ab3b0
Opcode Fuzzy Hash: 0a056f558f1280044a5d6ec191ad6daf5926cf034cddf5f3c41373d1460ae41c
Instruction Fuzzy Hash: 3C211A30A1111AEFDF55DF95D8449AE7BB2BB88340F208025F901A7260DB32DA61DBA0

Function 06226B43 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bedcd50fc9b0817cc84217a4eafd60ee485345358f1dd3b6500c6649bf9cd02
Instruction ID: 9d9f6bc6f1ce802f1f024ae924652f44931b6a041a206f80ae7bb6d77bbb9933
Opcode Fuzzy Hash: 5bedcd50fc9b0817cc84217a4eafd60ee485345358f1dd3b6500c6649bf9cd02
Instruction Fuzzy Hash: 58114F35E101289FCB94DFB8D8956ADBBB6FF88310F248569E90AE3341DE345D858B90

Function 06225C61 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1d948f284af0185552a087a5c79d18171ec41ac66e968c6c51e53e238fbce2
Instruction ID: 467cc28fb88a276192b57b67c8725db32084e3785b6032e75b1533a0be98d25e
Opcode Fuzzy Hash: dc1d948f284af0185552a087a5c79d18171ec41ac66e968c6c51e53e238fbce2
Instruction Fuzzy Hash: 3E115E73A0415EABDF11CE94DC94EEBBBBDEF48210F084067E645E3141EA35D515CBA1

Function 0622DD81 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e41c1f70e248183bcf415574d7c4ce9a67ca32fd6a80cfe95b922ba3565c52e
Instruction ID: 4302ef597827a736615edfcead5d6a07118b6ff0902aec35f3e7b0d6b5e1022f
Opcode Fuzzy Hash: 1e41c1f70e248183bcf415574d7c4ce9a67ca32fd6a80cfe95b922ba3565c52e
Instruction Fuzzy Hash: 8911EE70E0426A9FDB24DB79C5406EEFBF2AF89300F148869D842AB255CB719944CBA0

Function 00E9E6FB Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 25abdc3535a3384163361cec1bfd49cb2dba0a058caa7f9312a0c804aec5359d
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: AB11D075504240DFDB01CF50D5C4B15BF62FB84318F24C6AADD495B756C33AD84ACB52

Function 00E9D1C7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: eab64670b860eec08ffe2288eed0f50edc1cc6a671f87f176316a218925a3f07
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 5D11DD75508380DFDB01CF50D9C4B15BFA1FB84318F24C6AAD8094B2A6C33AD80ACB61

Function 00E9D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction ID: f3b363651db60e49dd0d1f363ce371323ada950978638a6db5c3992dc9d5f90e
Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction Fuzzy Hash: 6411B275508280CFDF11CF14D9C4B16FF62FB94328F24C6AAD8495B656C33AD84ACBA2

Function 0622B638 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36e579cd3db25190d8f0b70d2b5794784b90a6585d00970facfd97b569aadf0
Instruction ID: f31647ba4b37442c08390359b4ff0dfeda7acfe7f139e7d5ab2c047aa60e8ea1
Opcode Fuzzy Hash: f36e579cd3db25190d8f0b70d2b5794784b90a6585d00970facfd97b569aadf0
Instruction Fuzzy Hash: F51148706506228FC758DF29D484D56BBF1FF84318B1085A9E6068B771DB32FC85CB80

Function 00E9FEF7 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ca03276ac0ccff4c81988cf554042a47405952ec31bc816ea136efef3652f3
Instruction ID: 13ca863b86dfde85963febaf3942045cd4182c1909115bdaf1f2022073dcdf7c
Opcode Fuzzy Hash: 04ca03276ac0ccff4c81988cf554042a47405952ec31bc816ea136efef3652f3
Instruction Fuzzy Hash: A911BF75604280DFDB05CF14D5C4B15BFA1FB95318F24C6AED8498B652C33AD84ACB51

Function 00E9E3B3 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ca03276ac0ccff4c81988cf554042a47405952ec31bc816ea136efef3652f3
Instruction ID: ff47461ad83cc00890856e46c90b0fdd8e152a9af0668d6e1ffba2e557bd4be8
Opcode Fuzzy Hash: 04ca03276ac0ccff4c81988cf554042a47405952ec31bc816ea136efef3652f3
Instruction Fuzzy Hash: 0611BC75504280DFDB05CF14D6C4B19BBA2FB94318F24C6AED9494B752C33AD80ACB92

Function 00E9F8F3 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction ID: ab025ca2fe2f33cd565c43dec208d7e52261b936891261c46dd317aecb4b871d
Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction Fuzzy Hash: AB11CEB55042809FDB05CF24D5C4B15BBA1FB94318F24C6BDC8498B792C33A984ACB92

Function 00E9F5B3 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction ID: 9a78ccef1532e7b6d45d36043d03ecb4f988f6661769a3da9138867093be463f
Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction Fuzzy Hash: 5911CE755043808FDB05DF24D5C4B15BBA1FB94318F24C6BEC84A8B662C33A984ACB92

Function 00E9F683 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction ID: 39c43602cc79e7e4ebe3c14007cc4e8e040bd32d31a76646105fe545af12b9e7
Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction Fuzzy Hash: 53119E755046808FDB15DF64D5C4B25BBB2FB54318F24C6AEC8498B752C33AD84ACB92

Function 00E9EE63 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3554688488.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e9d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction ID: 198416cbfac843a5167caab5dbe6a5ff544dfdea4155de5024380832757dfc94
Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction Fuzzy Hash: EA11E0B5604280CFDB15DF14D5C4B25BBA1FB94318F24C6AED9494B752C33AD84ACB92

Function 0622C5D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a25fe5d325b7bd79e42b6134336fa74517d32f249c7f61dc0a45b6104d3b62
Instruction ID: 892ab3fba043b052314e90627d61b7441ccb3cb2433397fe0b32e2ee6c848fee
Opcode Fuzzy Hash: 01a25fe5d325b7bd79e42b6134336fa74517d32f249c7f61dc0a45b6104d3b62
Instruction Fuzzy Hash: 520128302162459FC305A724F958CBA7FB9EF82351B0544AEE0098B262CB24AD56CB92

Function 062227C0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec142f3933d6440946cc07efa84d884520ef28f23f6edda380ba9b1b660e313
Instruction ID: e01b9599c4d98eec96f7ce2e0537e3a1309798cbcb6a75646959418a810308dd
Opcode Fuzzy Hash: eec142f3933d6440946cc07efa84d884520ef28f23f6edda380ba9b1b660e313
Instruction Fuzzy Hash: DE014B31B11116DFCB589F69D4089AEBBA6EF88610B10816AE816D73A0DF719D16CBD0

Function 06220838 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86badc7f657634b9552afa91c9ebe7ff2bbe9ae1c9968f8a74f0a02325f58b96
Instruction ID: c6c22425c31a6fcc3d63c24d232ac81f5aaeebb5ba46e2418481f30b8a5c7b4c
Opcode Fuzzy Hash: 86badc7f657634b9552afa91c9ebe7ff2bbe9ae1c9968f8a74f0a02325f58b96
Instruction Fuzzy Hash: 4FF0FC72B592405FD389C719D454BBABFA5EBC9350B05406AE805C7360D7369D42C791

Function 06227899 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8533b123bdd3913bac9f3a2b57d572756ea936d668a25088be815c0f359441
Instruction ID: 3ba9f8960a50be6d908ad729ee437f32d43bfce22e020e506a682825067ae4ec
Opcode Fuzzy Hash: cd8533b123bdd3913bac9f3a2b57d572756ea936d668a25088be815c0f359441
Instruction Fuzzy Hash: 2F014430D00619DFCB50DFA8C8409AAFBF1FF08710B10C969D59AA7200E731AA12CFC1

Function 0622A940 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a7226d10d421d43272a4d8c53716ad3a63bc4512b687413767c1a130b1154b3
Instruction ID: 836472aa09badf7d904540b1ef4dcde85db35e92b870fd7b271d7af4c7edacec
Opcode Fuzzy Hash: 3a7226d10d421d43272a4d8c53716ad3a63bc4512b687413767c1a130b1154b3
Instruction Fuzzy Hash: 6BF0F671B25226AFD3508A5AE840D6BBB6AEFC9B30B11801BF91697300CB719C11C7E0

Function 0622A081 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e5773bae038afc4158f71d33d41e0f1dc74d8451b9fd1f28fb0a683c35a42d
Instruction ID: 26ee40bfb06b6dfbb569fbf0dccf24a3408e948fd6efa8c5556e08de2fb146f2
Opcode Fuzzy Hash: d2e5773bae038afc4158f71d33d41e0f1dc74d8451b9fd1f28fb0a683c35a42d
Instruction Fuzzy Hash: 4DF0B4327142101FC254A6B9A89566FBBEBAFC8220B18482EE60BC3755CD719C0683E1

Function 0622E07C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c648230ec280dbcc1289d6fd87eebd14a71fce91f838e45ade66782631d34cb0
Instruction ID: aa808d43a2325f192488ae3e4c42038f798a08d5f73776ab20948b4363fe91fd
Opcode Fuzzy Hash: c648230ec280dbcc1289d6fd87eebd14a71fce91f838e45ade66782631d34cb0
Instruction Fuzzy Hash: C5F049B17112159F8394DF2ED48081AFBE4FF8D320351596EE94ECB711C730E8408B94

Function 0622B310 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d2422f8a2bcdbff0f80df8da4cfe48b89d4151857a8c2b7e6d074cf62da18c
Instruction ID: aae550ec2cb2368283fac7ab98c1e7ca1033e5ad44e746817b8dcbf8d0256518
Opcode Fuzzy Hash: 07d2422f8a2bcdbff0f80df8da4cfe48b89d4151857a8c2b7e6d074cf62da18c
Instruction Fuzzy Hash: 89F0E2317006056FE3149AB7AC847BABBABEBC0221F54843AE50AC7691DEA09C0587A0

Function 06220848 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84bf30e15f3d4efba6f2ad0bfd27c162565ba94873ca84e8b0e98252914c95ec
Instruction ID: 28e3637133e9db6bca79fb003f21c411dbf2b0867a16a19e34463b5daf54441a
Opcode Fuzzy Hash: 84bf30e15f3d4efba6f2ad0bfd27c162565ba94873ca84e8b0e98252914c95ec
Instruction Fuzzy Hash: 82F0BE75B14115AFD348CA0DD494B7BBBEAEB883A0B144029E809CB324CB72EC41C7A4

Function 0622C66A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0bd104cbdc1b066116b09ca9c60a485b46d74a9d070f8dea25275b02ae1fa1
Instruction ID: 0cd3b172782a3d8df788f01af39ab40a50eba028febac57b2b72cee7c413bf6f
Opcode Fuzzy Hash: 5c0bd104cbdc1b066116b09ca9c60a485b46d74a9d070f8dea25275b02ae1fa1
Instruction Fuzzy Hash: DFF0C2302051119FC711FB28FD819997BF1FF81302B0085A8E0498B62ACB35ED45CBC1

Function 06226659 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4566dbd86cf2498412af6548890d8d4cadb646943c7b6161f361dce2d12d3a03
Instruction ID: c64c2db9e445e507051dfd34fdd9c4a7ba43f85b284a846551a204050a5b9494
Opcode Fuzzy Hash: 4566dbd86cf2498412af6548890d8d4cadb646943c7b6161f361dce2d12d3a03
Instruction Fuzzy Hash: 7CF0E2722186219FC7168B99E8445AEBBF9EF89711325889FE48AD7642DB359C00C7E0

Function 0622089C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbc44b751b04dd3552b5ca19ebcc7a42e26869ffdd38720b5718a8ca6392ae0
Instruction ID: 0d77ce64af0b779f572f27729bf3ccb1cc5a640dfb67ab37287376cafb71ec33
Opcode Fuzzy Hash: 8dbc44b751b04dd3552b5ca19ebcc7a42e26869ffdd38720b5718a8ca6392ae0
Instruction Fuzzy Hash: A5F02EB2B5D1515FD3494318A4A437A7B51EB95341F0400ADC9468F175DB56D842C392

Function 0622A93F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0805befbf232201acecee7e8ca6afb4bacbb932c5257137111aa81efd52e61
Instruction ID: a1e2fbd3c33d9852208c2acb49885f19aa91475a6acce64cbca2afecc92d9049
Opcode Fuzzy Hash: ec0805befbf232201acecee7e8ca6afb4bacbb932c5257137111aa81efd52e61
Instruction Fuzzy Hash: 5CF0E971A25222AFD7508B56D840E6ABB69FF88B30B11811BF91997600CB719C10CBD0

Function 0622A4B0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02ad8f3bf0bfacf5ea9ae1933254cafb2a14538db1c7d51c79e1444939eb485
Instruction ID: d91be202ccd690dbe6e95f0aa9261145011106e71481afd1b80aaa7b8c524e92
Opcode Fuzzy Hash: f02ad8f3bf0bfacf5ea9ae1933254cafb2a14538db1c7d51c79e1444939eb485
Instruction Fuzzy Hash: 28E09233314065AB47149A8FE8C4CAABBADFBD92313504077F608C7620CA21DC45D7A0

Function 0622E100 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d100d1e830b5ea48910ef8d95c3173221b625eac39b227114f99eba5ba3b2606
Instruction ID: ffe169a3ef0a0f733569d1da1bbc37ed6b11aeb67bf0e607e547acb74e40819a
Opcode Fuzzy Hash: d100d1e830b5ea48910ef8d95c3173221b625eac39b227114f99eba5ba3b2606
Instruction Fuzzy Hash: 4BE022313702227BE200677E6998A7FAA9EEFC4760B051835F742DA218DD91EC444AE5

Function 062278A8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e864268ac25e16acd277111195338bf9735308bb55f3e893964793ab8a98606c
Instruction ID: 64575466e866deb98571b8eeba150c056e040925f2223138315220b70cd7f60e
Opcode Fuzzy Hash: e864268ac25e16acd277111195338bf9735308bb55f3e893964793ab8a98606c
Instruction Fuzzy Hash: 23011430D0021ADFCB40DFA8D841AAEBBF1FF48310F10C929D91AA7240E735AA52CF91

Function 0622B637 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eafc9be85080f2fb73b645a0b70d037524f363732f6bfedbffb8748406e86bbf
Instruction ID: 7b470c7841c86be3ef57b35eaa19978f9651f1f97088b45a275c6a0758689020
Opcode Fuzzy Hash: eafc9be85080f2fb73b645a0b70d037524f363732f6bfedbffb8748406e86bbf
Instruction Fuzzy Hash: 95F01275250A228FC364CF28D588E22B7F0FF0831971149A9E6428BB71CB32FC84CB40

Function 06229E20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7164b8e0605be847e17e6bac62b8df7d5190b2f684d99adfb5b9ceeb8e843f
Instruction ID: 982bd4d63590b6c8ba6bbeb0a00ec39122b3f019c48a04e2609de265e7626002
Opcode Fuzzy Hash: 8a7164b8e0605be847e17e6bac62b8df7d5190b2f684d99adfb5b9ceeb8e843f
Instruction Fuzzy Hash: FCE026312203258FC724D62AD40495EBBB9FEC1390700483EE52687624DAB1FDC987C4

Function 0622DA48 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6196c26fb570b264ba1acf22769c580e76b6d6d76ecdc07375bb5927c60c56d3
Instruction ID: 4c73cb8300d9f4b843651f41fe9af65cbcd252cd95247536b12f9ce0021d6484
Opcode Fuzzy Hash: 6196c26fb570b264ba1acf22769c580e76b6d6d76ecdc07375bb5927c60c56d3
Instruction Fuzzy Hash: 53E0927541E3A65AEB614290B2183643F65CF81218F1880A9DC494A592E6AF4986C782

Function 0622B6D8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4e17ae0e0f155d7e1cd97c98a85a5dcb1eecfde1e6ccc457fac9a84ba38068
Instruction ID: 590e6ba846dcda98facca230a465974e940de9f24b6222cd2164e59437cd5a7f
Opcode Fuzzy Hash: 2a4e17ae0e0f155d7e1cd97c98a85a5dcb1eecfde1e6ccc457fac9a84ba38068
Instruction Fuzzy Hash: 60D05E357502206FC748A66EE819D6A3BEDEFCEB21B11007AFA09CB360DD61DC0187E4

Function 0622A298 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15ed617078f46c10510a0a36a75fdb4064df5d1062c1ebf1fba610a951ec822
Instruction ID: db946948fd0eab2da9b1e31c89964521727265bb3ac88d85d9f04eeecca5bad7
Opcode Fuzzy Hash: a15ed617078f46c10510a0a36a75fdb4064df5d1062c1ebf1fba610a951ec822
Instruction Fuzzy Hash: 7DD012357445145FC704566AE809D9A3FEDDFCEB217010069F50AC7361DE62DC058791

Function 0622B6D7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d244ad4ae361b6b05fa81ef6418eaea00847fc42ebf5d258293b2c6652877ccd
Instruction ID: 9d287e7609a7f84287dfc116e62927addfcf3c6691a9ba6d2a72827255c147a2
Opcode Fuzzy Hash: d244ad4ae361b6b05fa81ef6418eaea00847fc42ebf5d258293b2c6652877ccd
Instruction Fuzzy Hash: 22D05E3AB501205FC7489669E919E693B99AFCDB21B15006AF609DB760DD70CC018790

Function 0622A297 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384ff060393ab6b38092111baf26ab67cace11f9144ccf16ad8408efa934b7de
Instruction ID: e9eae33dc7c3109fd88578d71f8d0ea0230ba98c82cab9bde487a5f562a5c85a
Opcode Fuzzy Hash: 384ff060393ab6b38092111baf26ab67cace11f9144ccf16ad8408efa934b7de
Instruction Fuzzy Hash: 7FD05B357405109FC7045769E50DDA93BD9DFCDB227050066F50AD7361DE71DC058790

Function 06229E1F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928fdc64ca389c489bf7f4268265edf252c222cece4cead7ad8f17c5b5ebd60e
Instruction ID: 4be2b9e3bd1aed9a59744533a2bf6e32b5fc1b844009717e68149e9325b600fe
Opcode Fuzzy Hash: 928fdc64ca389c489bf7f4268265edf252c222cece4cead7ad8f17c5b5ebd60e
Instruction Fuzzy Hash: 07D02B326207204FC314C61DD600A6DF3A5FDC4350740493FD52A87A28E6B0F9C84180

Function 0622E720 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56594abfd37df4ba4bdec58abdef18bccfa830c4d36306531e13ba182cf8f551
Instruction ID: 6ce3f10e193087b8d3321bea51cd8420acddec339501bf66c976b80f8e4ee1bc
Opcode Fuzzy Hash: 56594abfd37df4ba4bdec58abdef18bccfa830c4d36306531e13ba182cf8f551
Instruction Fuzzy Hash: 12C08C342082088BE30177A6B40E2293BAAEB88A06F502010E24E9A686C959E8108FA0

Function 06228A2F Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0df2acf1611dc7849e99e110ee5b97dcfc7d5d24c5b4b1f48c92b7150e4975d
Instruction ID: 9694083fabfce49117a836c6505e303fdaee320c6677c241e96b55cc157c62f7
Opcode Fuzzy Hash: e0df2acf1611dc7849e99e110ee5b97dcfc7d5d24c5b4b1f48c92b7150e4975d
Instruction Fuzzy Hash: 49C08CA22063500FCA821BA8B80218A3AD85B8A2213020483B001CB182E8288C8187A9

Function 0622A3D6 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462f806103f530d795e63e7cd30240698a3559f3884ee21002b46cc62c982ebf
Instruction ID: 2b82434b4f1932883ef8a0689fce144b4cf25ea3cd504a881f1a87e47af8b1b0
Opcode Fuzzy Hash: 462f806103f530d795e63e7cd30240698a3559f3884ee21002b46cc62c982ebf
Instruction Fuzzy Hash: 2BB09237A2401A99EB409A84B8413EDFB20F790225F104027C61062400C27201A887D1

Function 0622D10A Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057f7e24e9729e63a04fc25df8d9db3efe245c99c016579b832fffa38c01fe51
Instruction ID: c0e0c1b7975cedd9f3161e00ba2f2c558c80688a483808a1ea5e660a33912867
Opcode Fuzzy Hash: 057f7e24e9729e63a04fc25df8d9db3efe245c99c016579b832fffa38c01fe51
Instruction Fuzzy Hash: 36B01201881081D6E20616105454180F7A0B8005063880BC498C088101E50C990A9311

Non-executed Functions

Function 06228848 Relevance: 11.4, Strings: 9, Instructions: 146COMMON

Download Yara Rule

Strings

4c^q, xrefs: 062288AF
4c^q, xrefs: 062288A5
$^q, xrefs: 062288F8
4c^q, xrefs: 062288C3
$^q, xrefs: 062289A2
$^q, xrefs: 062289AE
$&_q, xrefs: 06228911
$^q, xrefs: 062288EC
4c^q, xrefs: 0622888F

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: $&_q$4c^q$4c^q$4c^q$4c^q$$^q$$^q$$^q$$^q
API String ID: 0-1861782729
Opcode ID: fb4a8efb9da5a502262f409d4158e496239b39619596563ca75e74b473495939
Instruction ID: b5ed12e8dca753fdfc02be8c268fcba4545d5a02ec8d99b4ca1d1f9f412cc462
Opcode Fuzzy Hash: fb4a8efb9da5a502262f409d4158e496239b39619596563ca75e74b473495939
Instruction Fuzzy Hash: BC51C371F2012A9FCB589F69C80456DB7F2BF89700725896AE805EF351DE34DC06CB92

Function 0622B378 Relevance: 6.4, Strings: 5, Instructions: 180COMMON

Download Yara Rule

Strings

$^q, xrefs: 0622B3A1
c^q, xrefs: 0622B4C5
Hbq, xrefs: 0622B595
4c^q, xrefs: 0622B4E1
(_^q, xrefs: 0622B576

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: (_^q$4c^q$Hbq$$^q$c^q
API String ID: 0-2580002112
Opcode ID: 99218ea67916a7f6b48076c10e0a84548a75d7c09bd358f43d0752886d50cd85
Instruction ID: fdc477887895c394300e147e3c7b92ff283a24b71d9621ed87ecfc65058ab717
Opcode Fuzzy Hash: 99218ea67916a7f6b48076c10e0a84548a75d7c09bd358f43d0752886d50cd85
Instruction Fuzzy Hash: AC518460F2422BEBEFA00E69C95176577E5DF40B46FA0083EDC85DE284E724C8D1CB95

Function 053E86CA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000050), ref: 053E875B

Strings

4'^q, xrefs: 053E8714
j{>, xrefs: 053E86F7

Memory Dump Source

Source File: 0000000A.00000002.3683986069.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53e0000_GamePall.jbxd

Similarity

API ID: MetricsSystem
String ID: 4'^q$j{>
API String ID: 4116985748-1285376448
Opcode ID: ab9aaed1214d28cb27695c9f5d9cc1d789da94cf915ae2996b94d53ce9d5276d
Instruction ID: 1f963bc8ac81c6a3942254413fcfa40bc18cae017d2d0eec59eec8673c89d7ec
Opcode Fuzzy Hash: ab9aaed1214d28cb27695c9f5d9cc1d789da94cf915ae2996b94d53ce9d5276d
Instruction Fuzzy Hash: 112175B5C042298FCB00CFA9D8446EEFBF4FB08310F10842AD419B7280C738A945CFA5

Function 053E86D8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000050), ref: 053E875B

Strings

4'^q, xrefs: 053E8714
j{>, xrefs: 053E86F7

Memory Dump Source

Source File: 0000000A.00000002.3683986069.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53e0000_GamePall.jbxd

Similarity

API ID: MetricsSystem
String ID: 4'^q$j{>
API String ID: 4116985748-1285376448
Opcode ID: b87ec903f31859882276e6814ec5b33d822c1786e666db9ced3d5dc9a25f608f
Instruction ID: 10321b54141272cd1606b22068a53087dd508399ac310a3f7f88214a9015ee97
Opcode Fuzzy Hash: b87ec903f31859882276e6814ec5b33d822c1786e666db9ced3d5dc9a25f608f
Instruction Fuzzy Hash: 8C2134B4D042198FCB10DFAAD5456EEFBF4FB08320F108529D419B7280C7386945CFA5

Function 062275A0 Relevance: 5.2, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

4c^q, xrefs: 062276FF
4c^q, xrefs: 062276A2
$^q, xrefs: 062276B4
$^q, xrefs: 06227642

Memory Dump Source

Source File: 0000000A.00000002.3969281381.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6220000_GamePall.jbxd

Similarity

API ID:
String ID: 4c^q$4c^q$$^q$$^q
API String ID: 0-3263609269
Opcode ID: 86867bc885f1e3af922dadc4231372e7874a0d2ce9113e59ec1a410206676757
Instruction ID: c92907e87b02ed53dd8b55e56f500de0375c169394fe00218897ecaecacbd856
Opcode Fuzzy Hash: 86867bc885f1e3af922dadc4231372e7874a0d2ce9113e59ec1a410206676757
Instruction Fuzzy Hash: F751F335F24127AFDB948E68D984AB9B7A2FB88750F048429ED069B354DB70DC11CBE0

Analysis Process: GamePall.exePID: 6576, Parent PID: 3524COMMON

Executed Functions

Function 02BB1049 Relevance: .8, Instructions: 843COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521cf60eb451d9c7158cdc347406f0d2fb4e076e279ea7ce8c4b2aa8d94c96a3
Instruction ID: 682f1d7ca2ea6fc6ff29a832ec6277bc3674d98a282916ad70e633e9ef97ad33
Opcode Fuzzy Hash: 521cf60eb451d9c7158cdc347406f0d2fb4e076e279ea7ce8c4b2aa8d94c96a3
Instruction Fuzzy Hash: F382D07D640209DFDB06EFA4D654B6E7B76EB88300F204814E805337ACDB36AD95DB26

Function 02BB521A Relevance: 2.7, Strings: 2, Instructions: 227COMMON

Download Yara Rule

Strings

(bq, xrefs: 02BB55A3
(bq, xrefs: 02BB55CF

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 793d2e38f7f1a75249ec118dba5fbddf197abf2695e78e1f25c5f215ac1d5488
Instruction ID: e9cd1ed4d68213936df11f9b02984b22a5a24ed1cb2b5d32bb2a8a49dde23898
Opcode Fuzzy Hash: 793d2e38f7f1a75249ec118dba5fbddf197abf2695e78e1f25c5f215ac1d5488
Instruction Fuzzy Hash: 87819035A002148FCB16DF69D8546FE7BB3EF88311F5480A9D406AB395DF749C46CB92

Function 02BB5678 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

(bq, xrefs: 02BB589B
(bq, xrefs: 02BB586F

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: c73cb0cdaa2eca648bec84ee5588eb4ba45c3b6b5126cf4432b23492f8e48e7e
Instruction ID: f5f43b2a97c5643c510fcb0ea45e01319fcba538ec94453b272d8ae62aa11b0b
Opcode Fuzzy Hash: c73cb0cdaa2eca648bec84ee5588eb4ba45c3b6b5126cf4432b23492f8e48e7e
Instruction Fuzzy Hash: CE61B070B012448FDB16DF69C894AAEBFF2AF89300F55409AE402E7361CF749C06CB51

Function 02BB3750 Relevance: 2.6, Strings: 2, Instructions: 50COMMON

Download Yara Rule

Strings

(bq, xrefs: 02BB37B2
(bq, xrefs: 02BB3786

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 4bfb346749d1775ce3af43f1e74e39751c51a6f6839a8f409c8c95b4fd438801
Instruction ID: 827973b9174ed67a85bba682d364e414e415b7616d1704b63d5261cf52f5fa62
Opcode Fuzzy Hash: 4bfb346749d1775ce3af43f1e74e39751c51a6f6839a8f409c8c95b4fd438801
Instruction Fuzzy Hash: DE012636B041284BC3597B3A981423F35D7EFC62617688269D80AD77D0DE388D0B57D6

Function 02BBBEAF Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02BBBF75

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 78ad3a446d19b190cf1c60db7a043b19525a9af394c631ec937e2aeb5bf5b0dc
Instruction ID: 09643daf5e9a605e1c284ef19f51b222e69c5ea3e334a4c5fa57bc544fe7868b
Opcode Fuzzy Hash: 78ad3a446d19b190cf1c60db7a043b19525a9af394c631ec937e2aeb5bf5b0dc
Instruction Fuzzy Hash: CD416D347001149FC744DF2ED898A6EBBE6FF89710B2585A9E40ADB3B6DA71DC05CB81

Function 02BBBEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02BBBF75

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: f87318553fa879ece5eb05867b10b49b2d2e7ff2b5586e591f6bf32041f8ed25
Instruction ID: 66cf6f3eb7d5176ac17ec6f17d811c88da32a2f55cf7a7ac752ea6805889a3b6
Opcode Fuzzy Hash: f87318553fa879ece5eb05867b10b49b2d2e7ff2b5586e591f6bf32041f8ed25
Instruction Fuzzy Hash: 3E4170347001049FC744DF6EC898A6EBBE6FF88710B2584A9E50ADB3B5CA71EC018B81

Function 02BB2B10 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02BB2B35

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 91f66d5d51b287ea0d8c4823f291aa0398336c13099fcec760d5d625e50968f2
Instruction ID: 5be7c881a234da99c1ed55287c4299e50a839a7231bf3efd13b3782b5a7f592b
Opcode Fuzzy Hash: 91f66d5d51b287ea0d8c4823f291aa0398336c13099fcec760d5d625e50968f2
Instruction Fuzzy Hash: F6311B357102058FD749EB36D46456E33B2EBC9A0872185A9D14A8F3A8DF35DC47CB8A

Function 02BB4249 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

(bq, xrefs: 02BB4295

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: a4da9ca465586b50d690c5849f15e144b901fc220b4ff95d151a9b76ecb44629
Instruction ID: 106652be98a11fc2f53fcb234598bbca0663e320fb88e29be6a5147190448b85
Opcode Fuzzy Hash: a4da9ca465586b50d690c5849f15e144b901fc220b4ff95d151a9b76ecb44629
Instruction Fuzzy Hash: 8D016832B081904FC30AA738582427E3BA3EFC221174844AED445CB356CE688D4A93C6

Function 02BB37F0 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

(bq, xrefs: 02BB3820

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 207d01ddb2821afaf1836036c94739e3148811d65350b81d68e5550b29aceb4c
Instruction ID: 47617d3234bd45c7433ea31a8774cdd75eb5039ddb71e21b7409c55a6ed5607f
Opcode Fuzzy Hash: 207d01ddb2821afaf1836036c94739e3148811d65350b81d68e5550b29aceb4c
Instruction Fuzzy Hash: D4F059327042505BD7196B7A5C1013F3BEBDFC6220B14866AE909C33C0EE758C0A4392

Function 02BB1058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ac1a39631f833f805cebe278dfe257c333240224019a0afec8ad22cb9fe7f0
Instruction ID: c03cb4412b5bcaa0b403ca52f13e7e054b69b1c129c81ee79dbfe6d3bfdbe0b0
Opcode Fuzzy Hash: d7ac1a39631f833f805cebe278dfe257c333240224019a0afec8ad22cb9fe7f0
Instruction Fuzzy Hash: E182C07D640209DFDB06EFA4D654B6E7B76EB88300F204814E805337ACDB36A995DB26

Function 02BBB0B0 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b75d2e158b03fd13ace90900d7b83530a691eea86c70a11887d2ce8730972d
Instruction ID: e6e9e84f27dc6b71698acdf2de51420b5fe2950a079b46b91c1b091554188dc2
Opcode Fuzzy Hash: 60b75d2e158b03fd13ace90900d7b83530a691eea86c70a11887d2ce8730972d
Instruction Fuzzy Hash: 8F523D39A11204CFC71AEF28E5589AD7BB2FF84309B6484A9D8169B3A5DF71EC45CF40

Function 02BBC060 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b4608812b1265ef24f6fd1094f65d0d497b223f3124ac9f1d7a2988237bab6
Instruction ID: d386a51e9b92cc8b0427bdf7e0859216aa877ad6d807f86100607594fff79b7c
Opcode Fuzzy Hash: d4b4608812b1265ef24f6fd1094f65d0d497b223f3124ac9f1d7a2988237bab6
Instruction Fuzzy Hash: C1710972600604AFC356DB24C95059BFBB2FF80304754CA6E944A8BB55EFB2F94A8BC5

Function 02BB3893 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2beafc995b2391d72ba96587f2284b9363259d934166e45ce13373aa9912117
Instruction ID: f050929ad39eee25c95d3f1e837406d6f68bf9920de227dc89f4fc07410940e9
Opcode Fuzzy Hash: f2beafc995b2391d72ba96587f2284b9363259d934166e45ce13373aa9912117
Instruction Fuzzy Hash: A0711D38B50218EFDB05DFA4D994AAEBBF6EF88310F244495E805A7368CB75EC45CB50

Function 02BBC070 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81adf48f43bbef3f05eb01c06540e75d167a7e4ad95ec7343b91ba4b3df3d49
Instruction ID: a82bf20985ced9bfb561289773aa240e1d7b817501f710bf4fb4e9a6cf3c418b
Opcode Fuzzy Hash: a81adf48f43bbef3f05eb01c06540e75d167a7e4ad95ec7343b91ba4b3df3d49
Instruction Fuzzy Hash: 3871EB72600604AFC356DB24C95059BF7B2FF84304354CA6E944A8FB55EFB2F94A8BC5

Function 02BBBB99 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48cac953cb9a890dfe979924804ae590d659d4610c3b0129b6f55934398921e8
Instruction ID: 4ba8dd29a91db58930f0d09b4d4956249432adf8ba2251f33acf9572828aca5e
Opcode Fuzzy Hash: 48cac953cb9a890dfe979924804ae590d659d4610c3b0129b6f55934398921e8
Instruction Fuzzy Hash: 5A81097D602245CFC712FF18EA899A9BBB2FF84304B25C5A8D5158B369CB70E859DF40

Function 02BB5AA0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aeaf49a68a1a018ed9a43716c9b994cd7a9c4485ae1bdb4959c06efb5ae7884
Instruction ID: 899b68c8f21fcde51a441bb7e40240a199917242e3f2ae626299e56d23979e11
Opcode Fuzzy Hash: 1aeaf49a68a1a018ed9a43716c9b994cd7a9c4485ae1bdb4959c06efb5ae7884
Instruction Fuzzy Hash: E5515E75B002058FCB14DF69C994AAEBBF6EF8C314B5140A9E50ADB365DB70EC05CB91

Function 02BBC798 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df908a60777ea74c565f6aa0a8cea6eaf4087a200333189d2dbba9eb6a7f4ff
Instruction ID: 585f9958af4d821c5da0449dd94c7cd703d259b55013637eb6c9b4824be829fc
Opcode Fuzzy Hash: 6df908a60777ea74c565f6aa0a8cea6eaf4087a200333189d2dbba9eb6a7f4ff
Instruction Fuzzy Hash: 4C51C672600600AFC356DB24C95159BFBE2EF85314354CA6EC04A9B765EFB1EA4A8FC1

Function 02BBC7A8 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f444f5fffdfc5747851b0c905417d07be93223ed21c82004b4d2664ae71623c
Instruction ID: 290fb6e183fe05bf98cb4d75033c5ed4b462c0b77355ae0fdc1f101c53033b57
Opcode Fuzzy Hash: 6f444f5fffdfc5747851b0c905417d07be93223ed21c82004b4d2664ae71623c
Instruction Fuzzy Hash: 5B51D5726006009FC356DB24C95159BFBE2EF85314354CA6EC04A9B765EFB1FA4A8FC1

Function 02BB2850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f153f525a25e77b5615a113b2d6dced41f253cdf9fd9927877a2f038a6012eb
Instruction ID: b2ac781a1ed39d817ca697aa182100a8c25936ada7b5a6a3c6ee46f098478bc2
Opcode Fuzzy Hash: 1f153f525a25e77b5615a113b2d6dced41f253cdf9fd9927877a2f038a6012eb
Instruction Fuzzy Hash: A0410674E50208CFDB15EFA5D984AEDBBB2FF88300F205669D915A7368EB309849CF50

Function 02BB5A91 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af45e9ce449ef2f86a772fe6236eef9fe8183f1b09dbabaae65a7ffdf95ddd0
Instruction ID: dfb196d092beee33e7629725395f3650542e9fbc352de4d8176f1656337489e3
Opcode Fuzzy Hash: 9af45e9ce449ef2f86a772fe6236eef9fe8183f1b09dbabaae65a7ffdf95ddd0
Instruction Fuzzy Hash: 19418F75B002068FC715DF68D984EAABBF6FF89314B5181A9E409DB362DB70DC05CB91

Function 02BBB0A0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1bf6fae303cc916ea022f82f9fa1dfa9e13105d15e91b328b74d550147342e0
Instruction ID: 891577c67aea06fb91722ed58766f1f91f6b1417a9e88cc68595e250d43f2889
Opcode Fuzzy Hash: d1bf6fae303cc916ea022f82f9fa1dfa9e13105d15e91b328b74d550147342e0
Instruction Fuzzy Hash: 24313535B102048FCB05DB79E9846EDBBF6FF85304F04856ED4198B3A5EFB099498B81

Function 02BB5308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39b79216f8966de564cfb34e771723fcce18b221a227ff9343c4e5492fc4172
Instruction ID: 890ed2431ea320f019f29a31faafd86b435170ff3a47ba1343009673eff14d32
Opcode Fuzzy Hash: b39b79216f8966de564cfb34e771723fcce18b221a227ff9343c4e5492fc4172
Instruction Fuzzy Hash: 73411739A001149FCB05EFA5E494AEDBBB3FF88305F6484A9E806A7364DB749C46CF51

Function 02BB2842 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6ecadc7f4d2670587cfed34308bccef9d36a7a5495e73b6794241af5ee8afb
Instruction ID: 13bfc7ab39897446a229f996585a3eec69a44794457fd0efedaeecc29a6d09ce
Opcode Fuzzy Hash: df6ecadc7f4d2670587cfed34308bccef9d36a7a5495e73b6794241af5ee8afb
Instruction Fuzzy Hash: D6315830E50208CFDB15EFA4D9846EDBBB2FF88300F245A69D915A7268EF759849CB10

Function 02BB2C53 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb907ddd92bd0b9802f66ac14bea66e6e825390c99ed54abf8d1af250fc06ce
Instruction ID: 9046f3fe01b599edae514aea0752ee10ff44317a760a1a53314401578d32d1ec
Opcode Fuzzy Hash: cfb907ddd92bd0b9802f66ac14bea66e6e825390c99ed54abf8d1af250fc06ce
Instruction Fuzzy Hash: 20315079E00209CFCB05EFA4D594AEEBBB2FF48314F204565D915A7368DB309A45CF91

Function 02BB2C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0579ec2502a7585769409a91566c5845c0f181daa101a9aea3d014dce2218e09
Instruction ID: 1fd019731011766b74a83443fb8c920c05b2fbc6985ef09a083ccae4b9e10220
Opcode Fuzzy Hash: 0579ec2502a7585769409a91566c5845c0f181daa101a9aea3d014dce2218e09
Instruction Fuzzy Hash: 67315039E00209CFCB05EFA4D594AEEBBB1FF48314F204565D915A7368DB309A45CF91

Function 02BB288D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479e829908c8e9f93c40b8535307fa93846762c4a64d3c1f5dfb6a29ffc2e7fa
Instruction ID: 701ca08a2fc628ee1fc661bbd242c15de31383cb224d90b460dde7785c923617
Opcode Fuzzy Hash: 479e829908c8e9f93c40b8535307fa93846762c4a64d3c1f5dfb6a29ffc2e7fa
Instruction Fuzzy Hash: E8313874E50208CFDB15EFA4E9846EDBBB2FF88300F245669D915A7268EF749849CB10

Function 02BB4B70 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d53c5794b1cdf4c5f697f0fa4579e56f23d0a7f89e4961508df82c8d789647
Instruction ID: 9ad2d527b17f3ee142000152c69d069c289d6ba6bfd2ae777477756f17a6d410
Opcode Fuzzy Hash: a4d53c5794b1cdf4c5f697f0fa4579e56f23d0a7f89e4961508df82c8d789647
Instruction Fuzzy Hash: E421A7316442415FC715EB78EC906AEBBA2EFC0314B058E6AD0198B369DF70EA4D8B95

Function 02BBCEC0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfb258f83bfcc7e9a0ea4c3bbe073d12045e5fa1b238ab189269b2c97dfa972
Instruction ID: f57164a966a6104d933fa2c520cea0df53792cdc5825af9a066466f4326219b9
Opcode Fuzzy Hash: fdfb258f83bfcc7e9a0ea4c3bbe073d12045e5fa1b238ab189269b2c97dfa972
Instruction Fuzzy Hash: B3210671D10248DFDB11CFA9D5497EDBFB5EF48314F1480AAE809A7280CBB55949CF90

Function 02BB4B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646f66caceff67543921b88e6ae33f878041f679fac2e7fe10b302ec84cb276b
Instruction ID: 7c44fe507cd8b8017a48787226bb45e26b37449ba25a72508c9e5127d1cac9d9
Opcode Fuzzy Hash: 646f66caceff67543921b88e6ae33f878041f679fac2e7fe10b302ec84cb276b
Instruction Fuzzy Hash: 832190312406016FC715EB79ED80A6EB7A6EFC0314B048E39D4198B369DF70EE8D8B95

Function 02BBCED0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9402fa6491bb75f792ee84f1902894e0db78de0e6bbbdbcf8f20106192c79365
Instruction ID: 39eeaad86595735acdebd729d6df98eb2015a233848e6d63093c7ad8dfd93e96
Opcode Fuzzy Hash: 9402fa6491bb75f792ee84f1902894e0db78de0e6bbbdbcf8f20106192c79365
Instruction Fuzzy Hash: 6921F771D10248DFDB15CFA8D5496AEBFB6AF48314F14809AE809A7340CB759945CF90

Function 02BB2908 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be0002847b54c746c0afceeaedf1b66177504dc3ad4cb6836279ec21c972a76
Instruction ID: 577b84fedf539ab4bff5bf5727f2a2c3cf97cfdc7948c07233e15029a20ee8ea
Opcode Fuzzy Hash: 5be0002847b54c746c0afceeaedf1b66177504dc3ad4cb6836279ec21c972a76
Instruction Fuzzy Hash: 91213974E00118DFDB15EFA5D980AEDBBB2FF88300F108229D929A7368DB709849CF51

Function 02BB6888 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e878146ec179d1c4bb2ff721f41834ade6035704bdaf7e8036fcf3d670594e
Instruction ID: a6748373e06194bbb67013043ed7bdd42786005d000a956cda2ead3f32ef8011
Opcode Fuzzy Hash: 01e878146ec179d1c4bb2ff721f41834ade6035704bdaf7e8036fcf3d670594e
Instruction Fuzzy Hash: 83219031D00105CFDB15CBA4C9487FEBBF5AF48304F1080AAD146A7262DBB54E49CF51

Function 02BB5C61 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91c6b8d993c3c60a5055324bcf19e2d34a303da26668cf9bc6a742a5b3a7344
Instruction ID: ec1a1bceb85b7b89a5e1bccde5aff532daae07568b7e162eb736406c93407a37
Opcode Fuzzy Hash: e91c6b8d993c3c60a5055324bcf19e2d34a303da26668cf9bc6a742a5b3a7344
Instruction Fuzzy Hash: DC213835A002198FDB11CBA9D598BEDBBF1AF8C310F6401A5E405BB260CB759D44CB60

Function 02BB296A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e958af443d7244e5c9adf222dcb92df7dce3a8b44e20e81620ac6ec4aa84a93a
Instruction ID: bd16169d6f28c07610aceb5e2b3f8d459a43dc6898b0bca40981f45071af67e3
Opcode Fuzzy Hash: e958af443d7244e5c9adf222dcb92df7dce3a8b44e20e81620ac6ec4aa84a93a
Instruction Fuzzy Hash: 1B21FA74D00208DFDB15DFA4D5809EDBBB2FF48300F204169D919A7368DB309949CF50

Function 02BB66F9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68fcba11fcf9e54691f10153fb089780bce292b6135b9b8e91034d1800946c85
Instruction ID: b628ceb69d9cb365572b0fda61a35020177166dd7c30d5b47fb60901a55946a0
Opcode Fuzzy Hash: 68fcba11fcf9e54691f10153fb089780bce292b6135b9b8e91034d1800946c85
Instruction Fuzzy Hash: 9111A5317042508FC7065B78A8544EABFB6EFCA22130542BBE54ACB366DF759D0EC791

Function 02BB36FC Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce48b64a81883b2ed56b4b0547abef47517bfba58890dc2e24acc941c155deec
Instruction ID: f1753ed5dc6dc9483fe32450217c9e4cf86bac28884ee498998588ed76dff7aa
Opcode Fuzzy Hash: ce48b64a81883b2ed56b4b0547abef47517bfba58890dc2e24acc941c155deec
Instruction Fuzzy Hash: 3401FE327051541FD356173558245BF2BF7DFC666431684A6D409C73A6DE248D0F9392

Function 02BBC000 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f4cec65ce16b2f995a8cd8b30035531570406dbe92e3d26f0209c666900261
Instruction ID: 8fbe7710f6af96e4532daa8f9632cba0031c32b5c4926d9279ba61e296131de3
Opcode Fuzzy Hash: a3f4cec65ce16b2f995a8cd8b30035531570406dbe92e3d26f0209c666900261
Instruction Fuzzy Hash: 9D1165357102158FCB11EF29E89899ABBF2FF85718B1485A9E405CB376CB71ED098B80

Function 02BB32E0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e39053a9b98898b6c318f78d1e1c5a075bd2e41def91391eeeb04691fb6e6c
Instruction ID: 4b9abaa55f13f7d0ac6c605e1a67a1e289977fd0d53fc2714af12ae52a1b003b
Opcode Fuzzy Hash: 01e39053a9b98898b6c318f78d1e1c5a075bd2e41def91391eeeb04691fb6e6c
Instruction Fuzzy Hash: 0B116139E60104CBDB14EFB4E4187AE7BB2EB88301F014A69D90697344DF795919CB60

Function 02BB5940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcca1b3c749c261b8e7149dbb1bd3ba438865c069985c2aed67cb56b92ef2dce
Instruction ID: ee3c8384d060614affeb0e1071a92032d34e31a2ed778eb631c6e27bbdb1d0f2
Opcode Fuzzy Hash: bcca1b3c749c261b8e7149dbb1bd3ba438865c069985c2aed67cb56b92ef2dce
Instruction Fuzzy Hash: 0301A9763001109F8714AF69E49495EB7A6EBD9665321857BE606C7310CF35DC05D7A0

Function 02BB32F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edbb551c614683a13474ac70ccae3fa84082cd3139ebdb2c2a9fab56b610ce3
Instruction ID: 73c8c81a689b9210ed77506c403024e5cef3d092668e28ed930a56454a04d38c
Opcode Fuzzy Hash: 5edbb551c614683a13474ac70ccae3fa84082cd3139ebdb2c2a9fab56b610ce3
Instruction Fuzzy Hash: 55015234E60104CFDB14EFB4E4587AE7BF6AF88301F014A69D90297340DF795918CB50

Function 02BB2A8B Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78a12053263b9d8cf5d6e1311427b09db78598ee22e3c4db1c093c19914d493
Instruction ID: c292ee2fb304e8206d395ef74540631fdb97e60333eed79885443031a6488728
Opcode Fuzzy Hash: b78a12053263b9d8cf5d6e1311427b09db78598ee22e3c4db1c093c19914d493
Instruction Fuzzy Hash: C3014BB56107109FC710AF38C80989B7BE2EF8461471489AAE14ADB725DF75EC088BC1

Function 02BB4237 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e652f2a69cb3261a4ad528a5af9d755382d92ac80397b77148165b7e91cf3e
Instruction ID: 9b864c99a2a53113e6a7f56240d4747c2face114df421d840087c6d79fd19296
Opcode Fuzzy Hash: 80e652f2a69cb3261a4ad528a5af9d755382d92ac80397b77148165b7e91cf3e
Instruction Fuzzy Hash: 44F05272A042501F8708A3B56C600AE3BA2FFC9114306496FE009DB241CE211E0E4326

Function 02BB6388 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3da63da34ce9edfe2a529641b7c40a77373f21b93d015e9935a474cc89f0cf
Instruction ID: c496f49c355051c9c50484e0261fd2c0e4f2150c5a25c13da391d606289c1faf
Opcode Fuzzy Hash: 2f3da63da34ce9edfe2a529641b7c40a77373f21b93d015e9935a474cc89f0cf
Instruction Fuzzy Hash: 30F0C230D00288AFCF01EFB4D8515EDBFB1DF56200B1081E9D449E7256DA310F49EB42

Function 02BB41DB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0c639d48ce5b264be8c99af6164ac0ba59cc29c473631544b145b477b24d0f
Instruction ID: 6be11317d72295c076ecb4e5795a8c1915c59b50e80f9c927d6346055a222259
Opcode Fuzzy Hash: 6a0c639d48ce5b264be8c99af6164ac0ba59cc29c473631544b145b477b24d0f
Instruction Fuzzy Hash: ACE055717041103F8708E6A6AC419BF768AEFC8220754482AF10CD7300CE326D0843AA

Function 02BB593F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47cde74563fc9010174733e03ad3a38763351b461f296a4fca1a97516f181641
Instruction ID: b18e1833f9a4743691afd4141fdedcc5851dfa57d83fb0ed152dbc1850d6deae
Opcode Fuzzy Hash: 47cde74563fc9010174733e03ad3a38763351b461f296a4fca1a97516f181641
Instruction Fuzzy Hash: 85F05E763002109FC7149F29E494DAEBBA6EFD9665325856AE90AC7310CF318C06CB60

Function 02BB41E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ee966b2114f5e7d78d057b982043e40bca4b0270fbfcd5efbefa471116a62a
Instruction ID: 1e6ebd7921f5d5552f610b32e27bb42872608d2ec08a2285d2aab75b63efe7ad
Opcode Fuzzy Hash: 32ee966b2114f5e7d78d057b982043e40bca4b0270fbfcd5efbefa471116a62a
Instruction Fuzzy Hash: 8AE0ED71B042147F8708A6AAAC519BF769AEFC8664754482AF10DD7300DE226E0957AA

Function 02BB6398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65284d27622cca8d0bd42d20231634d6dc5d034c73cb0849f9e1e9d035e6874b
Instruction ID: 938a8e4ae2f73882b26aedc4fce915d381de34a01ddfeb9396e6e5b9d38936fe
Opcode Fuzzy Hash: 65284d27622cca8d0bd42d20231634d6dc5d034c73cb0849f9e1e9d035e6874b
Instruction Fuzzy Hash: A5F08274E00208BFCB00EFB8D94159DBBB1EF54200F1081E9A809A7344DA305F04EB41

Function 02BB2D92 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89b4a50d88c0a1744836d4f4136123fde88a78e74ccc532c01e04cb07b3932b
Instruction ID: d9e7caa85b1a63d4413c1a0f85fc243400114f38e512d106342c3d1dac374ccc
Opcode Fuzzy Hash: a89b4a50d88c0a1744836d4f4136123fde88a78e74ccc532c01e04cb07b3932b
Instruction Fuzzy Hash: 45F08C70E24118CF8784EFA8D5092D97FF0EB48310B2180AAD509E3300EA708E01DB91

Function 02BB1FF8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8faca554b8a7cb37d57e3838d977d4f2e9332f98585d065c11246abaf6b8b7cd
Instruction ID: bd591d910f723bb25cf0c21688a614353c7218bfa8d2ff77dd23c237207fd79a
Opcode Fuzzy Hash: 8faca554b8a7cb37d57e3838d977d4f2e9332f98585d065c11246abaf6b8b7cd
Instruction Fuzzy Hash: CBE09A36B052804FCB165679A0189997FA5DF8651530609EFE00AC73A2CE358C0A8721

Function 02BB2DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86793026540ba99af47fa0c9b7cb2b03ed56f3abef78a33aeaf671d05168c7db
Instruction ID: 4c85e6f81bdc611306f15952e824777a56b608344eea91706ee2212b3ddf9bc6
Opcode Fuzzy Hash: 86793026540ba99af47fa0c9b7cb2b03ed56f3abef78a33aeaf671d05168c7db
Instruction Fuzzy Hash: 7CE0ED71E10118DF8B84EFBCD5056DEBBF5EF48310B1141AAD519E7311EB709E018B92

Function 02BB37EF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1095ad52caf292bbb7d226c388e42085afe7fdaeb3cf72284409fab42120dfc8
Instruction ID: d839e8ceb4ae7e5a8049027e3c6445cda85c3a9790b0fb6e7af43c98cff4e44a
Opcode Fuzzy Hash: 1095ad52caf292bbb7d226c388e42085afe7fdaeb3cf72284409fab42120dfc8
Instruction Fuzzy Hash: 14D0C2337002002BDB255A6A6840AFB27ABDBC8220B184569F909C3200DFA28C068740

Function 02BBCFF0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fda9549fc6a0cacbc0c3ee170e4bd9bc263f3e6ffee613731c42a0eb5de08a0
Instruction ID: 246a3db2d01f70937d8846ffad3e284be1f1f4ad040ae509ba6944d12c68f61e
Opcode Fuzzy Hash: 4fda9549fc6a0cacbc0c3ee170e4bd9bc263f3e6ffee613731c42a0eb5de08a0
Instruction Fuzzy Hash: 26E0CD3511D34697EF115151B15D3B13E498F4021DF4480DAB40D065D0DBFE8089DF91

Function 02BB66C8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c77f599a32f7f31e9190ab1b18343ae12fb07a3a7cfadb93f6498b376bb3f1
Instruction ID: 5f20977e302d83019e3b4950b6fd18cfda4b5640b6f9de818338131c4f2ba901
Opcode Fuzzy Hash: 28c77f599a32f7f31e9190ab1b18343ae12fb07a3a7cfadb93f6498b376bb3f1
Instruction Fuzzy Hash: 3CD0A7327052605FC3451A6CB8103A977D1CFCA221F0903B7F505D7383DE684C0A6791

Function 02BB6469 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62a87e06f1f54847c072df84bb1800affe3b5750feb9409b63286cf8ae34694
Instruction ID: 933c9862b875507f002e73ff99f0e9fa95436e67438ea8a73a12c325ca6b8064
Opcode Fuzzy Hash: a62a87e06f1f54847c072df84bb1800affe3b5750feb9409b63286cf8ae34694
Instruction Fuzzy Hash: 11E05E757482408FC305DF38D0958A97B72EF9A350B1002E5E469CB37ADE26DC87CB14

Function 02BB6478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2f6162a6ad0de2993093ccbc7f497219d6e283921fcb779d27b02eefa8fea2
Instruction ID: b406aa03f0cf098e66abcd0059c500ed1409f5637cda0e58cd9ee3dca08fb845
Opcode Fuzzy Hash: 6e2f6162a6ad0de2993093ccbc7f497219d6e283921fcb779d27b02eefa8fea2
Instruction Fuzzy Hash: 1DC012753402044F8204DB5CD08081573EAAB8C71071001A4E519C7339CE21EC81C618

Function 02BBCAA0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e3de08f168ae2ff73ea99c3bd75e7e522f3d243cccd0f07c8598e95d2f1458
Instruction ID: ab25e323e2fe44773562955bd60081dc3546fb747132a3eecfaf8c7d8680922b
Opcode Fuzzy Hash: 08e3de08f168ae2ff73ea99c3bd75e7e522f3d243cccd0f07c8598e95d2f1458
Instruction Fuzzy Hash: CCB09273BA02406BEE018F71A98E34137B0BF18302F040110F00585A95D6A401038605

Function 02BB5647 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3660449008.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2bb0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72fba5481fc7c4404a55708681bc8335424bb1bf2a9a4c22cbf1e483ad3cd07
Instruction ID: 681e302f150f5202289983cb36827a99088abb86e97d19546665c144240a6c50
Opcode Fuzzy Hash: e72fba5481fc7c4404a55708681bc8335424bb1bf2a9a4c22cbf1e483ad3cd07
Instruction Fuzzy Hash: 35A0026699541C01441454502C010367608D74665974406CAAC0D96661E953946E02C5

Analysis Process: GamePall.exePID: 6552, Parent PID: 3524COMMON

Executed Functions

Function 02244F58 Relevance: 11.9, Strings: 9, Instructions: 606COMMON

Download Yara Rule

Strings

(bq, xrefs: 022455CF
(bq, xrefs: 02245082
(bq, xrefs: 02245655
(bq, xrefs: 022451CD
(bq, xrefs: 022451F9
(bq, xrefs: 022455A3
(bq, xrefs: 0224589B
(bq, xrefs: 0224586F
(bq, xrefs: 02245056

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq
API String ID: 0-1872187367
Opcode ID: bce45600cc069b672dea902b96c2ef2caec32e9f4ff407a0d15543c7726d69b3
Instruction ID: 80c05d4a04d6516c4a9023161b9a6b07a913e273520a0a66c083cdd138e99d02
Opcode Fuzzy Hash: bce45600cc069b672dea902b96c2ef2caec32e9f4ff407a0d15543c7726d69b3
Instruction Fuzzy Hash: 9C229D30A10215CFDB08EFA9D4446AEBBF2EF98310F648169E906EB354DF349D46CB91

Function 02243860 Relevance: 4.4, Strings: 3, Instructions: 687COMMON

Download Yara Rule

Strings

(bq, xrefs: 02243BA1
(bq, xrefs: 0224419C
(bq, xrefs: 02243DE5

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: cd73961921c2a37f03c9274d3dbd00c79e4811f20382877f5bdbcc6c895c7f82
Instruction ID: 71fc9821825280117f8f0681df6d663aacf0119e426f35bd9b2ac1bfde596068
Opcode Fuzzy Hash: cd73961921c2a37f03c9274d3dbd00c79e4811f20382877f5bdbcc6c895c7f82
Instruction Fuzzy Hash: C7425E34B102159FDB09EBA8D854A6E7BF7EF88310F248469E505AB368CF35DC46CB50

Function 02243750 Relevance: 3.8, Strings: 3, Instructions: 88COMMON

Download Yara Rule

Strings

(bq, xrefs: 022437B2
(bq, xrefs: 02243820
(bq, xrefs: 02243786

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 61ceb4b23cda8d932a46ee1ff58828d1d7ab5c5398437eeabc344d185dbbaf2a
Instruction ID: 6f5147379ee2410d6360eefb3872d46462b47c8534d48e29ca9785c22b499851
Opcode Fuzzy Hash: 61ceb4b23cda8d932a46ee1ff58828d1d7ab5c5398437eeabc344d185dbbaf2a
Instruction Fuzzy Hash: 88216D217041508FE719777D581417E2BE7EFC6261328866AE90AD77C1DF388D0B8396

Function 02241049 Relevance: 2.1, Strings: 1, Instructions: 843COMMON

Download Yara Rule

Strings

0-y, xrefs: 02241EBA

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID: 0-y
API String ID: 0-3537481717
Opcode ID: 1e2d69f30f98e54e9a805aa180570799c8b844b8833e7db9b205b46daf5843f1
Instruction ID: 2fe36a968574abe2b90d5471d1c3ddd56b602e433ac864589a0689d5f3e7cd35
Opcode Fuzzy Hash: 1e2d69f30f98e54e9a805aa180570799c8b844b8833e7db9b205b46daf5843f1
Instruction Fuzzy Hash: 0682E178640209DFDB06EBA4D654B6E7BB7FB88300F104814E801377ACCB76AD95DB66

Function 02241058 Relevance: 2.1, Strings: 1, Instructions: 835COMMON

Download Yara Rule

Strings

0-y, xrefs: 02241EBA

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID: 0-y
API String ID: 0-3537481717
Opcode ID: eb1c344b155e5808be11b9eebfb4de094589a8a6ae5ed1174d2804bde96ab8d0
Instruction ID: f35bc1f72105b0a4202ec65228e1b9957f8bcf5f7343057cf8be8c7a1b2897c1
Opcode Fuzzy Hash: eb1c344b155e5808be11b9eebfb4de094589a8a6ae5ed1174d2804bde96ab8d0
Instruction Fuzzy Hash: 1782E178640209DFDB06EBA4D654B6E7BB7FB88300F104814E801377ACCB76AD95DB66

Function 02242A80 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02242B35

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: a4510d0854a4146d31a061ebafcabceb6dd0d51184f7a8291cf9e1857c68c008
Instruction ID: ba888d93d3bdb6d3e4233cf2480e96de4f525ee4ebd68cbd99fa9eb41b87d83b
Opcode Fuzzy Hash: a4510d0854a4146d31a061ebafcabceb6dd0d51184f7a8291cf9e1857c68c008
Instruction Fuzzy Hash: 2B516B357102118FCB09AB3AC45895A37F2EBC9A587208569D54ACF369DF35DC078B86

Function 0224BEAF Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0224BF75

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 923da59b53999ef4e2814318a1c266057e620ed06ced76e4e9556d50ffe04468
Instruction ID: 6392bea5dc886ba3f005930b0b39af7fa4715825dc55eb2a6921a839786342ae
Opcode Fuzzy Hash: 923da59b53999ef4e2814318a1c266057e620ed06ced76e4e9556d50ffe04468
Instruction Fuzzy Hash: 764180347002048FC744DF6DC488A6EBBE6FF89710F2580A9E509DB3B6DA30EC058B91

Function 0224BEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0224BF75

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: b0d0b58cdb52d5eac891762ce5e1906d8a643ad2138bdf60187b295d80dd2c21
Instruction ID: de6f6614c88b39da5722f72e5f0cc898a1212e88aef66579d2694a8e740529e6
Opcode Fuzzy Hash: b0d0b58cdb52d5eac891762ce5e1906d8a643ad2138bdf60187b295d80dd2c21
Instruction Fuzzy Hash: BB4150347002148FC744DF6DC498A6EBBE6FF88710B2585A9E50ADB3B5DE71ED018B91

Function 02242B10 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02242B35

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 06a9472b5ae95a557b02bea76e7af478ddcff450f48d64c8678364ca5a7304cc
Instruction ID: 22b498315bc6978d10f78e1dc556a5cc270ae5a0e3cffbebe4357d4441573bcc
Opcode Fuzzy Hash: 06a9472b5ae95a557b02bea76e7af478ddcff450f48d64c8678364ca5a7304cc
Instruction Fuzzy Hash: BF3109357102158FD749AB3AD454A2E33F2EBC9A587208568D14ADF3A8DF35DC43CB8A

Function 02242B20 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02242B35

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 9ba1ddd63bfb5ae94b169d91e60c84e37a40d835a0de0fe1e574e20493eecd70
Instruction ID: f0e81524e2fc1eca4d40110488f061613cfdabc69dd7d6c6be42ae9b8dd75a07
Opcode Fuzzy Hash: 9ba1ddd63bfb5ae94b169d91e60c84e37a40d835a0de0fe1e574e20493eecd70
Instruction Fuzzy Hash: 1D31DA357102158FD749AB36D454A2E33E2EBC9A587208568D14A9F3A8DF35DC438B8A

Function 02244248 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

(bq, xrefs: 02244295

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: aa24976afb44984a66d973a58521bef2951a1b4cde0d77a9060d1a8ee5fa7c2c
Instruction ID: 418a628e7565931c215b971a69d039c711b45f95485e8108559250c35d260830
Opcode Fuzzy Hash: aa24976afb44984a66d973a58521bef2951a1b4cde0d77a9060d1a8ee5fa7c2c
Instruction Fuzzy Hash: 7E0168327082904FE30AA779581826E3B93EFC265034845AED846CB345DE68DD4AC3D5

Function 0224B0B0 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a46011b89d6e0ad0485c2ce37406232708f0042ab8be221b6fc12961915520
Instruction ID: 99080ac53e90d1e58e600ad73c83dc3a679defcf9e7e26b5df13894f8a843fa2
Opcode Fuzzy Hash: 40a46011b89d6e0ad0485c2ce37406232708f0042ab8be221b6fc12961915520
Instruction Fuzzy Hash: A9523638A11201CFC719EF78D55896D7BE2FB85349B608469D40AAF36ADF35EC42CB80

Function 0224AF90 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e5f220f8f1995d9541e26946191a67d8e304ec75eeaf8a9f8456613347bb18
Instruction ID: 80274fde810f8f7fd6227f6cf3d92d438f964641b3baa21fd97954b97827cee3
Opcode Fuzzy Hash: a7e5f220f8f1995d9541e26946191a67d8e304ec75eeaf8a9f8456613347bb18
Instruction Fuzzy Hash: 5761C5719093808FD706DB7898556DDBFB1FF96208F0985ABC084CF1ABDB64A90DC792

Function 0224C060 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3754224aee06defcedd8a2353e7556817b4e54aa157974cf5288be0e4b1530d
Instruction ID: 6bb9d73172027357e12e89176b1cb021311b92ac32c797c198569953b5d36e9b
Opcode Fuzzy Hash: c3754224aee06defcedd8a2353e7556817b4e54aa157974cf5288be0e4b1530d
Instruction Fuzzy Hash: 4471E8725017049FD356DB64C95059BFBA2FF84314314CA2E844A9FB69EF72FA4A8BC0

Function 0224C070 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77093ecb587385c68d3fb9291871f2417eec21495e7215ae875f97ebde1ca863
Instruction ID: 6d9693d3c37afadbef070b01426edb8b1837cff1de3e939b258db22384911346
Opcode Fuzzy Hash: 77093ecb587385c68d3fb9291871f2417eec21495e7215ae875f97ebde1ca863
Instruction Fuzzy Hash: 0471E7726007049FD355DB64CA5059BFBA2FF84304354CA2E844A9FB69EF72F94A8BC0

Function 0224BB99 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6c0507e0a621afe124ee8945670e8dbe89f0d97c781c6ee86114e0585d1600
Instruction ID: 7d81e69fa718b162f44a0ecdca006f5763851b7e67e9f88a4a875764bf9f2cd8
Opcode Fuzzy Hash: 3e6c0507e0a621afe124ee8945670e8dbe89f0d97c781c6ee86114e0585d1600
Instruction Fuzzy Hash: DB810678A12205CFC366EF58EA89919BFE2FB85344B54C568D1049F32DCB70E849EF80

Function 0224385B Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e481e83fb2ce90ea5b220178e8926dcf850584d64bafd9295a48e71f92d4a9f8
Instruction ID: ecda2b8a59be8d60b503ae3eb213e4c7a15d8a08ffd3d85a25b688511d0f14a9
Opcode Fuzzy Hash: e481e83fb2ce90ea5b220178e8926dcf850584d64bafd9295a48e71f92d4a9f8
Instruction Fuzzy Hash: 67611A34A11219EFDB09DFA8D994AADBBB6FF88310F208455E805B7368DB35EC41CB50

Function 02245AA0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef51c8372d95c3efb5a9a95cc64f74e9c3f4478f00bb1cbf0456b7058053cb64
Instruction ID: d41a55f5e8a44ca2d0180aee528046e67f873727a916d5202ccbb0954f72bc19
Opcode Fuzzy Hash: ef51c8372d95c3efb5a9a95cc64f74e9c3f4478f00bb1cbf0456b7058053cb64
Instruction Fuzzy Hash: 3F514F75B102068FCB08DFA9C994A6EBBF6FF88314B514168E50AEB365DB70ED05CB50

Function 0224C798 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8c6ccbcfdbbe07482ec115f78ff229daa2cfb349614d67dfab30191150ec5f
Instruction ID: 43f49b0e1b48a1dd3ba3bc0cf47af76f2a943cc85a44a355d16d1bf712ddb457
Opcode Fuzzy Hash: 5e8c6ccbcfdbbe07482ec115f78ff229daa2cfb349614d67dfab30191150ec5f
Instruction Fuzzy Hash: 4151E4716007009FD355AB68D94158BFBE2EF85314314CA2EC04EAB765EF75FA4A8BC0

Function 02245240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325c3e1860924e461de094ec384b30ca038f519b2aceb110dbea35de57e8d150
Instruction ID: 5d42ca2638bd0d292fd5c83afdac23803ad7330f01b4479d33bb3ab4ec260ba0
Opcode Fuzzy Hash: 325c3e1860924e461de094ec384b30ca038f519b2aceb110dbea35de57e8d150
Instruction Fuzzy Hash: 2F515D30A10219DFCB08DFA5D484AADBBF2BF88715F548165E845AB258DF749C51CF90

Function 02242850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7590c1e9aaff36f4b42182acf84f83aca2988238c357f705611c06ebacad59
Instruction ID: bb9b6b7fcf1d1c0b9aacc3c1fc36d1336648d39f9ac0a113fa5ef40f4cf9d8fc
Opcode Fuzzy Hash: bb7590c1e9aaff36f4b42182acf84f83aca2988238c357f705611c06ebacad59
Instruction Fuzzy Hash: FC41EC74A10209CFDB18DFB5D984AADBBB2FF88304F244629E905AB368DF359845CF50

Function 02245A91 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bfa3bf175dcda6882fddbf58e742a9b62efa7b146f90eb1f411ea558efd8e7f
Instruction ID: 58a691d9c6394241bc212a0afca393088bd06a780e2ef1361a198ac6ec4e05e7
Opcode Fuzzy Hash: 1bfa3bf175dcda6882fddbf58e742a9b62efa7b146f90eb1f411ea558efd8e7f
Instruction Fuzzy Hash: 91316D75B102068FCB04DFA9D988E6ABBF6EF88310B518069E509DB366DB70ED05CB50

Function 02242843 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcd24f920e17403a028488d4515abc898b8238dc3db0fc9e6cf7cc6bd5eb9b9
Instruction ID: bfbbf8ed61586938d228225d083a4f5ee0ea8c354ae1e0f0c44ccc608f54e26a
Opcode Fuzzy Hash: 2dcd24f920e17403a028488d4515abc898b8238dc3db0fc9e6cf7cc6bd5eb9b9
Instruction Fuzzy Hash: B5414274A10209CFEB18DFE5D980AECBBB2FF88344F144625E905AB258EF759945CB20

Function 02242C48 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fab2cd159e76114ffc88b9371acf6c59ad5ead9df12e34ae4dc88b33188929
Instruction ID: ec86f969e7f36793677f6650e72754acff64dec870899d1dd1fbba871ca81047
Opcode Fuzzy Hash: c9fab2cd159e76114ffc88b9371acf6c59ad5ead9df12e34ae4dc88b33188929
Instruction Fuzzy Hash: BC411C74A0020ACFCB05EFA8D594AADBBF2FB48314F104665E505BB368EB359945CF90

Function 02245308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2371fd89be873e23a8e5d5e59477edb9af78041cfbd7c8e9fce4b52f0b3dacd6
Instruction ID: d95e47437aaaa39acdb280e1828d7a8324ceb85b4cd5708d022fe8583a9ed81a
Opcode Fuzzy Hash: 2371fd89be873e23a8e5d5e59477edb9af78041cfbd7c8e9fce4b52f0b3dacd6
Instruction Fuzzy Hash: 9741E834A10215DFCB08EFA5E4949ADBBF2FF88715B608565E805AB368DB349C42CF50

Function 0224B0A0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f489fbc11b64070fb60b763a33de5a7b54b4b185389b8b0c01fb49144543bf7a
Instruction ID: 95090eda3f70afbc59f466864551d1aef9e764494d62147cd54d87977828342b
Opcode Fuzzy Hash: f489fbc11b64070fb60b763a33de5a7b54b4b185389b8b0c01fb49144543bf7a
Instruction Fuzzy Hash: 2631D330A102059FDB04EB78D84469DBBE6FFC6314F408529D119AB3AADF75ED098B81

Function 02242C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d937bd3a3019573a081db8467f4d8839f3d018ac3f5ad5045d55e59e8092c3cd
Instruction ID: 9e624d7ab2874c6634bc887e106a7ecb961d7a17f84bdc6892f8265359f7717d
Opcode Fuzzy Hash: d937bd3a3019573a081db8467f4d8839f3d018ac3f5ad5045d55e59e8092c3cd
Instruction Fuzzy Hash: CB31ED7490020ADFCB05EFA8D584AAEBBF2FF48314F504525E515BB368EB34A945CF91

Function 02244B5F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9281601dcc2130f370f2e76988c368f4a95250b4be879c7716468ea6b73b94
Instruction ID: c1acb31707d44c9b27b7bfc22263f9b5999f5d5a0993d8c1906098fe423d159f
Opcode Fuzzy Hash: ea9281601dcc2130f370f2e76988c368f4a95250b4be879c7716468ea6b73b94
Instruction Fuzzy Hash: 5121A1302003059FDB05EB78E88066DBBA3FB80350B448E39D1198B769DF70EE8D8B95

Function 02245698 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d895db1544fc4a4d2538e33b35dc2fdd652427fa705254d47114e6c23738453
Instruction ID: 2fb496477e57293f6d451119972f84749cba6556926661873b8329f90b98237b
Opcode Fuzzy Hash: 7d895db1544fc4a4d2538e33b35dc2fdd652427fa705254d47114e6c23738453
Instruction Fuzzy Hash: AE219C70B106059FCB08DFA9D598AAEBBF6AFC8600F644069E806E7365DF70ED41CB50

Function 0224288D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed712995b181b40f838adaa867a426a4383c70f87ceef451b750625ee9c6c76
Instruction ID: 120310812e5129d02e199ba1b19dbad1d432f3b2884642311589dbabe1af4679
Opcode Fuzzy Hash: eed712995b181b40f838adaa867a426a4383c70f87ceef451b750625ee9c6c76
Instruction Fuzzy Hash: 1D310C74A10209CFDB18EFF5D994AACBBB2FF88344F244529E905AB258DF749845CF20

Function 0224CEC0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d980e9e5b4a79ea7796224b50d126092d8a6b10912c0566a432c53edf625a109
Instruction ID: f6b5d9b7a2d8fe3949c8df45f33906c00aca82db187a8408cac68938967107e4
Opcode Fuzzy Hash: d980e9e5b4a79ea7796224b50d126092d8a6b10912c0566a432c53edf625a109
Instruction Fuzzy Hash: 1D21BB74D05248DFDB15DFA8D148B9EBFF1AB89314F14816AE805A7380CB7A5801CF90

Function 02244B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1a07e992c5e39e115756fb795fe6ac306dabe41f5bb7db627532dc0a8b3f3a
Instruction ID: 1e567ef94061659ad39590f457f5ff77bb805fd3aef20d9df93e9ba87df6b4c8
Opcode Fuzzy Hash: dd1a07e992c5e39e115756fb795fe6ac306dabe41f5bb7db627532dc0a8b3f3a
Instruction Fuzzy Hash: E7215E302002059FDB15EB79E944A6EB7A7EB80250B448E38D5198B769DF70FE8D8B94

Function 0224CED0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd0c5cb36e93e5f0a2f6984e78665fa1dc1e528cc4e7f7741539bcdfdaee1d5
Instruction ID: a545ccf20ab0398673b2fad67dae0ffc7d4eb567e07dd7be169b10674cb3b9eb
Opcode Fuzzy Hash: 5cd0c5cb36e93e5f0a2f6984e78665fa1dc1e528cc4e7f7741539bcdfdaee1d5
Instruction Fuzzy Hash: 07217A74D11208DFDB14CFA8D148B9EBBF6FB88314F20816AE805A7340CB7A9845CF90

Function 02242908 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51151e192a6e03389258cfe05795f57a4f931ba46bb78fca7e5022803684bd5
Instruction ID: 6205f58944d63a3cee448adcbdb85bb24864da19753302b233aad7b81e8c647f
Opcode Fuzzy Hash: f51151e192a6e03389258cfe05795f57a4f931ba46bb78fca7e5022803684bd5
Instruction Fuzzy Hash: 60211B34E10219CFDB18DFE5D980AACBBB2FF88340F108225D915AB368DB749845CF11

Function 02245C42 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab64bc38c6450cc666cd3364e9687986cb3ec6b0f8676a7071215597fae6f8a
Instruction ID: 08aee4de14c0672908c69855c2a035be2c0b8875594585321b9d25b349c59cc3
Opcode Fuzzy Hash: aab64bc38c6450cc666cd3364e9687986cb3ec6b0f8676a7071215597fae6f8a
Instruction Fuzzy Hash: 77217C71A14249CFDB05CBA8C598BDCBBF1AF48310F5500AAD441BB2A5DB799D84CB60

Function 02245C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780e524bb421dd77e2929c132b256f6319785423c6f179d92206222ec2924ba0
Instruction ID: bfdb1c8af9862e5a780e0d3e86b48402c0de2fab4a521d209aaf6efe9be5e35b
Opcode Fuzzy Hash: 780e524bb421dd77e2929c132b256f6319785423c6f179d92206222ec2924ba0
Instruction Fuzzy Hash: 75213635A10219CFDB14DBA9C588BDDBBF1AF4C314F6400A5E505BB364DB75AE84CBA0

Function 0224296A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82132f3e52a8592c33c1cd44ac0e1ae1cd23bfba5d7b83d3b4540b0940fdb522
Instruction ID: d2c1e9429cffe06cdeb878d98f12de06a02ade827ba707f1d00f607c47ed09e5
Opcode Fuzzy Hash: 82132f3e52a8592c33c1cd44ac0e1ae1cd23bfba5d7b83d3b4540b0940fdb522
Instruction Fuzzy Hash: AB21AC74A10219DFDB14DFA4D9849ACBBF2FF88304F204625E905AB368DB74AD45CF51

Function 02246888 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad944fa01de2497978557ae2582b4ef38f4d3d61ebc5f4aa484ec20512b6454
Instruction ID: 6ac7862cfdbc96a984db652f72092a077c6beda8483d31cda25a238ca7378fc4
Opcode Fuzzy Hash: cad944fa01de2497978557ae2582b4ef38f4d3d61ebc5f4aa484ec20512b6454
Instruction Fuzzy Hash: D1116D71D10206CFDB28DBA4CA48BFEBBF6AF46304F54846AC006A7255DFB58A49CF51

Function 022441A2 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1c2d4c10b92dc9cf9223c842e3753eef9fa51c92c7edf4367ce5047941c2f7
Instruction ID: 38caa7de480b670575b7151d7a852ccf343e0cf2e72a952059b72729ac62d269
Opcode Fuzzy Hash: 3a1c2d4c10b92dc9cf9223c842e3753eef9fa51c92c7edf4367ce5047941c2f7
Instruction Fuzzy Hash: FD014C317083808FD70A6B786C641AE3F6BEBC6255354859AD509D7342CE345D0AC765

Function 02245911 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0896c6c81106226fa7fd5f77d69f52e6096522881dbd1bb983546bf70e9e294f
Instruction ID: 5cfc968772c31c9092b5fbe3946664e6d7d96fd7bf5b9464aeee89bb9c0310c8
Opcode Fuzzy Hash: 0896c6c81106226fa7fd5f77d69f52e6096522881dbd1bb983546bf70e9e294f
Instruction Fuzzy Hash: C501DB723012109FC3059F69E4949597FB5EF96351315446FD509CB352DA34CC01C750

Function 0224C000 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdab7fd449d5c3084e7eead8b2cda570ce649dd5ce2177b8805dc42782e7b12f
Instruction ID: 4734b055a7b4aac2ef115124e621e8019ef85b49f87cfd373802034eac115d3d
Opcode Fuzzy Hash: bdab7fd449d5c3084e7eead8b2cda570ce649dd5ce2177b8805dc42782e7b12f
Instruction Fuzzy Hash: 3D115B347102458FCB45EB28E844A99BBF2FF85B18B0145A9E5098F376CB71ED058B80

Function 022432E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9598c106cbf34485f8b07b427dfc54a0dc5a421392c5e68293dd4d19b604bd42
Instruction ID: 0ee3b949c66e0b0835f467924dd9293ecc37046aef6bc3f9568187ddd2e83c0e
Opcode Fuzzy Hash: 9598c106cbf34485f8b07b427dfc54a0dc5a421392c5e68293dd4d19b604bd42
Instruction Fuzzy Hash: 94113C35A14284CFDB09FBB8E858B9D3FB2EB89311F044969D802DB295CF390806CB51

Function 02245940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7891daf32a5266651ae19f7b03712324b32dbc0a2e39b76616978c301214c70c
Instruction ID: 9d1ef134bc4a4d2cc1575f76cad31b1607ebfed9b71955852a5790428fd01793
Opcode Fuzzy Hash: 7891daf32a5266651ae19f7b03712324b32dbc0a2e39b76616978c301214c70c
Instruction Fuzzy Hash: F30144763102108F8704AF69E898D6DB7E6FBC9665354897AEB0ADB310CE35EC05D7A0

Function 022432F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49bfdddc2be16d9f902b92112e9c7804eeee0ced83937685cb089ccd0b1a308
Instruction ID: 66169aeb32326b0753824b250d8d5e85c7e118d09b9462b96dcc8f232b2484fe
Opcode Fuzzy Hash: d49bfdddc2be16d9f902b92112e9c7804eeee0ced83937685cb089ccd0b1a308
Instruction Fuzzy Hash: E7010C34A10244CBDB08FBB9E558B9E7BF2EBC8301F004929E902A7398DF795D55CB51

Function 02242A90 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab7ce6e5f9b58187c85587d5a24d58510626a0006f9b9e35077643802f45fdc
Instruction ID: 4524aa8c69f9d88f1b39b1176ab831c07b68fde0f21a4676d26fde4dbbcd32de
Opcode Fuzzy Hash: 1ab7ce6e5f9b58187c85587d5a24d58510626a0006f9b9e35077643802f45fdc
Instruction Fuzzy Hash: 02F046B16107008FC715AB79C40885BBBE2EB856543108AA9E54ADF725EF31EC088BC5

Function 02244237 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6596c81730116a7c758f4bc9e41c8d09e3f033c34718a848e41acd94827583
Instruction ID: 898e71071e3f435fef5cf6cfac68c01c5c5596699ece98a8fa884c809a1fd8f5
Opcode Fuzzy Hash: 0b6596c81730116a7c758f4bc9e41c8d09e3f033c34718a848e41acd94827583
Instruction Fuzzy Hash: 7EF0A7367002004FD309AE38A5542AD6B53EBC06507149539D4498B755DE74998B8A85

Function 02246388 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2fd411a6469334e618dc9bed311b75b94ac708a15f9901fb6db763a6cd519a
Instruction ID: 9c9834b54bd64a201d6b3bbdeb23ea1cdf8e31e227854f150d10880bd6b7d45e
Opcode Fuzzy Hash: 3c2fd411a6469334e618dc9bed311b75b94ac708a15f9901fb6db763a6cd519a
Instruction Fuzzy Hash: DCF09070D04248AFCB40EFB4E8455ADBFF2DF45200B1185A9D94DEB252EA30AF4ADB41

Function 022441E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181d05190822f4a831c2779f79cbd7aa20b9354530ba1d95941667b9e102b32d
Instruction ID: 125c4eb4b74c226856c3eeac33835959c5c771cf67489b8f948e1198e31aae0b
Opcode Fuzzy Hash: 181d05190822f4a831c2779f79cbd7aa20b9354530ba1d95941667b9e102b32d
Instruction Fuzzy Hash: 78E0AB307002046FAB08A6AABC449BF769FFBC82A03504C2CF20CD7300CF216D0887A8

Function 02246398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72bf3a3a2aed539643248fe8d5cf14e35aff14a9dcd310191df390340c77caae
Instruction ID: 4914fbbb87aaf4768541600a4750cdbe991ad8ca539fccdd38eee60ae4c8d35b
Opcode Fuzzy Hash: 72bf3a3a2aed539643248fe8d5cf14e35aff14a9dcd310191df390340c77caae
Instruction Fuzzy Hash: 17F08230E00208EF8B00EFB8D94599DBBF2DB44200F1085A89A0DE7344DA306F48DB41

Function 0224CFE0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755bbda4d1e9a9adea140a8334c49e9c49301ef5f8cc1d2508e07cff4fe0ab46
Instruction ID: 82816871824119b6c8f6435f2908431f57788d2ab5b15721ff05fc8e9cb89367
Opcode Fuzzy Hash: 755bbda4d1e9a9adea140a8334c49e9c49301ef5f8cc1d2508e07cff4fe0ab46
Instruction Fuzzy Hash: 06E0922E41E3415FEB2A06D061043683F649BE1319F0980ABD88A4B696CBAF598FDB51

Function 02241FF8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d728be9bf480d49cedb0c05df8bb1c184eb400f1a3abe522d871457f7cdb2a3
Instruction ID: b31d2daf1a36432f1e26cd4dd6566475179b4b2747475287a82cbb45e7c0f401
Opcode Fuzzy Hash: 2d728be9bf480d49cedb0c05df8bb1c184eb400f1a3abe522d871457f7cdb2a3
Instruction Fuzzy Hash: 2DE0DF767012418FC7045B78E86988E7BE6EFDA21531248ABE046CB362DE348C07C751

Function 02242D93 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff537b8fe002830115dfe02f0488949eefdb30b3c0788c0d6017228f3750cb63
Instruction ID: f820be305ddfbf8ac707c11b0b38c42f83a9c79d217655d4d7e779f539bf0a4a
Opcode Fuzzy Hash: ff537b8fe002830115dfe02f0488949eefdb30b3c0788c0d6017228f3750cb63
Instruction Fuzzy Hash: 1AF0E571B20015CFDB54EB6CD8045DD7BB1EB8832431042A5E219DB791DB708D03CB40

Function 02242DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69225f2d8e2c7029db3f3680c32520fe9b5196511b92201f2ea5919fdf19acdc
Instruction ID: 271e080301e95c750946926038102177a9db70db1f1a2fd70c5479b0e9679b02
Opcode Fuzzy Hash: 69225f2d8e2c7029db3f3680c32520fe9b5196511b92201f2ea5919fdf19acdc
Instruction Fuzzy Hash: 10E0C971F20118CF8B84EFBD95056DEBBF5EB48214B1141AAE619E7311EB709E018B91

Function 0224374F Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a8268c3db0e9b5c97623cb2ca9a5fe487fe15c18effad6216493c6d43c9df2
Instruction ID: ae72c14788915c8e54abb736bbacdd42ac35a225efd13470e1293ec4cd6067f0
Opcode Fuzzy Hash: 14a8268c3db0e9b5c97623cb2ca9a5fe487fe15c18effad6216493c6d43c9df2
Instruction Fuzzy Hash: 32E0C2367015105B8328A666A4446BA27A7EBC856632C4026DE0DC3318EF208C0787D1

Function 02242008 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0781695f6fb9ab38187f630acbea688b5d4aa7f11befaee3ed7731e0993a1723
Instruction ID: 4a9e700fc5fd1f8a14430ee6119558658d254270b40aea094746510e82d5afda
Opcode Fuzzy Hash: 0781695f6fb9ab38187f630acbea688b5d4aa7f11befaee3ed7731e0993a1723
Instruction Fuzzy Hash: 90D017357002149FCB146ABEE418C5A77EAEFC962230108AAE50AC7320EE79DC0187A1

Function 022466C8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c79998a97636dd2ec9a2bc2d3091f0d2bd87e0ede16840ff709bb284920be6
Instruction ID: 38d99ef856449876da58817fcbcb85858cd574aedc5df8d2704b5257a21b80e6
Opcode Fuzzy Hash: 02c79998a97636dd2ec9a2bc2d3091f0d2bd87e0ede16840ff709bb284920be6
Instruction Fuzzy Hash: DBD0A73230412197D74025AC701D2ED77C6CBC826378506B7F208C3355CD199D075380

Function 02246469 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b5ee683072a9e3406b13fb54230ec8c277a8491500fdee1fe8b4a03ed65d1db
Instruction ID: 083842da392197908dc85144e83d53d7ef66aa075e2bd61a8f623d058f6c4d29
Opcode Fuzzy Hash: 2b5ee683072a9e3406b13fb54230ec8c277a8491500fdee1fe8b4a03ed65d1db
Instruction Fuzzy Hash: 1BD0A7757442004FC704AB68E0C54107BF2EB9C35070104B5E62CCF3B9DD24DC42C715

Function 02246478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7b670ec34786dc8e55fe5a2a6891c11c405c12fc4aae6899aafb3209610b7e
Instruction ID: bdf0d84519465e710290527747d91eef21a1318616e5905936ab4e0d31f8789e
Opcode Fuzzy Hash: 1e7b670ec34786dc8e55fe5a2a6891c11c405c12fc4aae6899aafb3209610b7e
Instruction Fuzzy Hash: 74C012343802048F8708EB6CE484825B7EAEB8C71431005B8EA29CB339CE20FC828A18

Function 0224CAA0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8eef64b21bee6fb4ab096293f97ce389ddec07c632b219f6f51b8816db23e82
Instruction ID: 80ee16b674efc3c59cfab831a294002cf9623c337b7927ee2505a979748b03d0
Opcode Fuzzy Hash: e8eef64b21bee6fb4ab096293f97ce389ddec07c632b219f6f51b8816db23e82
Instruction Fuzzy Hash: 34C08C9B9456C08EF203243028803803FA09BA6009FCA0482C88089263A108190B8220

Function 02245640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3579376111.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2240000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1471f8e212c536162742d6be7f1ed65b5036fcf3ac0074e568ea768675315745
Instruction ID: 5fa67efa385ea2cef3cef72fff627fe80bfb6ae9e93b82bf254c149b9640868e
Opcode Fuzzy Hash: 1471f8e212c536162742d6be7f1ed65b5036fcf3ac0074e568ea768675315745
Instruction Fuzzy Hash: 05B02B3011020E9787041555FC08C113B1EEBA00283400194AD0C00100AE23D8200080

Analysis Process: GamePall.exePID: 7124, Parent PID: 3524COMMON

Executed Functions

Function 012A4E20 Relevance: 13.2, Strings: 10, Instructions: 742COMMON

Download Yara Rule

Strings

(bq, xrefs: 012A586F
(bq, xrefs: 012A589B
(bq, xrefs: 012A55A3
(bq, xrefs: 012A5082
(bq, xrefs: 012A51CD
(bq, xrefs: 012A51F9
(bq, xrefs: 012A5655
(bq, xrefs: 012A55CF
(bq, xrefs: 012A5056
(bq, xrefs: 012A4EAC

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq
API String ID: 0-668029649
Opcode ID: c16af83cd69f0009c4fec307651d5324db7e585fcd012736beb493de913871b2
Instruction ID: 5212baf46cbbc4692956a146f896216e8b495d21bb362f7818e9b692f4031c9b
Opcode Fuzzy Hash: c16af83cd69f0009c4fec307651d5324db7e585fcd012736beb493de913871b2
Instruction Fuzzy Hash: E252EF30B102558FDB09DF68D8546AEBBF2BF89301F1480AAE506EB391DB74DC46CB91

Function 012A1049 Relevance: .8, Instructions: 841COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75ec204671a639d5ae09e1f3cdb06c8f0244ef7aecfd0eefdd858eb8abf605a
Instruction ID: cbfa70bfdcd9164598f56cdb9bb3920822228fd670854cd2aabcad3133371f2c
Opcode Fuzzy Hash: c75ec204671a639d5ae09e1f3cdb06c8f0244ef7aecfd0eefdd858eb8abf605a
Instruction Fuzzy Hash: 94829F74640209DFDB06DFA4D658B6E7B77EB88300F104468E805337A9CA3EADD5DB26

Function 012A3750 Relevance: 3.8, Strings: 3, Instructions: 88COMMON

Download Yara Rule

Strings

(bq, xrefs: 012A3786
(bq, xrefs: 012A37B2
(bq, xrefs: 012A3820

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: f7189311b4131f6e50a23e48b31064b6a41bb1d4cef33ed2edc064361c337ca7
Instruction ID: 8ebf0d9e2a70c3b0137cd107adce054b1f72bd0ec7408177f90f72dcc2157dbc
Opcode Fuzzy Hash: f7189311b4131f6e50a23e48b31064b6a41bb1d4cef33ed2edc064361c337ca7
Instruction Fuzzy Hash: 4F214B317142A04FD71AAF7D581413F3BEBEBC622131882AAD906C73D1DD388D0B8796

Function 012A3BE0 Relevance: 3.0, Strings: 2, Instructions: 462COMMON

Download Yara Rule

Strings

(bq, xrefs: 012A3DE5
(bq, xrefs: 012A419C

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 8d95ccbbd7d8450d04776c680636c48dc8bb4a6d434f4b8f4ec4fa328391bd1f
Instruction ID: 79bd960541c70b978bb9e6b5138bbbace2bd170d9aa6f3904b7962e3c84bdbc5
Opcode Fuzzy Hash: 8d95ccbbd7d8450d04776c680636c48dc8bb4a6d434f4b8f4ec4fa328391bd1f
Instruction Fuzzy Hash: 1AF17D30B102059FDB09DF79D85466E7BABEFC8300F148469E506EB3A5DE39DC468B91

Function 012A385A Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

(bq, xrefs: 012A3BA1

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 205cba941c017cfaa18ec011b76e830b8c9aad3d958eaa3eeb0c8e6f6e22943a
Instruction ID: 3c113759e5c2ea3f9e7afb2c26233f0ee3177a859fe3535a35077acc7b8d50c4
Opcode Fuzzy Hash: 205cba941c017cfaa18ec011b76e830b8c9aad3d958eaa3eeb0c8e6f6e22943a
Instruction Fuzzy Hash: 96C15C74B10219DFDB05DFA8D954AAEBBB7FF88300F108469E905A73A4DA39DC41CB91

Function 012A35E1 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

(bq, xrefs: 012A36B6

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 6d6450f7ae775b8de32add2c7673744db4e4d97096baa518acd6f442e3f5c51b
Instruction ID: 9c4f0a2aae1471856fdd285c6072bb8e693dba9715e04105ec4bad0d0c46872f
Opcode Fuzzy Hash: 6d6450f7ae775b8de32add2c7673744db4e4d97096baa518acd6f442e3f5c51b
Instruction Fuzzy Hash: B14112317102011FE71DEB39A81063F2BABFFC5250B2888A9D506DB3A4EE34DC4B8795

Function 012ABEAF Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

Te^q, xrefs: 012ABF75

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: a3ebdf3cb6fbe239c12bd1fa0e286123d830aebf90e8d42e1254dac2ad67f3f7
Instruction ID: ca32326b97beeec465a7d4bb43907f976f2c15e432dd62051282d126327270a3
Opcode Fuzzy Hash: a3ebdf3cb6fbe239c12bd1fa0e286123d830aebf90e8d42e1254dac2ad67f3f7
Instruction Fuzzy Hash: AF419C347101118FC748DF2DC988A6EBBE6FF88710F2581A9E50ADB3B5CA30EC058B80

Function 012ABEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Te^q, xrefs: 012ABF75

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 20fba3b610e9ebf2c9bcc5ec1c05dd762f74ecd3d41ffaba61e043f8992f632a
Instruction ID: 767f8f9ef0ebe778bb9897e0c11f06b637899aeda1ae4b151ddd6cf6c60037e0
Opcode Fuzzy Hash: 20fba3b610e9ebf2c9bcc5ec1c05dd762f74ecd3d41ffaba61e043f8992f632a
Instruction Fuzzy Hash: E7419C347102158FC748DF2DC488A2EBBE6FF88710F2585A9E50ADB3B5CA71EC058B80

Function 012A2B10 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

LR^q, xrefs: 012A2B35

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 27e470cbac9ed326f94cda9bcc642978f7344a5d1ca52894ab454db4e8fc3e82
Instruction ID: 5d744e24dcb531888fdfdb091f6359d040079421ae557f6414d414aa1e2fdad2
Opcode Fuzzy Hash: 27e470cbac9ed326f94cda9bcc642978f7344a5d1ca52894ab454db4e8fc3e82
Instruction Fuzzy Hash: D6311E707102058FD719AF36D45466E37B2EBC9A09B208178D14ACF3A5DE39DC43CB8A

Function 012A4237 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

(bq, xrefs: 012A4295

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: f6292c1bbd587f1e3e5b8be6352aad0e14a9381b6426c40ad04db055331afde6
Instruction ID: f407fc927415e643cd5ea24cf64302e7923d2badbc58171e307c8b1f668e82de
Opcode Fuzzy Hash: f6292c1bbd587f1e3e5b8be6352aad0e14a9381b6426c40ad04db055331afde6
Instruction Fuzzy Hash: 952167327082904FE71EEB79AC2427E6B97FFC2210B4845AED405CF394DE619C0A8795

Function 012ACEC0 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

0uU[, xrefs: 012ACEFA

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID: 0uU[
API String ID: 0-3089149035
Opcode ID: 5e64ea2a268420ac6978f9412495a9a00fc872a11aa4db6075c2ff738ecb3af2
Instruction ID: e991a65c3bc881c7814d43fc06916e6e37d62034a46ee8443a32640a54d630f2
Opcode Fuzzy Hash: 5e64ea2a268420ac6978f9412495a9a00fc872a11aa4db6075c2ff738ecb3af2
Instruction Fuzzy Hash: 1C215570C24248DFDB15CFA8D54979DBFB6AB49314F2480AEE909A7240CB756945CF90

Function 012ACED0 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

0uU[, xrefs: 012ACEFA

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID: 0uU[
API String ID: 0-3089149035
Opcode ID: 8231a4264a23080727f1bb3f07e76dfb6562522370a6bba6c32e0cc6f84b9386
Instruction ID: 556e14845e4b23974e7c08d57172da718b99b025373c3949dee2817243ac66de
Opcode Fuzzy Hash: 8231a4264a23080727f1bb3f07e76dfb6562522370a6bba6c32e0cc6f84b9386
Instruction Fuzzy Hash: 72213570D20208DFDB15CFA8D549A9EBFF6AB48310F20806EE805A7340CB75A945DF90

Function 012A1058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4d5f0019d2df7617a0d82c17d8378c9514d1447a3252ba71bc84eef5c5d0e4
Instruction ID: 528a812f5a4176f603e71a9f2e269dcf34906f6a934126b448a7346b1587170b
Opcode Fuzzy Hash: 9f4d5f0019d2df7617a0d82c17d8378c9514d1447a3252ba71bc84eef5c5d0e4
Instruction Fuzzy Hash: 4182AF74640209DFDB06DFA4D658B6E7B77EB88300F104468E805337A9CA3EADD5DB26

Function 012AB0B0 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43be97231e9a6efa68da60aebc939fb4abf631f363ea23e74d2177265f782db1
Instruction ID: 7b40b40b1140056c769dd088d8d4630bae99f62a3c975639738cf710c67f9ec9
Opcode Fuzzy Hash: 43be97231e9a6efa68da60aebc939fb4abf631f363ea23e74d2177265f782db1
Instruction Fuzzy Hash: 81525930A11201CFC719EF28E59892DBBB2FB84306B64857DD90A9B365DB79EC85CF41

Function 012AAF90 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa87b93aca55ad825fc202f12146fe9127d9fac52b43d4ba5fd82955fcf790a
Instruction ID: 12f9272874f4991f98d6455be78073e1dfa0325516fba4be4ca3c5d836179dc4
Opcode Fuzzy Hash: aaa87b93aca55ad825fc202f12146fe9127d9fac52b43d4ba5fd82955fcf790a
Instruction Fuzzy Hash: 8F61CF315193944FDB07AB3C9864599BFB1EF83314B4985EBC084DB1B7EA649C4CCBA2

Function 012AC060 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ee6f2d7581282fbaf6105834b057fa65d75b720776068c80dd61e12eb4a150
Instruction ID: 3f64d7eeb689fc68f5ae9c3ac1926f88c2701fd4c7791db4e79331986c29124e
Opcode Fuzzy Hash: d9ee6f2d7581282fbaf6105834b057fa65d75b720776068c80dd61e12eb4a150
Instruction Fuzzy Hash: BF71E4716016059FC35ADB25CA5059BFBB2FF843043548A6E804A8FB64EF72F94A8FC0

Function 012AC070 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f220d6392350e37db21b7bad50abe9881a27b1b9b9ebd24126f11b51029d9c1e
Instruction ID: c8b148ec8ff523a313ba6d0b6814d67c0a9f5b2b2ab95a225f6958df486c5b62
Opcode Fuzzy Hash: f220d6392350e37db21b7bad50abe9881a27b1b9b9ebd24126f11b51029d9c1e
Instruction Fuzzy Hash: 2D71C4716106059FC359EB25CA5059BFBA2FF84314354CA6E804A8FB64EF72F94A8FC0

Function 012ABB99 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba49c1b57c3f0a96f2b5cdabdc4da5d0c450b3b84e2f7570c07cff6e0c1ff34
Instruction ID: 377028b2e171765980385c1a9d0a73412c366061b0a5aa4f9e8058c1be147d6f
Opcode Fuzzy Hash: 2ba49c1b57c3f0a96f2b5cdabdc4da5d0c450b3b84e2f7570c07cff6e0c1ff34
Instruction Fuzzy Hash: B081D830912605CFC722EF14E689919BBA2FB44306F55C679DA159B339C778EC89CF41

Function 012A5A91 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8cf3f98ea551268aa9f659d1e272bdccbe5d00574b76344df1050f238b32b17
Instruction ID: 75e5a64a63d62b69be35b0ec1ffe6d68152f8344ffe138207467626570725eee
Opcode Fuzzy Hash: c8cf3f98ea551268aa9f659d1e272bdccbe5d00574b76344df1050f238b32b17
Instruction Fuzzy Hash: FA515B75B102068FCB04DF68C994A6EBBF6FF88310B5141A9E50ADB365DB34DC45CB60

Function 012AC798 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae79494b3c311806668dec48cb9785ecd8fa39b43f3d3e309e1d0f5484c0134
Instruction ID: cc04bb1a0dc96cbebacdd2d6b9e91bd0c038ee1bfd939acf8800572546ef4095
Opcode Fuzzy Hash: 6ae79494b3c311806668dec48cb9785ecd8fa39b43f3d3e309e1d0f5484c0134
Instruction Fuzzy Hash: 3351D6716106019FC369DB24D95059AFBE2EF853043548B6EC08A9B764EF71F94A8FC1

Function 012A5240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029eecb82f78ef1f6a1b9948b2156dc377f1ae41cc5482ec914b6a33ccd2b802
Instruction ID: 983df55d038df50a3f017a3e8bec9b48ebb775fcd52aee4da0f70d6e45281328
Opcode Fuzzy Hash: 029eecb82f78ef1f6a1b9948b2156dc377f1ae41cc5482ec914b6a33ccd2b802
Instruction Fuzzy Hash: 03513B30A20219DFDB08DFA9D484AAEBBB2FF88311F548069E905A7395DB749C41CF90

Function 012AC7A8 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04143d094b27a34d39b475de7e5d5ae753b5aa32324540e9304df522f3a7c44
Instruction ID: 60321539837b3e3a8ca5ec2787353cf65d4167c2fb9609c1aec67c475c0d77a7
Opcode Fuzzy Hash: c04143d094b27a34d39b475de7e5d5ae753b5aa32324540e9304df522f3a7c44
Instruction Fuzzy Hash: F651E4716106019FC369EB24D95055AFBE2EF85300354CA6EC08A9B764EF71F94A8FC1

Function 012A2850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3c65a24de06e7ea7ab628881a7ed58faa18e1227d54b60f7a7176631341d70
Instruction ID: 0995f45bb0ef40158da2b2e94ffca5763cc261af1fc02dec0abbbaef58622351
Opcode Fuzzy Hash: 1d3c65a24de06e7ea7ab628881a7ed58faa18e1227d54b60f7a7176631341d70
Instruction Fuzzy Hash: 3E412970A10209CFDB14DFB9D9949EDBBB6FF88300F205529D905A7269EB399C85CF50

Function 012A2842 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14822b0c72e95514a923985eee68d8031966b5dbd9f1c6b84fd5c6d9de325cf6
Instruction ID: 07f5060250edaf106d0812e0ce204b08338ecad0bc77fc0a1c601c1951141d29
Opcode Fuzzy Hash: 14822b0c72e95514a923985eee68d8031966b5dbd9f1c6b84fd5c6d9de325cf6
Instruction Fuzzy Hash: 1C415E30E10209CFDB18DFB8D9946EDBBB6FF88300F245529D501A7268EB799885CF50

Function 012A5308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80dbf545c02e7d06f31e1b94b0f5c579e25586f81ce7126c1a20e5e892af5340
Instruction ID: 6c087ceaff212ada2d7944957495a526d31e6a7fa008a96612f905816d5aeb81
Opcode Fuzzy Hash: 80dbf545c02e7d06f31e1b94b0f5c579e25586f81ce7126c1a20e5e892af5340
Instruction Fuzzy Hash: A5411E74A10115DFCB04DFA5E4949ADBBB2FF88311F508065E905A7365DB38DC42CF90

Function 012A2C48 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd6d1a4767a56097afaac08fb034b9f9cf7b6c9175f93ce3af21ccd02811cef
Instruction ID: 4ca26fd757c3dffdb65282583603276d7ef41755b7b6df1101f95651f58bbf9a
Opcode Fuzzy Hash: 4cd6d1a4767a56097afaac08fb034b9f9cf7b6c9175f93ce3af21ccd02811cef
Instruction Fuzzy Hash: CD41067490020ACFDB05DFA8D9946AEBBB1FB48315F104179D505B73A5DB38AD85CF90

Function 012A4B50 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4f36bf2a910b74bfb2ef452e3ae9f8e7bfba010530d18ae93743dc820faee7
Instruction ID: 7b83b1fb90e9935e0e78b32498eb5854c25b0c5f371d188fbc69249d27bee2cb
Opcode Fuzzy Hash: 6a4f36bf2a910b74bfb2ef452e3ae9f8e7bfba010530d18ae93743dc820faee7
Instruction Fuzzy Hash: 572106302043415FD719EB38DC50A6EBBA6FF81300F044A69D0058F2A5DBB5AD8D8B95

Function 012AB0A0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660824e65ebbb52249d6ac2dff5accf7f44df7fdfde8575d2ebbb53836ccf255
Instruction ID: 709e6401a0fcb9c78b3ff3ae4550a92ccf82897772b045bb0ea11676e1726931
Opcode Fuzzy Hash: 660824e65ebbb52249d6ac2dff5accf7f44df7fdfde8575d2ebbb53836ccf255
Instruction Fuzzy Hash: 6931E0306102158FCB19EB78D9846ADBFA6FF85300F54862DC10AAB3A5DF75AC49CB80

Function 012A2C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d62a676d02bd57d68f937131f633ae902d2c26209712fd6cdcf1d6307616511
Instruction ID: 7f30cc5ba216a3fc3cb4f1980635df744206d4919f55546f0639963a61126155
Opcode Fuzzy Hash: 5d62a676d02bd57d68f937131f633ae902d2c26209712fd6cdcf1d6307616511
Instruction Fuzzy Hash: 5D31077490020ACFDB05DFA8D994AAEBBB6FB88314F104139D505B7365EB38AD85CF90

Function 012A288D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f123817c2c65488af73442070d562147a69527d7936eec8b54dd61cd00c14e0
Instruction ID: 7f3d51aa0f30408cad08ae26e34054fb263b3002f9b7a30a54c55f147895069b
Opcode Fuzzy Hash: 0f123817c2c65488af73442070d562147a69527d7936eec8b54dd61cd00c14e0
Instruction Fuzzy Hash: 32314030910209CFDB14DFB9D9945EDBBB6FF88340F245129D505A7268DB799C85CF10

Function 012A4B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a244c4902d762e99e06ab2acad9e5af89ac739950b0f7a0f28d0a09e3d889f4b
Instruction ID: f706c990858e2552e8403cb5ebbabda0149844f7378dd8f701e7c404ae1d393d
Opcode Fuzzy Hash: a244c4902d762e99e06ab2acad9e5af89ac739950b0f7a0f28d0a09e3d889f4b
Instruction Fuzzy Hash: 992151302002025FDB19EF79ED40A6EB7A6FBC4310B448A38D4158B368DF75ED8D8B95

Function 012A5C42 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905fdf1cd85b92d73f9e083f54b3edcf2ed32da33cd698037b230d032c75b224
Instruction ID: 8e3f83eb05b918234cfcd1ec316a053d097b203b5efade19973af2b19a08c7f3
Opcode Fuzzy Hash: 905fdf1cd85b92d73f9e083f54b3edcf2ed32da33cd698037b230d032c75b224
Instruction Fuzzy Hash: 47219D71A042498FCB11CFA9C598ADDBFF2BF49310F1501AAE441EB2A2CB755D45CB60

Function 012A2908 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6544778618c9c0053127eabe95339209a643d23123e2b53546ae1a169525ab9b
Instruction ID: ca79ddedd1ee311713bfa06cb0ef6f687dbdc2fee25e7be31a321f1a97c096dc
Opcode Fuzzy Hash: 6544778618c9c0053127eabe95339209a643d23123e2b53546ae1a169525ab9b
Instruction Fuzzy Hash: A1212870E10209CFDF14DFA9D9909EDBBB6FF88340F108129D915A7268DB789845CF21

Function 012A6888 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4da0ea10c647b443ba5d5ed411e0a152bab86848a18c4ec0f2fe6255c6762c6
Instruction ID: fdbb5a6cf9e35fc439fa1839fe7e76b3277b324daa9a88169f674553f700137d
Opcode Fuzzy Hash: a4da0ea10c647b443ba5d5ed411e0a152bab86848a18c4ec0f2fe6255c6762c6
Instruction Fuzzy Hash: DB21AF71910207CFDB10DFA4C9487EEFBF2AF44304F9880AAD505A7252DB759E49CB51

Function 012A5C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea69339e4075a67ea651589cfce9068e211fc5ceaa2a5cf417140f7b25b52d7e
Instruction ID: f607aeb680d7328d65e464df632bf6ac1a6530144b50193485d33b848f5e01c8
Opcode Fuzzy Hash: ea69339e4075a67ea651589cfce9068e211fc5ceaa2a5cf417140f7b25b52d7e
Instruction Fuzzy Hash: 51216A35A002198FDF10CBA9C588ADEBBF2BF4C310F6000A5E505BB361CB75AD44CBA0

Function 012A296A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd1988ae2179d955ecafda8a6ed7f073a8720295817f67665976beafaba57c2
Instruction ID: 7c0982f1925893928d9085bec6c4cd82cd05f51229e2ccc5c6a4b675c5bc8a9f
Opcode Fuzzy Hash: 7dd1988ae2179d955ecafda8a6ed7f073a8720295817f67665976beafaba57c2
Instruction Fuzzy Hash: 7421E774A10209DFDF14DFA8D9849ADBBB6FF88300F204129D909AB364DB79AD85CF50

Function 012A41A2 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442904c0e0bb1c96428d005fdf7cb7fa66a9690b8547361653509709624bb656
Instruction ID: cd40fae2e593f2d30e45f3746a78ae6c4e1fad9e10bab87017df2afc78000bc6
Opcode Fuzzy Hash: 442904c0e0bb1c96428d005fdf7cb7fa66a9690b8547361653509709624bb656
Instruction Fuzzy Hash: 7D0147327082915FD70EAF759C701BE3FBAFF86211764089BD405EB386CE214D0A8766

Function 012AC000 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22320e47ce7bec96332e8360c6e31b887710735d906802acdb5932f6eaf81b18
Instruction ID: 096b6d3283e98291e785666800813aff0f11db1944beb8ac18255479b92a83d6
Opcode Fuzzy Hash: 22320e47ce7bec96332e8360c6e31b887710735d906802acdb5932f6eaf81b18
Instruction Fuzzy Hash: 081165303101168FCB05DF28E884D99BBB2FF85B14B1585A9E50ACB376CB31EE498B80

Function 012A32E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b100ed84e89b305a0dbb598b00949630601007c2ba65b838ed650ad5d057c4fb
Instruction ID: 82c564f30dd704d97f60387d0a218eb81077cec1ea1964d67c531e9fb75b9edf
Opcode Fuzzy Hash: b100ed84e89b305a0dbb598b00949630601007c2ba65b838ed650ad5d057c4fb
Instruction Fuzzy Hash: C811C034A10204CFCB18DFB4ED59BAD7BBAAB89305F405429D802E7389DF7A5851CB50

Function 012A5940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1605608115f5cfbba9ba4d93648c573bc0981b21ed0a230ed2975e0f0df1dc2a
Instruction ID: 6c15e057fe08178469115e5f8815a4d50c19a08f72f6c7125042a4357a177e90
Opcode Fuzzy Hash: 1605608115f5cfbba9ba4d93648c573bc0981b21ed0a230ed2975e0f0df1dc2a
Instruction Fuzzy Hash: A20168763101209F8718DFADFC9486EB7AAFBD9661310957EEA05C7354CE35DC0587A0

Function 012A2A80 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3be4bdb443263b57cf07dce319a831af7d932d29b84a530de8ed091003142d8
Instruction ID: 752e0535fdf167d3a58acd18c29aa39995378dc8a772b665c8f5b62a1ddf0a41
Opcode Fuzzy Hash: e3be4bdb443263b57cf07dce319a831af7d932d29b84a530de8ed091003142d8
Instruction Fuzzy Hash: 58019E746503108FC319DF38C90599A7BF1FF8160471089AAD149DF7A5DB31EC088BC0

Function 012A32F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2936d49b2369fbbb6bb620baa40264e212c41dfdc47fff340b0f4bbbcad615f3
Instruction ID: d1e339192cb17a6802d86b5c7107e74c7bdce6aa0481a77a4d868d7da1973583
Opcode Fuzzy Hash: 2936d49b2369fbbb6bb620baa40264e212c41dfdc47fff340b0f4bbbcad615f3
Instruction Fuzzy Hash: A9015E34A10204CFCB14EFB4EC587AE7BBAEB99301F405428D902A7389DF395814CBA0

Function 012A6388 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab0188de84ec30442f8b80419b305da30560729b2fa80f9cfcff5e9cba577af
Instruction ID: a22a83e58d813edc138a3f7065800e0f11da0c35a832baa6d09e6ed1e5f020db
Opcode Fuzzy Hash: fab0188de84ec30442f8b80419b305da30560729b2fa80f9cfcff5e9cba577af
Instruction Fuzzy Hash: 2FF0A930E00349EFCB84EFA8D8405ADBBF1EF95210B2082AAD448E7250E6344E45CB41

Function 012A41E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4188e5c90681cfa622ab4a8fec7e7a49a2fc0df70fea158e3e7b87f970a1fa
Instruction ID: 3fe4f96892dc34739abc18570e7ce515b83d5182957422043e3603393cba28ea
Opcode Fuzzy Hash: 9f4188e5c90681cfa622ab4a8fec7e7a49a2fc0df70fea158e3e7b87f970a1fa
Instruction Fuzzy Hash: D3E022317042252FAB2CEBAABC5097FB69FFBC8160754092DE009DB304DF216C0947B9

Function 012A593E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b2ec018f4d5214588086e4400babb6ac3fb5ac8a1355bdc40d3f3c5eba888a
Instruction ID: aadf0fe64a2511af32f5962fb30365a3033e6bca3d4fae8541af0c456c73aeca
Opcode Fuzzy Hash: c2b2ec018f4d5214588086e4400babb6ac3fb5ac8a1355bdc40d3f3c5eba888a
Instruction Fuzzy Hash: 98F089753001109F8715DF69E584C6D77AAFBC9255310857AE505D7364CB35DC0287A0

Function 012A2D92 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e142c938f0ca5a862d10c0ee3efff6ad42c27a0cfc7a55c7a015c820d4cff4f2
Instruction ID: f4eccbb665e8fa3f8906a6cac66e1cbbfa8a3fc5d50addd6deec9b508cbcde2c
Opcode Fuzzy Hash: e142c938f0ca5a862d10c0ee3efff6ad42c27a0cfc7a55c7a015c820d4cff4f2
Instruction Fuzzy Hash: A7F05874A241198FCB48EFB8C9016E9BBF5FF48700B1081AAD619EB711EB709901CB91

Function 012A6398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79bb51b16ab1fa0c94744bbfa11275963922b7a76b5b5cc0810bfe9ca65d11ff
Instruction ID: 12a36b0ce835b43727b840adef5af486697196afd171c19ddc949795a3d11543
Opcode Fuzzy Hash: 79bb51b16ab1fa0c94744bbfa11275963922b7a76b5b5cc0810bfe9ca65d11ff
Instruction Fuzzy Hash: 57F01C34A00209EF8B44EFA8D9455ADBBF5EB94200F5092A89908E7344DA356E459B51

Function 012ACFE0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bdc57ecbf9e8ace771dbd32f710fcee2dd6a976b2c57b322686631fe5526689
Instruction ID: 4c6648699ae6c2921ff5ab20c2c89f205123ffe8a8713910dccdd93bd3a29a44
Opcode Fuzzy Hash: 3bdc57ecbf9e8ace771dbd32f710fcee2dd6a976b2c57b322686631fe5526689
Instruction Fuzzy Hash: ECF0233502D3864BDF214655B11D3313F585F42315F4DC0DFF5484B9A3DAA58148EB92

Function 012A1FF8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975130cf286da8ca578faef4d50bb07ba4c075abc5d05d2dec548faa80daf986
Instruction ID: c66a611e1f01bb797beae19c2bcc556e36891d78b803f11aab118fe1f0a1fcfb
Opcode Fuzzy Hash: 975130cf286da8ca578faef4d50bb07ba4c075abc5d05d2dec548faa80daf986
Instruction Fuzzy Hash: E4E092357443804FCB165B399858A997FA9DFC7715B0504EFF006CB3A6D9B28C058721

Function 012A2DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f110bcda033997d3df72d199900ea5e39f00070c34be78493cc50cb7540244da
Instruction ID: fb7d42ec8856ee0f625edd431b968e850a25a9718007361b31479cf2fa685ed1
Opcode Fuzzy Hash: f110bcda033997d3df72d199900ea5e39f00070c34be78493cc50cb7540244da
Instruction Fuzzy Hash: 1CE0ED71E20118CF8B84EFBCD5056DEBBF9EF49310B5140AAD519E7311EB709D018B91

Function 012ACFF0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b4183853b0fcc1e11bc209ee4f59486dc691beabb65a08d5ada2a18db605af
Instruction ID: 8e5661d35ee38d5a6e99c4b68b64e692b3a245008eadc98cbba5bd74d363e722
Opcode Fuzzy Hash: 78b4183853b0fcc1e11bc209ee4f59486dc691beabb65a08d5ada2a18db605af
Instruction Fuzzy Hash: 31E0CD3407930547FF100199A11E3703E494B40359F54C09EB50D46991DAF79089FF50

Function 012A66C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9a7f5bce1480a14743f81b8fd167229c0cd5b6d85b00521d5e98297e913d32
Instruction ID: 8473fb8aab7120fc895c5a96144a091177faee60ce45b1cae18be1bdcf42382f
Opcode Fuzzy Hash: 1b9a7f5bce1480a14743f81b8fd167229c0cd5b6d85b00521d5e98297e913d32
Instruction Fuzzy Hash: 38D0A7313142609FC7099A6CBC200E937DDEFCB12135A12BBF149C7315CD664C075755

Function 012ACAA0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4d21bfcaf307a65842a24b3fea097e3b588cc0877bbb925a6dc5a9b993e9dd
Instruction ID: 58952a1845acff9a2cb52f21bef2561f7003742429fe187f961eb3cdb66ec8f2
Opcode Fuzzy Hash: fa4d21bfcaf307a65842a24b3fea097e3b588cc0877bbb925a6dc5a9b993e9dd
Instruction Fuzzy Hash: 7BD05E3521D3C28FC3034B3809352647FB09BAB110BA940DBE2C5DE1A3D10418139322

Function 012A6478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ad779d10c922070e459dad5282ea30624e60e027f73f9c8bd0a8919a762141
Instruction ID: 77bd76816ea66d88f69270efd1b29a213273979d2162d5e12b0e49f6c8f0f815
Opcode Fuzzy Hash: b4ad779d10c922070e459dad5282ea30624e60e027f73f9c8bd0a8919a762141
Instruction Fuzzy Hash: FFC012753842088F8708DF6CE480826B3EEFB8C71071000B8E619CB339CE24FC828A18

Function 012A5640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3519726751.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12a0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e51fef816637c13dce52cf11c43940b108345eb9203508fbe7a012abc896574
Instruction ID: dc491302166ed9642b10484ab29ac0549d32aa093495de9e88090971ac04d1b5
Opcode Fuzzy Hash: 1e51fef816637c13dce52cf11c43940b108345eb9203508fbe7a012abc896574
Instruction Fuzzy Hash: ABB02B3011020A5B97100959BC095123B1DEB505183400194AF0801100AD23C4204180

Analysis Process: GamePall.exePID: 1436, Parent PID: 3524COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 0120E598 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 0120E602

Memory Dump Source

Source File: 00000010.00000002.3636335996.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1200000_GamePall.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: abcaebd4a665159ed780db131782731bde456dae685f2802d2d51adf922b34ce
Instruction ID: 1709e6b2c6904c3cddc0c906198463e66e250e59d32c28dccbd1845a27159f0b
Opcode Fuzzy Hash: abcaebd4a665159ed780db131782731bde456dae685f2802d2d51adf922b34ce
Instruction Fuzzy Hash: 5001A2313101185FD3049BA9E8919AE7BBAFFC9350B508529E109C7361CE329C058BA0

Function 0120E5A8 Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 0120E602

Memory Dump Source

Source File: 00000010.00000002.3636335996.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1200000_GamePall.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 457acb6a2f02bce858e30f0a5cab10db42fd1b668ae0a1d8f5cf99b3a601ebe0
Instruction ID: d2dcf4ac8387753cb03d63b8659b9b3a2158132b59911e0dd8f77a34550e391d
Opcode Fuzzy Hash: 457acb6a2f02bce858e30f0a5cab10db42fd1b668ae0a1d8f5cf99b3a601ebe0
Instruction Fuzzy Hash: 27F04F313001189F8704DB9DE8959AF7BAEFFC93607504529E509D7360DE319C048BA1

Function 00FBD6B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3577211454.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fbd000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96522753287e0e8c2452407cc0bc5edae71877ac95a1708687577c04442d37a1
Instruction ID: 22e060ca95954af0bffe94bfff2b40c73dc9871b47d20c65e8ca5b9c77bc0824
Opcode Fuzzy Hash: 96522753287e0e8c2452407cc0bc5edae71877ac95a1708687577c04442d37a1
Instruction Fuzzy Hash: 7121F275904204DFCB04DF15C9C4BA6BBA5FB84328F34C569E8094B292DB36D846DE62

Function 00FBD0EC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3577211454.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fbd000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a2d2e36a92c9a51314f29297c09b5770b1e65e4839aa97cd3a6d79936c90e0
Instruction ID: dbe8a22b1a67749a9a0ad3d7421b07717ccb975710c0bb3a2680d0db3a255cc4
Opcode Fuzzy Hash: 68a2d2e36a92c9a51314f29297c09b5770b1e65e4839aa97cd3a6d79936c90e0
Instruction Fuzzy Hash: 2D2124B1A04240DFEB04EF19D9C4B66BBA5EB94324F20C66DD9094B391D33AD846DA63

Function 00FBE1DC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3577211454.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fbd000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71b0f923ffda25fcff72380d1f638c640d03ad1c52ee80979dca9861baafe18
Instruction ID: dd9b1b842065916025c524a878d9842a7bdcc010dc2578a46cb92031f8e71c39
Opcode Fuzzy Hash: b71b0f923ffda25fcff72380d1f638c640d03ad1c52ee80979dca9861baafe18
Instruction Fuzzy Hash: 072157B1E04240DFDB04EF24D6C4BA6BBA9EB94314F30C67DD9094B381C33AD846DA62

Function 00FBD6AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3577211454.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fbd000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 5bcd250173e60a202ac4a66e205bc72807a2a2e6d951ceb8b9f5b6d6d94988a1
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 6011D075904240CFCB01CF10C5C4B55BF61FB44328F34C6A9D8494B252D33AD80ADF62

Function 00FBD0E7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3577211454.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fbd000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction ID: 00e620f5f53e015add3e21b599abf8252fb70daff686c14caeea71db1c719707
Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction Fuzzy Hash: 7211CEB59042808FEB15DF18D5C4B55BBB1FB94324F24C6AED8494B652C33A984ACF52

Function 00FBE1D7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3577211454.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fbd000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction ID: 9fa29a22a23b0ca86aefd876e0655612031e5949b8f5d10ee175bd776b96f4e6
Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction Fuzzy Hash: B511A0B5904280CFDB15DF24D5C4BA5BFA1FB55324F24C6ADC8494B692C33AD84ACF52

Analysis Process: GamePall.exePID: 5768, Parent PID: 3524COMMON

Executed Functions

Function 031E4F58 Relevance: 11.9, Strings: 9, Instructions: 611COMMON

Download Yara Rule

Strings

(bq, xrefs: 031E55CF
(bq, xrefs: 031E55A3
(bq, xrefs: 031E589B
(bq, xrefs: 031E5082
(bq, xrefs: 031E51CD
(bq, xrefs: 031E5655
(bq, xrefs: 031E51F9
(bq, xrefs: 031E586F
(bq, xrefs: 031E5056

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq
API String ID: 0-1872187367
Opcode ID: 199de31da7bea5d6c7a8b5bdb5fcc4b0fd9160b9e01d53d5c1637d24d971e929
Instruction ID: 0f5ae5527b480b5c88e905b6584dede5c691185cf1fc4e8fd1a85634775ad638
Opcode Fuzzy Hash: 199de31da7bea5d6c7a8b5bdb5fcc4b0fd9160b9e01d53d5c1637d24d971e929
Instruction Fuzzy Hash: 40328E34A016188FDB09DF69D454AAEBBF3AF8E305F248169E405AB391DF35DC42CB91

Function 031E3860 Relevance: 4.4, Strings: 3, Instructions: 691COMMON

Download Yara Rule

Strings

(bq, xrefs: 031E419C
(bq, xrefs: 031E3BA1
(bq, xrefs: 031E3DE5

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 3f272b747711de75afd8c55df3dcd87e23aa56ad2e2442f97cd495c0a2592dab
Instruction ID: 8630063b12e3097b6517517800d070936f2dd9b066ad7f791b25ed24f4e9c554
Opcode Fuzzy Hash: 3f272b747711de75afd8c55df3dcd87e23aa56ad2e2442f97cd495c0a2592dab
Instruction Fuzzy Hash: 1B426F38B012149FDB05DBA9E854AAEBBBBEF8C310F148469E416A73A4DF35DC41CB50

Function 031E1049 Relevance: .8, Instructions: 844COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62831c26d9d2ef7483572c784f6046c900ded6140521e71c087c12ac0c7d5b55
Instruction ID: 66b005233d408ea03309914d02ffa8d7c07de1a88d63c248522111af67b68eef
Opcode Fuzzy Hash: 62831c26d9d2ef7483572c784f6046c900ded6140521e71c087c12ac0c7d5b55
Instruction Fuzzy Hash: F182A074641209DFDB06DBA4E654B7F7B7BEB8C300F205454E801337A8CA3AAD95DB26

Function 031E35F0 Relevance: 3.9, Strings: 3, Instructions: 161COMMON

Download Yara Rule

Strings

(bq, xrefs: 031E37B2
(bq, xrefs: 031E36B6
(bq, xrefs: 031E3786

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 06eedc4f6c84506f1ccdfe559cf985f72c55712bf52bedd0dc3495eb9abcb98e
Instruction ID: 4ab3031449109a21aa215e4457ec41ba1178053e75f3fb59e2b0058652acb6bd
Opcode Fuzzy Hash: 06eedc4f6c84506f1ccdfe559cf985f72c55712bf52bedd0dc3495eb9abcb98e
Instruction Fuzzy Hash: 1D4158357056000FE71DBB39986053F66EBEBC9260B688A78D416CB3E4DE34DC078795

Function 031E2A80 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

LR^q, xrefs: 031E2B35

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 65539e774b906e1c9af5ed8fe9e28534bc217465e79936fe3bf90e29df0709a2
Instruction ID: fb0cb9cd57ec9fcdea8a3d70403b3fdc9ac5de2fea55833275a84d4c6401bc14
Opcode Fuzzy Hash: 65539e774b906e1c9af5ed8fe9e28534bc217465e79936fe3bf90e29df0709a2
Instruction Fuzzy Hash: 04518A747116058FC719EB39D45896A77F6EFC9A14B2089B8D04ACF3A4DB36DC038B86

Function 031EBEAF Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Te^q, xrefs: 031EBF75

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 799a52ca2591662fa3f7d547e0388c1eb2d56a67830b6c941b591aa85003fafe
Instruction ID: bbb0058045c374ecfbea1d6437d8e01fe5c12255437c04105ab77aca7b3e53a8
Opcode Fuzzy Hash: 799a52ca2591662fa3f7d547e0388c1eb2d56a67830b6c941b591aa85003fafe
Instruction Fuzzy Hash: B7418B387002148FD744EF29C598A6EBBE6FF88710F2585A8E406DF3B5CA30EC018B80

Function 031E2B10 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

LR^q, xrefs: 031E2B35

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 90c259dc6b2c738d858b59606e46e8388ff241f08163dd44b30d4d3809a3a68b
Instruction ID: a32011d7435b18d09096eb22a79a15591590400750d2cbab46b0cdd32da94769
Opcode Fuzzy Hash: 90c259dc6b2c738d858b59606e46e8388ff241f08163dd44b30d4d3809a3a68b
Instruction Fuzzy Hash: EC310C757112058FD709AB36D45466E37A7EFC9A04B2085B8D14A8F3A4DE35DC438B8A

Function 031EBEC0 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

Te^q, xrefs: 031EBF75

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 3897a905c8f3b9b51036937976c07a09a9d867bfe163b9b2aa3096818771c773
Instruction ID: f052013e97196e735b62801bdcaa880b785ff48e1150e9f0fdf128f33a37b32c
Opcode Fuzzy Hash: 3897a905c8f3b9b51036937976c07a09a9d867bfe163b9b2aa3096818771c773
Instruction Fuzzy Hash: 2A313A387106148FD744EF2DC598A6EBBE6BF89710F2585A8E506DB3B5CA71EC018B90

Function 031E2B20 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

LR^q, xrefs: 031E2B35

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: d540aacaf7f2f8b863a2668b4dff67d11e6057060989c6634064328b181d53f0
Instruction ID: 7ee11a7fbf6c3dd11e803f9b5a3b979d81922ce8094c5d2c1726c16279a93b68
Opcode Fuzzy Hash: d540aacaf7f2f8b863a2668b4dff67d11e6057060989c6634064328b181d53f0
Instruction Fuzzy Hash: 6F310C757112058FD709EB36D454A2E37B7EFC9A18B2085B8D14A8F3A4DE35DC438B8A

Function 031E4248 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

(bq, xrefs: 031E4295

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 385d72de7ce8ecb072a7e942874920ad0ce90ad05132e7cb0047ade37b12ab22
Instruction ID: 8ac69f1d86bc2a008113051266c8b437bf86336b730f3d079314a0819787f28e
Opcode Fuzzy Hash: 385d72de7ce8ecb072a7e942874920ad0ce90ad05132e7cb0047ade37b12ab22
Instruction Fuzzy Hash: C8019C367092804FD30BA739642417E7BA3EFD655074885AED441CF395CE259C4A83C6

Function 031E37F0 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

(bq, xrefs: 031E3820

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: ed4a3de1fdb2d549f34f577523954126ea3ba8b9161e0b209397cdf468fbdc66
Instruction ID: 512b1f41f7d678641a2f4adb89d11f364646dcd36347e91c68c6f5fa81514868
Opcode Fuzzy Hash: ed4a3de1fdb2d549f34f577523954126ea3ba8b9161e0b209397cdf468fbdc66
Instruction Fuzzy Hash: 92F059327052505BE709AB79681093E3AAFDBC9230B1887A9E915C73D0DD658C064391

Function 031E1058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e5d59ad880e5e1afc6525cb74ddb011d7e3fa7ec525cd1e77f5864f59d3f07
Instruction ID: 27d9f71a86d896ca6567d1edb5ea2dec1359b13195613aa7d02ab823150a4025
Opcode Fuzzy Hash: 23e5d59ad880e5e1afc6525cb74ddb011d7e3fa7ec525cd1e77f5864f59d3f07
Instruction Fuzzy Hash: B8829074641209DFDB06DBA4E654B7F7B7BEB8C300F205454E801337A8CA3AAD95DB26

Function 031EB0B0 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10782806734a49ac901f3ec4aea22e5541a12e4050eab687c3884cf9319925af
Instruction ID: 6dcda4670c82abb4d1e9a8ef61c66b3bcd0cf38b0c545176a80eb1cd9044c8b4
Opcode Fuzzy Hash: 10782806734a49ac901f3ec4aea22e5541a12e4050eab687c3884cf9319925af
Instruction Fuzzy Hash: B3522734A06200CFC719EF64E5589697BB7FB89305F68C4A9D8068B3A5DB3AEC41DF41

Function 031EBB9B Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90bef5c978fca7914b55ed001f3334c9a02f4cf60798e4eaf1c2689cd61479a
Instruction ID: 9bf9886fa3efe3678844797938efbcd6b110e9a1faa97f937f625da71e94c1d4
Opcode Fuzzy Hash: a90bef5c978fca7914b55ed001f3334c9a02f4cf60798e4eaf1c2689cd61479a
Instruction Fuzzy Hash: 5781C570A07205DFC714DB14FA89929BBABFB88304F19E5A8D9158B329C779EC49CF41

Function 031E385B Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75729fbd41049455d06b75c1d883d8fa047166a83ef3312181558396f687c3f7
Instruction ID: 25844b85f37f45c6db392de817b1b5be6823e80bbb6a234c75401e72293ea9b4
Opcode Fuzzy Hash: 75729fbd41049455d06b75c1d883d8fa047166a83ef3312181558396f687c3f7
Instruction Fuzzy Hash: 0B613A38A11218EFDB05DFA4E994AADBBB6FF8C310F148465E815A7364DB35EC41CB50

Function 031E5AA0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a38f0b4f9f403f2d0c381843d26b6d9101a421834fd52049632ce20a84b6c57b
Instruction ID: a933661eb3eaa5fef0cba8d27925e4fbdd668e1ea5162ca1d553766c7051c751
Opcode Fuzzy Hash: a38f0b4f9f403f2d0c381843d26b6d9101a421834fd52049632ce20a84b6c57b
Instruction Fuzzy Hash: E1513C74B006058FCB04DF69D998A6EBBF6EF8D314B1141A8E50ADB361DB31EC45CBA0

Function 031E5240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92f8725f061ee392b3843629bc9baae3ac017f9b6fedd2a2ecdf0461daee91d
Instruction ID: bdc12f4620b725aa2fe2c3c5c849bec7d0cd2abcbb9e5f3485d22aa505db1f70
Opcode Fuzzy Hash: c92f8725f061ee392b3843629bc9baae3ac017f9b6fedd2a2ecdf0461daee91d
Instruction Fuzzy Hash: 7B514934A01618DFCB08DFA5D884AADBBB3BF8D315F288469E815AB354DB35DC41CB90

Function 031E5A91 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ecf4e070728ba79b6192dba8d761855d93f62fa079992c7cb1c17f5ea2e91c
Instruction ID: 55f6429a65b808bedd214b006346ac986a00e4f711c09c8255a62185dd0bea57
Opcode Fuzzy Hash: 10ecf4e070728ba79b6192dba8d761855d93f62fa079992c7cb1c17f5ea2e91c
Instruction Fuzzy Hash: 6B418075B006068FC704DF68D998D6ABBF6EF8D214B1580A9E509DB372DB31DC05CB60

Function 031E2850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7727e6c945b8f830489d5963b8cfffa72d7427e65c2c5fe77ef9812a79a5b5
Instruction ID: 22d8704d0794d96b7f58e5a75e48dabea3dae0f45d7a62e60ee4d7a2aa2d45b5
Opcode Fuzzy Hash: ee7727e6c945b8f830489d5963b8cfffa72d7427e65c2c5fe77ef9812a79a5b5
Instruction Fuzzy Hash: C1410974A11208CFDB14EFB5E9949ADBBB6FF8C300F149529E901A7264EB359C46CF50

Function 031E2C48 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41adbcace480131cd7c041de867aa5846e0760c503059e498531e02487e7f6d0
Instruction ID: 85ac647a922173aa42c24ff7d77acb4224e734dd77f0474fd3f0bb667345ba43
Opcode Fuzzy Hash: 41adbcace480131cd7c041de867aa5846e0760c503059e498531e02487e7f6d0
Instruction Fuzzy Hash: BD418A74A012098FCB02DFA8E8946EEBBBAFF4C314F145565D504A7364DB369D42CF90

Function 031E2843 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d23a85b5de03f99d08c5fa52bf0ef574712cd85ce9f7f8d71ee0c71ccdae63
Instruction ID: 7b0d96b70ab9fc5175e90663ca8200503cbc7c9eb89d8e22cdaa1245ccc904b3
Opcode Fuzzy Hash: 80d23a85b5de03f99d08c5fa52bf0ef574712cd85ce9f7f8d71ee0c71ccdae63
Instruction Fuzzy Hash: 34314C30A11208DFDB04EFB4E994AEDBBB6FF8C300F149529E501A7264EB359886DB50

Function 031E5308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5266357622f6bb11ef67aefbcb49573475dc0ff5e3c65758a63bb6076c5010e7
Instruction ID: 80bf3c3a9c04467f2525ae28932822189e97ce50e83e1c09f2275222afa5bd81
Opcode Fuzzy Hash: 5266357622f6bb11ef67aefbcb49573475dc0ff5e3c65758a63bb6076c5010e7
Instruction Fuzzy Hash: 36411A74A016189FCB04EFA5E894AADBBB3FF8D315F248465E815A7360DB35DC42CB50

Function 031E4B50 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3376aa1379eabaa463631502844f25f6ae1af9c6932f5cf20e17f37e19a779c0
Instruction ID: b5ef10cd4e0002b475b55d035e29c955e1e0fa767dc44e73029dbaaae9693f49
Opcode Fuzzy Hash: 3376aa1379eabaa463631502844f25f6ae1af9c6932f5cf20e17f37e19a779c0
Instruction Fuzzy Hash: 532146302057415FCB06EB39E994AAEFBA6EFC8210B448A79D0058F364DF60ED4D8B94

Function 031EB0A4 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5dc279fbb2db466c0ec0da98bf413fa2327681d4b4b0364962deca315436d1
Instruction ID: d126effce2e9f8d5b3ee11707acf07af551d98ac871fcd18afd16cfcec927139
Opcode Fuzzy Hash: 9f5dc279fbb2db466c0ec0da98bf413fa2327681d4b4b0364962deca315436d1
Instruction Fuzzy Hash: 4B31D4346113188FCB04DB78E9946ADBBF6FFC9314F448629D0069B394DF759C098B91

Function 031E2C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ba6e6812cc874e3ef2db967d84bfd658d5dfd19e8d81eabcbddf51c12f5337
Instruction ID: 58bbba8350dd4e8c43d711da68b2f1b5f6cd751d3a2194bf812ab0bca5007298
Opcode Fuzzy Hash: 91ba6e6812cc874e3ef2db967d84bfd658d5dfd19e8d81eabcbddf51c12f5337
Instruction Fuzzy Hash: 1F311674901209CFDB05DFA8E984AAEBBBAFF4C310F105564E505A7364EB35AD85CF90

Function 031E288D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3d4590d9053ac6ab801f825eb385376d2ecfe1895384b7d0906df3a8c1bfac
Instruction ID: b51240d965dfe1868431b98d463f8327ab1ae4935ccbf3fe6c319d3fbee33afa
Opcode Fuzzy Hash: fb3d4590d9053ac6ab801f825eb385376d2ecfe1895384b7d0906df3a8c1bfac
Instruction Fuzzy Hash: 20310E74A11218DFDB14EFB5E994AACBBB6FF8C300F14A529E501A7264DB359885CF10

Function 031E5C43 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934cef96f5174d26aa0c24ce86de7c4e4bdcb7149d03e7d4ea278f07d80771cd
Instruction ID: 2873652ca3a4660ad3a62b2cdb3c6fdf71c4b5cd7b163d45b5276e0b43d189ed
Opcode Fuzzy Hash: 934cef96f5174d26aa0c24ce86de7c4e4bdcb7149d03e7d4ea278f07d80771cd
Instruction Fuzzy Hash: 4721C130A042988FDB05CBA9C598BCDBFF6AF0E314F1940A5E001AB262C776DC44CB60

Function 031E4B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb59656190882acd35c7a7ace639b8ed048ee0b0bc67494412707768c369189d
Instruction ID: 9d4d5bec768193fa31bce7aa034464751ec4ee5ecbcbd5dce119012df01dc7c6
Opcode Fuzzy Hash: cb59656190882acd35c7a7ace639b8ed048ee0b0bc67494412707768c369189d
Instruction Fuzzy Hash: 8021C3342113055FDB05EB38E990A6EF7A6EBC4310B408A38D0158F368DF70ED8D8B94

Function 031E4237 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2370063f4d3b3f234e48441d6304ee2541f05ce5b620f3135d846c67db6b2eb2
Instruction ID: d44a1b6ef287be9d5831cd884dba25ad04551cbd21d86d735fc90886ab1aba89
Opcode Fuzzy Hash: 2370063f4d3b3f234e48441d6304ee2541f05ce5b620f3135d846c67db6b2eb2
Instruction Fuzzy Hash: 0311553A3052041FD719E77AB8605BEBBA7EBC8550B488979E405CF340CF216C0A4799

Function 031E2908 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332172f07824c9115ad49fe52a91f7944f8394e39d9936a219f9808447dc443a
Instruction ID: 02cb716281b74da8d35421fd48a4f45cdd400bd24190ba4e09826811d4e7f872
Opcode Fuzzy Hash: 332172f07824c9115ad49fe52a91f7944f8394e39d9936a219f9808447dc443a
Instruction Fuzzy Hash: 27211934E112188FDF14EFA4E9909ACFBB6FF8C300F009529E915A7268DB359846CF11

Function 031E6888 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e378557c20740f0ef1ed23a469442c810a5536e4da7ef086e01ec4253488fa0
Instruction ID: 0eadde6e57e6e3a95b85ed2e730690d59e6d9ddd4e28ed333ed040eb68c15b00
Opcode Fuzzy Hash: 9e378557c20740f0ef1ed23a469442c810a5536e4da7ef086e01ec4253488fa0
Instruction Fuzzy Hash: E021DF31900705CFDB10DFA4C948BAEFBF6BF59305F9480AAD405AB252CB769E45CB61

Function 031E5C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac72307f5ce62f32d01f24e7f3fbbbce6ae4106c0f7eb8ba08ce7248d91eb3b
Instruction ID: 4c1637685eb370d017e596bc2edf79ff913e394fd13cce7f924ea4fbea0c4638
Opcode Fuzzy Hash: dac72307f5ce62f32d01f24e7f3fbbbce6ae4106c0f7eb8ba08ce7248d91eb3b
Instruction Fuzzy Hash: 1B214A35A002188FDF14DBA9C598ADDBBF6BF4D314F2400A5E505BB361DB76AD84CBA0

Function 031E296A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850b4d1007d86b07c2955e67157c5c1a799497c587ebb3c77c695920c2d3ba9f
Instruction ID: 3e6522e3ebe4e08ede8febf6bb5874677660c80f7dc86414bc2cff8942149085
Opcode Fuzzy Hash: 850b4d1007d86b07c2955e67157c5c1a799497c587ebb3c77c695920c2d3ba9f
Instruction Fuzzy Hash: 9821B334A112189FDF14EFA4E994AACBBB6FF88300F105529E915A7364DB359D85CF10

Function 031E41A2 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d71b0211247cc4801285345cd709154d37984b8e29539c94ca86c3abfcd504d
Instruction ID: 7fe748732fe868c7a975595ed03ae4fa8253e446b9d490dd9288756d20fee3f9
Opcode Fuzzy Hash: 1d71b0211247cc4801285345cd709154d37984b8e29539c94ca86c3abfcd504d
Instruction Fuzzy Hash: FA01903970D3845FD70BA776AC741AE3FBAEBCA11075844EBE405DB381CE215D0687A6

Function 031E32E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e8b20b6ef979d0dcc3aed81006f84c9909fba2656db09fefd1804433bc9c4b
Instruction ID: e4d09ccc98e6a724989c740fbc574c6fee44187f71198134043145fcbbde03d7
Opcode Fuzzy Hash: 56e8b20b6ef979d0dcc3aed81006f84c9909fba2656db09fefd1804433bc9c4b
Instruction Fuzzy Hash: D611C439A152488FDB05DBB8FC1979D7FB6EB8D310F048829E9119B280DF7A1905DB51

Function 031E5911 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beaffbd7e8734a24a4f1cba7d9b1aa0ae2e6ff0b1b881ac345a473c94d7453e4
Instruction ID: 14aaa3afbfe08d6ee6c361208329f00db6cabc770ba9080df0ed524315057be9
Opcode Fuzzy Hash: beaffbd7e8734a24a4f1cba7d9b1aa0ae2e6ff0b1b881ac345a473c94d7453e4
Instruction Fuzzy Hash: E301D2367056405FC312DB25F8A4899BFBADF8B26531D80EAE404CB352DA25CC01C7A0

Function 031E5940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ec57798b0748522f2f73d52990c71bd396650a5d4fc5b5286db3da7ef89db8
Instruction ID: 8bf3694e3a0bb0b21cfa861b6bbcf2debf69a5bdcbe7197fad531ba8e5c526b8
Opcode Fuzzy Hash: 48ec57798b0748522f2f73d52990c71bd396650a5d4fc5b5286db3da7ef89db8
Instruction Fuzzy Hash: 5A01A4763112148FC714EB69F49486DB7BAEFDE66232485BAE605D7350CE31DC0197E0

Function 031E32F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d5aa5a95e484edbb9a93e102cd1b5e75955747cab73d0043aedc39414a6745
Instruction ID: 166d534dab9958f34f7ac4b165b4d1bcc5169331eaa21cf98c8af719c16697e5
Opcode Fuzzy Hash: 10d5aa5a95e484edbb9a93e102cd1b5e75955747cab73d0043aedc39414a6745
Instruction Fuzzy Hash: 85010079A212488BDB04EBB4F8597AE7FBAEB8D311F008428E5029B380DF795D05DB51

Function 031E2A90 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1214d40c5ecaecf8f54fbbae4aa1c9da5f8c2b9accd0f0c154512a6c3a5116
Instruction ID: c6411547d88a4888137919b99c5c427a6212c9077d1cb7db8ca80c1c4a78f1d9
Opcode Fuzzy Hash: 8d1214d40c5ecaecf8f54fbbae4aa1c9da5f8c2b9accd0f0c154512a6c3a5116
Instruction Fuzzy Hash: C9F069796207048FC715EB38D51888ABBE6FF85614710C9A9D18ADF764EB71EC088BC1

Function 031E6388 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d3571380be161320bee2ae55a510f4cc572374ce5557110b87e78c646c13ff
Instruction ID: 2c64d11832d87dc793f83a6330303b6dfc6c58c47c7ef41dfe6af54004e6a8b1
Opcode Fuzzy Hash: f6d3571380be161320bee2ae55a510f4cc572374ce5557110b87e78c646c13ff
Instruction Fuzzy Hash: 65F0B474E0120CBFCF50EFB8E9456ADBBB1EFA9300F6091A49405E7340EA305F01A751

Function 031E1FF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee710f3a9a54a01ba22d5204031db42025a869ddc2b9a2e280b35f0a4815098
Instruction ID: 6bf443340aed20dc923326c2ac0a01fc1b04537e278594f570f83a656d47dd97
Opcode Fuzzy Hash: 1ee710f3a9a54a01ba22d5204031db42025a869ddc2b9a2e280b35f0a4815098
Instruction Fuzzy Hash: EBE065357052444FC7056779A418895BFE5DF9A61230648EAE106C7362D9768C06D751

Function 031E6398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a391b4098464ddebacaff61cfeb8c738b80334e0afe03e19da38af182eea65
Instruction ID: 4caa8448f6e8c6c7fe65a9790742a5fc41c7ff9c989e364262797fd943e30ea9
Opcode Fuzzy Hash: 92a391b4098464ddebacaff61cfeb8c738b80334e0afe03e19da38af182eea65
Instruction Fuzzy Hash: F8F08234E1120CAFCB00EFA8E5405ADBBB5EF98200F5081A89409A7340DB305E049B41

Function 031E2D93 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37de362db64123893870c9d76b3e201a4211d1ca95435006d319afbc53f5521b
Instruction ID: ca025c628d486c05147678dab45f29efda00d9bdc2b78b1c1f2fe6d45999a777
Opcode Fuzzy Hash: 37de362db64123893870c9d76b3e201a4211d1ca95435006d319afbc53f5521b
Instruction Fuzzy Hash: 6BF08C35E100088F8B84EFB8D4096E9BBF4EB4C210B1180B9D619E7301EB308D018B92

Function 031E2DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fcc9b6d2854302ca8e5814afb9821d62863e617bd5f0080858efdf93d4b34af
Instruction ID: 7e5421949d4ab481b5baedb51485b05968d67b4b64aba31f14a184848574d114
Opcode Fuzzy Hash: 4fcc9b6d2854302ca8e5814afb9821d62863e617bd5f0080858efdf93d4b34af
Instruction Fuzzy Hash: ADE0ED75E101188F8B84EFBCD5056DEBBF9EF49210B5140BAD619E7350EB709D018B92

Function 031E2008 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9577ee937187280565c4c112eb02bedacad423453dae872d6f9ff80ff60e48a5
Instruction ID: 9f3aa0832efb6c10d1862f1bf3b3588ba39273fbacba1aaa3c2a41af18d4101d
Opcode Fuzzy Hash: 9577ee937187280565c4c112eb02bedacad423453dae872d6f9ff80ff60e48a5
Instruction Fuzzy Hash: 64D017357502189FCB146ABEE41C85A7BEAEFC962231148AAF50AC7320DE75DC0187A1

Function 031E37EF Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9209db017bfcd88725d40fa3be40c45178cd3df4815659d0c0e7068f06aee9c
Instruction ID: f102a5e71d36bfbf31c80c8067ae021c88e4730ea718201154fc67d06e8986c6
Opcode Fuzzy Hash: c9209db017bfcd88725d40fa3be40c45178cd3df4815659d0c0e7068f06aee9c
Instruction Fuzzy Hash: 2ED05B7771021057EB159599B905A7A239F9BCC635B0C4566FA09C3250EE658C015350

Function 031E6469 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e970421c9d1144ff5f628649516013968629834c327b206699c7b24b3f3837
Instruction ID: 9fa1515310a39ed85340f2f510c60fd752a7f25a83cd249349e7fe499c8417c6
Opcode Fuzzy Hash: e6e970421c9d1144ff5f628649516013968629834c327b206699c7b24b3f3837
Instruction Fuzzy Hash: 4CD01775A586046FC304CB28E494812B7FAAF9D310B1184A9E129C7376DA29EC42875A

Function 031E66CB Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58513af893ea3885d282b50a512df6b82bbddff62e5003449f85c5dbb319b4b9
Instruction ID: 884b462acee5d0085c9c7dc897bb70e4a5137c101535cd4376aa0c6f87cd4547
Opcode Fuzzy Hash: 58513af893ea3885d282b50a512df6b82bbddff62e5003449f85c5dbb319b4b9
Instruction Fuzzy Hash: 84D0123672502467D604727CF8553A956DECBEC571F5942BBF502E7344CE504C412395

Function 031E6478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f0e8cc1df8652e6180b7a9dcc65d1cdc9d5ad4038b5e73f98d246619c1bda2
Instruction ID: 10e1df0d2c9e689ddc2d483cc608ee96dd6d5ec2e55c76d29330397c53c07dcb
Opcode Fuzzy Hash: 81f0e8cc1df8652e6180b7a9dcc65d1cdc9d5ad4038b5e73f98d246619c1bda2
Instruction Fuzzy Hash: F2C012747402044F8604DB5CE08482573EAEB8C71071004B4E529C7339CE20EC818619

Function 031E5640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3489229123.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_31e0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7888a7fd8cb7dfba8e7448086a550989cf7fbdf1fe354e1db7ea8767284277b7
Instruction ID: 31b0ce9960f169df3d1beaa934af5c6e6450d9b402cfed6914cbd9b198803557
Opcode Fuzzy Hash: 7888a7fd8cb7dfba8e7448086a550989cf7fbdf1fe354e1db7ea8767284277b7
Instruction Fuzzy Hash: 26B02B3011020D579A000515BC094217F1EEB4501D3044194BC0800100FE23C4104080

Analysis Process: GamePall.exePID: 2112, Parent PID: 3524COMMON

Executed Functions

Function 017B0EE4 Relevance: 1.0, Instructions: 1023COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3422632345.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_17b0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89af05e1bbb744109057a892203ea27307c9b859478fb49bc7730537bbac1e80
Instruction ID: d3946d2babdd1dff1a4dfc76037c8426a76bac98c989b0fcac9e5e4f5b57eb94
Opcode Fuzzy Hash: 89af05e1bbb744109057a892203ea27307c9b859478fb49bc7730537bbac1e80
Instruction Fuzzy Hash: B082E574B40209DFDB05DBA8E658B6E7B77EB89300F104454EC01377A8CA3AAD95DB36

Function 017B1058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3422632345.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_17b0000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd3230be28a6da6ad389f409463a3e29e5c1f198c4cc7f178168ae97911028e
Instruction ID: 1c625186e676764dbd46abf5c17929f72ebf016b2ddc791765ceb6ff2cce03dc
Opcode Fuzzy Hash: 5fd3230be28a6da6ad389f409463a3e29e5c1f198c4cc7f178168ae97911028e
Instruction Fuzzy Hash: C182C574B40209DFDB05DBA8E658B6E7B77EB88300F104454EC0137768CA3AADA5DB36

Analysis Process: GamePall.exePID: 3584, Parent PID: 3468COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	28
Total number of Limit Nodes:	0

Executed Functions

Function 0112D1D7 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0112E090

Memory Dump Source

Source File: 00000016.00000002.3862691245.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1120000_GamePall.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a24f84785c6a9fae5d2cdbe44657e98ae06bcf94896926751768068efa9e153a
Instruction ID: 8e1781b8f9abea4a17c4407a86e1b2e1efcba67700958d2218cfa601d18cb55b
Opcode Fuzzy Hash: a24f84785c6a9fae5d2cdbe44657e98ae06bcf94896926751768068efa9e153a
Instruction Fuzzy Hash: D321FEB28003598FCB24CFA9D848BEEFFF4EB09320F10846AD158A3206D3349595CBA4

Function 0112D130 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0112D5FE,?,?,?,?,?), ref: 0112D6BF

Memory Dump Source

Source File: 00000016.00000002.3862691245.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1120000_GamePall.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4896d7801895d0c2c7c110c484aff3fa2cf00c3fce7675c65d16c462840aaa48
Instruction ID: cf4b07bfb0a8992b9764e4731580eca45bbcd09a9ec4c93208c6e9c5bac15e5c
Opcode Fuzzy Hash: 4896d7801895d0c2c7c110c484aff3fa2cf00c3fce7675c65d16c462840aaa48
Instruction Fuzzy Hash: 8B21E4B5D00218AFDB10CF9AD584ADEBFF8EB48320F14841AE958A7310D374A954CFA5

Function 0112D630 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0112D5FE,?,?,?,?,?), ref: 0112D6BF

Memory Dump Source

Source File: 00000016.00000002.3862691245.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1120000_GamePall.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d5735b8a1f8a65c0c85cf50580329525b1749855208af0a695687ec111b51563
Instruction ID: dfc9468cf3bad6f9f76d9e6aa91fd97ba369ba9235d692cd1e1beb8701ee2e2b
Opcode Fuzzy Hash: d5735b8a1f8a65c0c85cf50580329525b1749855208af0a695687ec111b51563
Instruction Fuzzy Hash: 8421E6B5D00218AFDB10CF9AD584ADEBFF4FB48310F14841AE958A7350D374A954CFA4

Function 0112D1E4 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0112E090

Memory Dump Source

Source File: 00000016.00000002.3862691245.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1120000_GamePall.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 39aff5be1537db7040daf948f79df9b0532d9a6c195d3254f116f8bf9f9e89d6
Instruction ID: 2945395b06d34c4ab8667bf2f61a97a3a61b0cf2f5e4eff220af330ca5bc2e5a
Opcode Fuzzy Hash: 39aff5be1537db7040daf948f79df9b0532d9a6c195d3254f116f8bf9f9e89d6
Instruction Fuzzy Hash: 231146B2900659DFDB20DF9AC845BDEBFF4EB48320F108429E558A7350D379A944CFA5

Function 0112E020 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0112E090

Memory Dump Source

Source File: 00000016.00000002.3862691245.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1120000_GamePall.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 40f73970e38801b8611b0af28c76031a79a17ba6edc6c19c2d9c9df5d29199d1
Instruction ID: 69163a2864bc311cd69888b8e4b4cd37a4da4cf17c6d7c2cd01c5cfa6617c35b
Opcode Fuzzy Hash: 40f73970e38801b8611b0af28c76031a79a17ba6edc6c19c2d9c9df5d29199d1
Instruction Fuzzy Hash: 0D1137B69002099FDB20DF9AC944BDEBFF4FB48320F108429E558A7250D379A544CFA4

Analysis Process: GamePall.exePID: 4584, Parent PID: 3468COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	14
Total number of Limit Nodes:	0

Executed Functions

Function 0295D130 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0295D5FE,?,?,?,?,?), ref: 0295D6BF

Memory Dump Source

Source File: 0000001B.00000002.3912255957.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2950000_GamePall.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 095a880a08d4f914b792079ae3b2440d2e1764f4eb75df5eda93230f5d33c18a
Instruction ID: 9277a0c815eccc11f83e582a469f4d241178dc7ec40ad70463b63f834c950f6e
Opcode Fuzzy Hash: 095a880a08d4f914b792079ae3b2440d2e1764f4eb75df5eda93230f5d33c18a
Instruction Fuzzy Hash: F72103B5901218AFDB10CF9AD584ADEBBF8EB48320F10841AE918A3310D374A940CFA5

Function 0295D630 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0295D5FE,?,?,?,?,?), ref: 0295D6BF

Memory Dump Source

Source File: 0000001B.00000002.3912255957.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2950000_GamePall.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e16e9527a7f92f3c8a72ef8fad747667f0156711cef6125616b12d266ecfd8d7
Instruction ID: 8a4efe5e394f743046fb3e0adea212a662351a1961dc0e8eeb9e003148664155
Opcode Fuzzy Hash: e16e9527a7f92f3c8a72ef8fad747667f0156711cef6125616b12d266ecfd8d7
Instruction Fuzzy Hash: 052105B59012589FDB10CF9AD584ADEBFF8FB48320F14801AE958A3210D374A944CFA5

Function 0295E028 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(?,?,?,?), ref: 0295E090

Memory Dump Source

Source File: 0000001B.00000002.3912255957.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2950000_GamePall.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 4e6e734a4d70fc1295638eb48137f7c43d339a5e8d1f23ea1e55514dde48bbef
Instruction ID: 87d3bc2d86470b9b7d855748c766d6142f7a6027d257f97b7846fd4a3d0a9059
Opcode Fuzzy Hash: 4e6e734a4d70fc1295638eb48137f7c43d339a5e8d1f23ea1e55514dde48bbef
Instruction Fuzzy Hash: 5A1116B19002599FCB20DF9AC844BDEFFF8EF48320F108429E998A7250D375A544CFA5

Analysis Process: GamePall.exePID: 3872, Parent PID: 3468COMMON

Executed Functions

Function 01624F58 Relevance: 7.9, Strings: 6, Instructions: 389COMMON

Download Yara Rule

Strings

(bq, xrefs: 016251CD
(bq, xrefs: 016255A3
(bq, xrefs: 01625056
(bq, xrefs: 01625082
(bq, xrefs: 016255CF
(bq, xrefs: 016251F9

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq$(bq
API String ID: 0-3607145362
Opcode ID: 94feebba4a6779bd22304c58c4d140d1e147e0b72f4962a96e87203fc377ccf5
Instruction ID: 9907822e6cca40a6d7e095f930b5f0d8aa8b7ff9e40e08ed062bb6958868efde
Opcode Fuzzy Hash: 94feebba4a6779bd22304c58c4d140d1e147e0b72f4962a96e87203fc377ccf5
Instruction Fuzzy Hash: EBE17030A016298FDB15DF69D8546AEBBF2FF88311F14C069D806AB395DB389C42CF95

Function 01625640 Relevance: 4.0, Strings: 3, Instructions: 215COMMON

Download Yara Rule

Strings

(bq, xrefs: 01625655
(bq, xrefs: 0162589B
(bq, xrefs: 0162586F

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 2c8538271384033c72ba5b89f2853429fc68d633cba869c3f1d8c8c2fdc8652e
Instruction ID: 4ab98cd8aa22796dd52603fdd4d71094b5eca6960b3b70fd1b168ecbbe7030db
Opcode Fuzzy Hash: 2c8538271384033c72ba5b89f2853429fc68d633cba869c3f1d8c8c2fdc8652e
Instruction Fuzzy Hash: 7381CF30B006258FC714EF69D8549AEBBF6BF89600B258069E406EB361CF74DC06CF50

Function 01623750 Relevance: 3.8, Strings: 3, Instructions: 88COMMON

Download Yara Rule

Strings

(bq, xrefs: 016237B2
(bq, xrefs: 01623820
(bq, xrefs: 01623786

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 9b27482e0cfb15682174c2db100366cae71207a675f91aafae3a38e7e23c0368
Instruction ID: f3c3f74e1d9de29f9d4079f648624a31047af7c32b920150d05197dca1c09eb0
Opcode Fuzzy Hash: 9b27482e0cfb15682174c2db100366cae71207a675f91aafae3a38e7e23c0368
Instruction Fuzzy Hash: 7F214932B051A44FD71AAB7D981013E3BE7FBCA260318816DD906DB7D1CE388C074796

Function 0162B0B0 Relevance: 1.9, Strings: 1, Instructions: 680COMMON

Download Yara Rule

Strings

eIq^, xrefs: 0162B23E

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID: eIq^
API String ID: 0-3224030321
Opcode ID: b341c436be9269e1309378c0660ca8b73df0957c451cf146f4b2f33a17b9702e
Instruction ID: 31bf7ccbb9455fbfe60cac5b8ac2890a43c560075c99c22fef0f4331ae001c1b
Opcode Fuzzy Hash: b341c436be9269e1309378c0660ca8b73df0957c451cf146f4b2f33a17b9702e
Instruction Fuzzy Hash: 01527730A11211CFCB28EF28D94892D7BB2FB84711B658579D81A9B365DF39EC86CF41

Function 01622B10 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01622B35

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: dac1d39f7fee949435657d2bd6460e8a6359e8f21c8876990ea0a4fccae6ec55
Instruction ID: 53763d1c51606083356969e62cc63bfab72e56f6a3847b9e9eee767c855456d0
Opcode Fuzzy Hash: dac1d39f7fee949435657d2bd6460e8a6359e8f21c8876990ea0a4fccae6ec55
Instruction Fuzzy Hash: F5310A717102058FD709EB3AD45461E37A2EBC9A09720817CD04A8F3A8DE399C43CB8A

Function 01624237 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

(bq, xrefs: 01624295

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 321ce56c53c6bdfeedceec1899b8f3a7d265585f64b5faf0f0471093f0234c4e
Instruction ID: 3623edd363b643901345305e4b34c27529e36c0217c7d9d2c26ef4a794c01bff
Opcode Fuzzy Hash: 321ce56c53c6bdfeedceec1899b8f3a7d265585f64b5faf0f0471093f0234c4e
Instruction Fuzzy Hash: 56016632B051900FD3069BB9A85426D2B93EFD2611B0885AEC446CB755CE78984B8B81

Function 01621049 Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83d1be0a0330374bbe77f2d1404e60bc123fb04245b220fe8751cd9c3fdff51
Instruction ID: a68b61c8ceffaaa9068555cbc2641c8268ee88f8e2b1febd4fafb29bbc684fcf
Opcode Fuzzy Hash: a83d1be0a0330374bbe77f2d1404e60bc123fb04245b220fe8751cd9c3fdff51
Instruction Fuzzy Hash: 93829074640209DFDB06DFA4D654B6E7B77EB88300F104478E80137BA8CA7EAD95DB26

Function 01621058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377421f43632a7aff784335b57b6adf7be5b15b20b858676f3f93e0c1f754870
Instruction ID: 00a5e1b7a8fc665fa036acf0ae285b1b6d624be678500e8630a7d7fa44f9a6d5
Opcode Fuzzy Hash: 377421f43632a7aff784335b57b6adf7be5b15b20b858676f3f93e0c1f754870
Instruction Fuzzy Hash: C6829074640209DFDB06DFA4D654B6E7B77EB88300F104478E80137BA8CA7EAD95DB26

Function 01625240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433fbfa960c13bad927ca8a26f81a5d6891968a67630c8470fca389a137eb9be
Instruction ID: e609ab9a0b948146940f1e9f6afd4006b602048be6e55f2835d742d9421ff87b
Opcode Fuzzy Hash: 433fbfa960c13bad927ca8a26f81a5d6891968a67630c8470fca389a137eb9be
Instruction Fuzzy Hash: AB512C70A016289FDB14DFA8D894AEDBBF2BF88311F148069E806A7354DB349C41CF90

Function 01622850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7089503ac5409990fd5ca1c6cf53abc9f42627854be1ceabf86e4851918708
Instruction ID: 682ba8fa20271d2de5713e1bb8cf57d9884554cf7423dac8d75b53584a7d00fb
Opcode Fuzzy Hash: cd7089503ac5409990fd5ca1c6cf53abc9f42627854be1ceabf86e4851918708
Instruction Fuzzy Hash: E941F774E10218CFDB14EFA9D99499DBBB2FF88340F104539D901A7768EB399846CF51

Function 01625308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a008d02229eaaa782ad25a9955ee40c13a11c43562c100975e804be5b62daf
Instruction ID: a75a67126301961b4e8bc357e41282ca6a4c0532753f8e80b1e94b485ef78a69
Opcode Fuzzy Hash: f2a008d02229eaaa782ad25a9955ee40c13a11c43562c100975e804be5b62daf
Instruction Fuzzy Hash: 9241FC74A015249FCB04EFA4E894AADBBB3FF88711F148079E806A7364DB389C42CF50

Function 01622842 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2cb15e1958c8128044ad800cea2e562ee45bcf195903d0b86839c5d8e1e6719
Instruction ID: fbf026905aab16252c6f159f502c72d14053e6c43bebafc07bf07e8fa425125e
Opcode Fuzzy Hash: d2cb15e1958c8128044ad800cea2e562ee45bcf195903d0b86839c5d8e1e6719
Instruction Fuzzy Hash: A6311770E11218CFDB14DFB9D9946EDBBB2FF88340F144529D901A7268EB399846CF11

Function 01626388 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33fb80f1536540804274f2ec58a1ee3436fba0d1c853716bf1947fb7acefb86d
Instruction ID: c7341b174c8da7d873a375eb16ef6b3c84de931ac5bd02b631974bf6afa64ed2
Opcode Fuzzy Hash: 33fb80f1536540804274f2ec58a1ee3436fba0d1c853716bf1947fb7acefb86d
Instruction Fuzzy Hash: 102129308676199FCF09DBB8CC802BDFBA1FB53304B41A87DCA08D715ED9208A95DB52

Function 01622C48 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7e031bb50a5a0726b1ad3b4d635d61b22f0af399c51f13b45a1054415bd357
Instruction ID: dfc6f2f281b2199cc8931576f9e97963bce9ddfb79cff81479fdaec3585e005e
Opcode Fuzzy Hash: 9c7e031bb50a5a0726b1ad3b4d635d61b22f0af399c51f13b45a1054415bd357
Instruction Fuzzy Hash: B741047490020A8FCB45DFA8D994AAEBBB2FB88314F104539D505B7764EB38AD85CF91

Function 0162B0A0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11299164a3a5f36e8461f29f47ce4e66e29e08ab5f762f440adb92c6da4635bc
Instruction ID: 2b5ca6c265c1d1f7dacd6a9991183e50769b7a4908ecff126e69aec5127ca49c
Opcode Fuzzy Hash: 11299164a3a5f36e8461f29f47ce4e66e29e08ab5f762f440adb92c6da4635bc
Instruction Fuzzy Hash: 33319131A102158FCB14DB78D8846ADBBF6FBC4310F50853DD416AB3A5DF75AC098B91

Function 01624B50 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 267f62766ad91eba2ad7c757bad3eb400ca84167bf8c01bb0216bafd9440f397
Instruction ID: e5270f2ad5d2cabf457ef5ff211b8953f0b488686cf486b2aaae41b75a361929
Opcode Fuzzy Hash: 267f62766ad91eba2ad7c757bad3eb400ca84167bf8c01bb0216bafd9440f397
Instruction Fuzzy Hash: 5621B1316042465FC705EF78E894A5DBBA6FBC1200B048A3DC4069F369DF74ED4E8B96

Function 01622C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cb248f33ea576bf5753ad9f6d4f3a289f0947204810eea00b98786070da747
Instruction ID: 0f9a1dab36fc6dd99b6378a143a2027c600068b4a9ef8e3815f56d712df2ffa1
Opcode Fuzzy Hash: 66cb248f33ea576bf5753ad9f6d4f3a289f0947204810eea00b98786070da747
Instruction Fuzzy Hash: DB31F67490020ACFCB45DFA8D994AAEBBB2FB88314F104539D505B7764EB38AD85CF91

Function 01624B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73480fa57df1ee923fecf3d9b26741bd8aee3dc08f12729c859796d3abe5d96
Instruction ID: 46064e0df78f87667fd8f26faaa703e90a30f155f9f92546ec9a4a18a07310f1
Opcode Fuzzy Hash: a73480fa57df1ee923fecf3d9b26741bd8aee3dc08f12729c859796d3abe5d96
Instruction Fuzzy Hash: 632181312002065FD714EF79E984A6EB7E6FBC0210B048A38D4199F768DF74ED8E8B95

Function 01626888 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b829de9c2d58817dded27b81a3269806aa045d0d71854128fc7de6a03b70b6
Instruction ID: 3b564cbcd641eff01541f030d59cf8c5a2c40c570c837a65c74433f0245163d2
Opcode Fuzzy Hash: 83b829de9c2d58817dded27b81a3269806aa045d0d71854128fc7de6a03b70b6
Instruction Fuzzy Hash: F2218C71E00616CFEB14DBA4CD48BEEBBF1EF45304F1080AAC806AB251CBB59A45CF61

Function 016241A2 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbd0a334833beeed3ba96d0805ca1729fee4f3a049b3d8aecdca35bcf746d02
Instruction ID: 17f3d3a386adbfacd1491d9a2ed4f9e4f077db53ec253377f94719c627446182
Opcode Fuzzy Hash: 1cbd0a334833beeed3ba96d0805ca1729fee4f3a049b3d8aecdca35bcf746d02
Instruction Fuzzy Hash: C80128317092895FC306ABB5E86016E3FFAFFC6110315449ED405EB346CE214C0AC766

Function 016232E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 484ce750154036c1d306804174ad06ac1e950909edcde86f3be599c11834a893
Instruction ID: ae1b3610d732fa2f69abdf317e24188d5d0d4f45d7671134a6ca4a1cb068902f
Opcode Fuzzy Hash: 484ce750154036c1d306804174ad06ac1e950909edcde86f3be599c11834a893
Instruction Fuzzy Hash: FF111B75A211448FDB08EFB4E858BAD7BB2EB98301F448828D506A7744DF3D5805CF51

Function 01622A80 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9ce55e83d5db330e5aa526bb7d8676c39d96d1fad3dd13d49a2e3721466043
Instruction ID: cb998444277f77fc77cd1140f0b17849dce7be9135f68e0f28ce652392e31235
Opcode Fuzzy Hash: bd9ce55e83d5db330e5aa526bb7d8676c39d96d1fad3dd13d49a2e3721466043
Instruction Fuzzy Hash: EE0156B56107058FC711AF78D41888ABBE5FB85A1471089AED14ADF328EF70E8088BC1

Function 016232F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147e1531f55e9218d1f05995cf02c6bc3a888852d6b6f21d9314b998c6ee3f55
Instruction ID: f5678fc100d3635aee4b8d0801682e6ec32daf1f2d0baba2c748af9f8524ab51
Opcode Fuzzy Hash: 147e1531f55e9218d1f05995cf02c6bc3a888852d6b6f21d9314b998c6ee3f55
Instruction Fuzzy Hash: 7401CC35A212448BDB08EFB4E968B9E7BB6AB8C301F408428D506A7785DF7D5805CF55

Function 016241E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734c0626266f1dee5457cb9821fdd8f2b6cf526b9bdb6cc5fbf088be43a4757c
Instruction ID: 3f86135e21802e1ab900a8cf311b1e9c12770cd3424ec2ecbf26539b8c2b281d
Opcode Fuzzy Hash: 734c0626266f1dee5457cb9821fdd8f2b6cf526b9bdb6cc5fbf088be43a4757c
Instruction Fuzzy Hash: B5E0E53270410A6F9748EBA6B85097F76DAFBC9560754482DE009EB344DF216C0647AA

Function 01626398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa33e2ef71f785fd564daffb50a39d474cff5c00d4a3d48b87f032f492677902
Instruction ID: 4b4dad0c337b41cf4257537749bc496afe4e85d0760dd4793a190355e2cd1584
Opcode Fuzzy Hash: aa33e2ef71f785fd564daffb50a39d474cff5c00d4a3d48b87f032f492677902
Instruction Fuzzy Hash: 0BF01C34A0120DEFCB40FFA8E94465DBBF5FB94200F1081BCA808A7354EA305E459B52

Function 01622D92 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b1e914983097093f38d8976b378216fe9edddf11408e817a2fb8444d712e75
Instruction ID: 8001ef90312bfafd7c58852752367a2e981efb7ce1562a6570bd5926b49d1c7b
Opcode Fuzzy Hash: 60b1e914983097093f38d8976b378216fe9edddf11408e817a2fb8444d712e75
Instruction Fuzzy Hash: F7F0FE75E210198FCB44EFACD40559EBBF4EF49310B1185A9D519D7311EB709A118B91

Function 01622DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c923b99681b42721199c963b62ccda5235369f3e55564eb5550aafd7ad437f3c
Instruction ID: 06cba95eb12ae1fd58c10f371dffebc7020c9cae759ab60b94690c0fefc5308d
Opcode Fuzzy Hash: c923b99681b42721199c963b62ccda5235369f3e55564eb5550aafd7ad437f3c
Instruction Fuzzy Hash: 53E0ED71E101198F8B84EFBCD5056DEBBF5EF48211B1180BAD519E7310EB709D018B91

Function 0162374E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74718632e3c94294d24b44b873a11979b5af1c590a10313d9ad3c8bf71c5272d
Instruction ID: a0305151ab04702fe25963643d08439746c8434bbfdea20dabdad92550f0dd71
Opcode Fuzzy Hash: 74718632e3c94294d24b44b873a11979b5af1c590a10313d9ad3c8bf71c5272d
Instruction Fuzzy Hash: FFE0C236B00624178B29952EA80447B7AEBEBC86713594035EE09CB348EF688C0B67D6

Function 016266C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea07553f6d9646b303d272f4bbc8e20863cbaded346e61ae76f39ff72e642d8a
Instruction ID: b9665276706c095e5b4d3c4b58b4478ecdf0954c18e2d5e7c8c62523de71ecb3
Opcode Fuzzy Hash: ea07553f6d9646b303d272f4bbc8e20863cbaded346e61ae76f39ff72e642d8a
Instruction Fuzzy Hash: 2BD02E3132A2A04FCB01A75CF8840483BE6FECA22230901EBF800DB30ACA249C02D392

Function 01626469 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575986b3cbb48c1eb1973fea4d5a5129c0d520d486b1793ababd82b4f4c301ff
Instruction ID: a9c17a8f51ced2ed21c6856118a30d1bb8fa8b8cc18439837d6a6e7acfe5f10b
Opcode Fuzzy Hash: 575986b3cbb48c1eb1973fea4d5a5129c0d520d486b1793ababd82b4f4c301ff
Instruction Fuzzy Hash: ABE017746682048FC705CBA8D49591577EAEF8D31070109B5E508CB37ADA24EC82CB2A

Function 01626478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3788117223.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1620000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2643d1ac0047713faaf8cd97f61cf086088d1c8f0602aaa2b63a12308a83892a
Instruction ID: 7c9f164f15e365af626822587f5fb0850b903960951b655189ebc2b3d56347ab
Opcode Fuzzy Hash: 2643d1ac0047713faaf8cd97f61cf086088d1c8f0602aaa2b63a12308a83892a
Instruction Fuzzy Hash: 0FC012343802088F8208DBACE084829B3EAEB8C71031040B8E619CB339CE20EC828A19

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NhWAWEhCi7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat

C:\Users\user\AppData\Local\Temp\9FC5.exe

C:\Users\user\AppData\Local\Temp\D57C.exe

C:\Users\user\AppData\Local\Temp\nsk862A.tmp\liteFirewall.dll

C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\INetC.dll

C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\blowfish.dll

C:\Users\user\AppData\Local\Temp\nslCBA9.tmp\nsProcess.dll

C:\Users\user\AppData\Local\Temp\nsw1781.tmp

C:\Users\user\AppData\Local\Temp\setup.exe

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_0

Windows Analysis Report
NhWAWEhCi7.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre