
Windows Analysis Report
OBbrO5rwew.exe

Overview

General Information

Sample name: OBbrO5rwew.exe (renamed because the original name is a hash value)
Original sample name: bdcf37dcbb1947e5a3f6145d47fc67e8.exe
Analysis ID: 1466397
MD5: bdcf37dcbb1947e5a3f6145d47fc67e8
SHA1: cee0cf2eaf723c8980ce2f85b882f78be880da08
SHA256: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a
Tags: 32exe

Detection

LummaC, Poverty Stealer, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • OBbrO5rwew.exe (PID: 4712 cmdline: "C:\Users\user\Desktop\OBbrO5rwew.exe" MD5: BDCF37DCBB1947E5A3F6145D47FC67E8)
    • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • 2391.exe (PID: 4164 cmdline: C:\Users\user\AppData\Local\Temp\2391.exe MD5: BD2EAC64CBDED877608468D86786594A)
      • 4CC4.exe (PID: 6448 cmdline: C:\Users\user\AppData\Local\Temp\4CC4.exe MD5: 60172CA946DE57C3529E9F05CC502870)
        • setup.exe (PID: 5304 cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe" MD5: FF2293FBFF53F4BD2BFF91780FABFD60)
      • 77CD.exe (PID: 6208 cmdline: C:\Users\user\AppData\Local\Temp\77CD.exe MD5: DA4B6F39FC024D2383D4BFE7F67F1EE1)
      • GamePall.exe (PID: 2216 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
  • deetubv (PID: 5304 cmdline: C:\Users\user\AppData\Roaming\deetubv MD5: BDCF37DCBB1947E5A3F6145D47FC67E8)
    • GamePall.exe (PID: 2584 cmdline: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe MD5: 7A3502C1119795D35569535DE243B6FE)
      • GamePall.exe (PID: 3472 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3400 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2 MD5: 7A3502C1119795D35569535DE243B6FE)
      • GamePall.exe (PID: 2128 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3976 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)
      • GamePall.exe (PID: 6000 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4012 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)
      • GamePall.exe (PID: 576 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719944520561396 --launch-time-ticks=5329031925 --mojo-platform-channel-handle=4048 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)
      • GamePall.exe (PID: 760 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719944520561396 --launch-time-ticks=5329056479 --mojo-platform-channel-handle=4108 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)
      • GamePall.exe (PID: 2464 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 4164 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
          • GamePall.exe (PID: 5528 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
          • GamePall.exe (PID: 5416 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 5756 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
          • GamePall.exe (PID: 2664 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 6820 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 3196 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 2508 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 6560 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 2924 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 3308 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 1776 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 5992 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 3860 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 6168 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 5708 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
      • GamePall.exe (PID: 4824 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
      • GamePall.exe (PID: 5660 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
      • GamePall.exe (PID: 616 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
  • deetubv (PID: 5360 cmdline: C:\Users\user\AppData\Roaming\deetubv MD5: BDCF37DCBB1947E5A3F6145D47FC67E8)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
{"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "foodypannyjsud.shop"], "Build id": "bOKHNM--"}
{"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
{"C2 url": "146.70.169.164:2227"}
Source: 00000000.00000002.2113001680.0000000002971000.00000040.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_RedLineStealer_ed346e4c | Description: unknown | Author: unknown
  • 0x3c5a:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 00000000.00000002.2112668303.00000000028B0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_SmokeLoader_2 | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 00000000.00000002.2112668303.00000000028B0000.00000004.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Smokeloader_4e31426e | Description: unknown | Author: unknown
  • 0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Source: 00000000.00000002.2112742292.00000000028D1000.00000004.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_SmokeLoader_2 | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 00000000.00000002.2112742292.00000000028D1000.00000004.10000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Smokeloader_4e31426e | Description: unknown | Author: unknown
  • 0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
(18 further entries not shown)

Source: 9.2.77CD.exe.13916e0.2.unpack | Rule: JoeSecurity_PovertyStealer | Description: Yara detected Poverty Stealer | Author: Joe Security
Source: 9.2.77CD.exe.38d0000.3.unpack | Rule: JoeSecurity_PovertyStealer | Description: Yara detected Poverty Stealer | Author: Joe Security
Source: 9.2.77CD.exe.38d0000.3.raw.unpack | Rule: JoeSecurity_PovertyStealer | Description: Yara detected Poverty Stealer | Author: Joe Security
Source: 9.2.77CD.exe.1389fc0.1.unpack | Rule: JoeSecurity_PovertyStealer | Description: Yara detected Poverty Stealer | Author: Joe Security
Source: 9.2.77CD.exe.1389fc0.1.raw.unpack | Rule: JoeSecurity_PovertyStealer | Description: Yara detected Poverty Stealer | Author: Joe Security
(1 further entry not shown)

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\setup.exe, ProcessId: 5304, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GamePall
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\deetubv, CommandLine: C:\Users\user\AppData\Roaming\deetubv, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\deetubv, NewProcessName: C:\Users\user\AppData\Roaming\deetubv, OriginalFileName: C:\Users\user\AppData\Roaming\deetubv, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\deetubv, ProcessId: 5304, ProcessName: deetubv
No Snort rule has matched

AV Detection

Source: OBbrO5rwew.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\2391.exe | Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: 00000000.00000002.2112668303.00000000028B0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 9.2.77CD.exe.38d0000.3.unpack | Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}
Source: 5.2.2391.exe.d80000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "foodypannyjsud.shop"], "Build id": "bOKHNM--"}
Source: C:\Users\user\AppData\Local\Temp\2391.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\deetubv | ReversingLabs: Detection: 31%
Source: OBbrO5rwew.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.3% probability
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2391.exe | Joe Sandbox ML: detected
Source: OBbrO5rwew.exe | Joe Sandbox ML: detected
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: pedestriankodwu.xyz
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: towerxxuytwi.xyz
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: ellaboratepwsz.xyz
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: penetratedpoopp.xyz
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: swellfrrgwwos.xyz
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: contintnetksows.shop
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: foodypannyjsud.shop
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: potterryisiw.shop
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: foodypannyjsud.shop
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: lid=%s&j=%s&ver=4.0
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: TeslaBrowser/5.5
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: - Screen Resoluton:
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: - Physical Installed Memory:
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: Workgroup: -
Source: 5.2.2391.exe.d80000.0.unpack | String decryptor: bOKHNM--
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_038D1C94 CryptUnprotectData,CryptProtectData,9_2_038D1C94
Source: OBbrO5rwew.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: C:\Users\user\Desktop\OBbrO5rwew.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.dr
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 0000000B.00000002.3946768313.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: 77CD.exe, 00000009.00000002.3325780915.000000000AC9C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.dr
Source: Binary string: h:\work\newContent\secondBranch\DeleteProgram\DeleteProgram\obj\Release\KlMain.pdb source: nstA4F2.tmp.11.dr
Source: Binary string: ntkrnlmp.pdbx source: 77CD.exe, 00000009.00000002.3325780915.000000000AC9C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: 77CD.exe, 00000009.00000002.3287815346.0000000001338000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000C.00000000.3704456419.00000000004A2000.00000002.00000001.01000000.0000000F.sdmp, nstA4F2.tmp.11.dr
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 0000000F.00000002.3847852307.00000000062B9000.00000002.00000001.01000000.00000012.sdmp, nstA4F2.tmp.11.dr
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000012.00000002.3799827521.0000000002B02000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3947089648.0000000000722000.00000004.00000020.00020000.00000000.sdmp, nstA4F2.tmp.11.dr
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: 77CD.exe, 00000009.00000002.3291297735.000000000A619000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\* source: 77CD.exe, 00000009.00000002.3287815346.0000000001338000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: nstA4F2.tmp.11.dr
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb$ source: 77CD.exe, 00000009.00000002.3325780915.000000000AC9C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: nstA4F2.tmp.11.dr
Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 77CD.exe, 00000009.00000002.3291297735.000000000A619000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 0000000F.00000002.3847852307.00000000062B9000.00000002.00000001.01000000.00000012.sdmp, nstA4F2.tmp.11.dr
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000012.00000002.3799827521.0000000002B02000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 77CD.exe, 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp, 77CD.exe, 00000009.00000000.2598908096.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3947089648.0000000000722000.00000004.00000020.00020000.00000000.sdmp, nstA4F2.tmp.11.dr
Source: Binary string: ntkrnlmp.pdb& source: 77CD.exe, 00000009.00000002.3325780915.000000000AC9C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 77CD.exe, 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp, 77CD.exe, 00000009.00000000.2598908096.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Code function: 8_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,8_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Code function: 8_2_004066FF FindFirstFileA,FindClose,8_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Code function: 8_2_004027AA FindFirstFileA,8_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_00C424BD FindFirstFileExW,9_2_00C424BD
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_038D1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,9_2_038D1000
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_038D4E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,9_2_038D4E27
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_038D1D3C FindFirstFileW,FindNextFileW,9_2_038D1D3C
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_038D40BA FindFirstFileW,FindNextFileW,9_2_038D40BA
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_038D3EFC FindFirstFileW,FindNextFileW,9_2_038D3EFC
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | File opened: C:\Users\user\AppData\Local\Adobe\

Networking

Source: C:\Windows\explorer.exe | Network Connect: 186.233.231.45 80
Source: C:\Windows\explorer.exe | Network Connect: 141.8.192.126 80
Source: C:\Windows\explorer.exe | Network Connect: 185.68.16.7 443
Source: C:\Windows\explorer.exe | Network Connect: 127.0.0.127 80
Source: C:\Windows\explorer.exe | Network Connect: 188.114.97.3 80
Source: C:\Windows\explorer.exe | Network Connect: 188.55.174.170 80
Source: Malware configuration extractor | URLs: pedestriankodwu.xyz
Source: Malware configuration extractor | URLs: towerxxuytwi.xyz
Source: Malware configuration extractor | URLs: ellaboratepwsz.xyz
Source: Malware configuration extractor | URLs: penetratedpoopp.xyz
Source: Malware configuration extractor | URLs: swellfrrgwwos.xyz
Source: Malware configuration extractor | URLs: contintnetksows.shop
Source: Malware configuration extractor | URLs: foodypannyjsud.shop
Source: Malware configuration extractor | URLs: potterryisiw.shop
Source: Malware configuration extractor | URLs: foodypannyjsud.shop
Source: Malware configuration extractor | URLs: http://evilos.cc/tmp/index.php
Source: Malware configuration extractor | URLs: http://gebeus.ru/tmp/index.php
Source: Malware configuration extractor | URLs: http://office-techs.biz/tmp/index.php
Source: Malware configuration extractor | URLs: http://cx5519.com/tmp/index.php
Source: Malware configuration extractor | URLs: 146.70.169.164:2227
Source: Joe Sandbox View | IP Address: 104.192.141.1
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_00BD5B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task,9_2_00BD5B80
Source: GamePall.exe, 0000001B.00000002.4096840778.0000000002531000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001D.00000002.4235784260.00000000023C8000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001E.00000002.4212461068.0000000002958000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: GamePall.exe, 00000019.00000002.4179285444.0000000002458000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001F.00000002.4139361869.0000000002511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/activity=4
Source: GamePall.exe, 00000020.00000002.4208742605.0000000002828000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/activity=4P
Source: GamePall.exe, 00000022.00000002.4150017697.00000000026B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/activitynep
Source: GamePall.exe, 00000012.00000002.3806958590.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/activityp
Source: GamePall.exe, 0000001B.00000002.4096840778.0000000002531000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001D.00000002.4235784260.00000000023C8000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001E.00000002.4212461068.0000000002958000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001F.00000002.4139361869.0000000002511000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000020.00000002.4208742605.0000000002828000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000022.00000002.4150017697.00000000026B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: GamePall.exe, 00000014.00000002.3853013528.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000019.00000002.4179285444.0000000002458000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001B.00000002.4096840778.0000000002531000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001D.00000002.4235784260.00000000023C8000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001E.00000002.4212461068.0000000002958000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001F.00000002.4139361869.0000000002511000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000020.00000002.4208742605.0000000002828000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000022.00000002.4150017697.00000000026B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bageyou.xyz
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                Source: 2391.exe, 00000005.00000003.2486443947.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3281328792.000000000AD08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: 2391.exe, 00000005.00000003.2486443947.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3281328792.000000000AD08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2101745849.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.drString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/275944
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/378067
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/437891.
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/456214
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/497301
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/510270
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/514696
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/642141
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/672186).
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/717501
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/775961
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/819404
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/839189
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/932466
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://crbug.com/957772
                Source: 2391.exe, 00000005.00000003.2486443947.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3281328792.000000000AD08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                Source: explorer.exe, 00000002.00000000.2098826618.0000000000F13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                Source: 2391.exe, 00000005.00000003.2486443947.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3281328792.000000000AD08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: 2391.exe, 00000005.00000003.2486443947.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3281328792.000000000AD08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2101745849.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.drString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                Source: 2391.exe, 00000005.00000003.2486443947.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3281328792.000000000AD08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2101745849.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.drString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                Source: 2391.exe, 00000005.00000003.2486443947.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3281328792.000000000AD08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://james.newtonking.com/projects/json
                Source: GamePall.exe, 00000012.00000002.3799827521.0000000002B02000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
                Source: 4CC4.exe, 4CC4.exe, 00000008.00000000.2529865800.000000000040A000.00000008.00000001.01000000.00000007.sdmp, 4CC4.exe, 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp, setup.exe, 0000000B.00000003.3704659140.000000000073C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000B.00000002.3946768313.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, setup.exe, 0000000B.00000000.3405429746.000000000040A000.00000008.00000001.01000000.0000000D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
                Source: 4CC4.exe, 00000008.00000000.2529865800.000000000040A000.00000008.00000001.01000000.00000007.sdmp, 4CC4.exe, 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp, setup.exe, 0000000B.00000003.3704659140.000000000073C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000B.00000002.3946768313.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, setup.exe, 0000000B.00000000.3405429746.000000000040A000.00000008.00000001.01000000.0000000D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2101745849.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2486443947.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3281328792.000000000AD08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.drString found in binary or memory: http://ocsp.digicert.com0C
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.drString found in binary or memory: http://ocsp.digicert.com0K
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.drString found in binary or memory: http://ocsp.digicert.com0N
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.drString found in binary or memory: http://ocsp.digicert.com0O
                Source: explorer.exe, 00000002.00000000.2101745849.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                Source: 2391.exe, 00000005.00000003.2486443947.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3281328792.000000000AD08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: explorer.exe, 00000002.00000000.2100918561.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2101345345.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2101320512.0000000008870000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
                Source: GamePall.exe, 00000012.00000002.3799827521.0000000002B02000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://www.apache.org/).
                Source: GamePall.exe, 00000012.00000002.3799827521.0000000002B02000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://www.apache.org/licenses/
                Source: GamePall.exe, 00000012.00000002.3799827521.0000000002B02000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: nstA4F2.tmp.11.drString found in binary or memory: http://www.codeplex.com/DotNetZip
                Source: 2391.exe, 00000005.00000003.2486443947.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3281328792.000000000AD08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                Source: 2391.exe, 00000005.00000003.2486443947.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3281328792.000000000AD08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                Source: 4CC4.exe, 00000008.00000002.3970320501.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 4CC4.exe, 00000008.00000003.3958611094.00000000005F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xiexie.wf/
                Source: 4CC4.exe, 00000008.00000003.2533160280.0000000003080000.00000004.00001000.00020000.00000000.sdmp, 4CC4.exe, 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.dat
                Source: 4CC4.exe, 00000008.00000003.3958170968.00000000005E8000.00000004.00000020.00020000.00000000.sdmp, 4CC4.exe, 00000008.00000002.3970278482.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, 4CC4.exe, 00000008.00000003.3958684289.00000000005E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.datE
                Source: 4CC4.exe, 00000008.00000002.3970031499.0000000000588000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.datG
                Source: 4CC4.exe, 00000008.00000003.3958170968.00000000005E8000.00000004.00000020.00020000.00000000.sdmp, 4CC4.exe, 00000008.00000002.3970278482.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, 4CC4.exe, 00000008.00000003.3958684289.00000000005E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.datlK
                Source: 4CC4.exe, 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd
                Source: 4CC4.exe, 00000008.00000002.3970320501.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 4CC4.exe, 00000008.00000003.3958611094.00000000005F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xiexie.wf/T
                Source: 2391.exe, 00000005.00000003.2465295788.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465123365.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465051085.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3271665033.000000000A2FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: nstA4F2.tmp.11.drString found in binary or memory: https://accounts.google.com/
                Source: explorer.exe, 00000002.00000000.2103529255.000000000C54A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
                Source: explorer.exe, 00000002.00000000.2100290504.00000000076F8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
                Source: explorer.exe, 00000002.00000000.2100290504.0000000007637000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                Source: explorer.exe, 00000002.00000000.2099568578.00000000035FA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.coml
                Source: 77CD.exe, 00000009.00000002.3287815346.000000000130D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/
                Source: 77CD.exe, 00000009.00000002.3287815346.000000000130D000.00000004.00000020.00020000.00000000.sdmp, 77CD.exe, 00000009.00000002.3287815346.00000000012C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
                Source: 2391.exe, 00000005.00000003.2487900415.0000000001C48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
                Source: 2391.exe, 00000005.00000003.2487900415.0000000001C48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
                Source: 2391.exe, 00000005.00000003.2465295788.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465123365.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465051085.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3271665033.000000000A2FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: 2391.exe, 00000005.00000003.2465295788.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465123365.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465051085.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3271665033.000000000A2FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: 2391.exe, 00000005.00000003.2465295788.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465123365.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465051085.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3271665033.000000000A2FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: nstA4F2.tmp.11.drString found in binary or memory: https://chrome.google.com/webstore
                Source: nstA4F2.tmp.11.drString found in binary or memory: https://chrome.google.com/webstore/
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore/category/extensions
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
                Source: nstA4F2.tmp.11.drString found in binary or memory: https://codereview.chromium.org/25305002).
                Source: 2391.exe, 00000005.00000003.2487900415.0000000001C48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: 2391.exe, 00000005.00000003.2487900415.0000000001C48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                Source: 2391.exe, 00000005.00000003.2465295788.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465123365.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465051085.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3271665033.000000000A2FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: 2391.exe, 00000005.00000003.2465295788.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465123365.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465051085.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3271665033.000000000A2FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: 2391.exe, 00000005.00000003.2465295788.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465123365.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465051085.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3271665033.000000000A2FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B79000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
                Source: 2391.exe, 00000005.00000003.2463379059.0000000001BCE000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2453115813.0000000001BEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/
                Source: 2391.exe, 00000005.00000003.2520017106.0000000001C4A000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2521024009.0000000001C4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/(((
                Source: 2391.exe, 00000005.00000003.2463684320.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2463379059.0000000001BCE000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2453115813.0000000001BEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop//
                Source: 2391.exe, 00000005.00000003.2463684320.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2463379059.0000000001BCE000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2453115813.0000000001BEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/4
                Source: 2391.exe, 00000005.00000003.2538185151.0000000001C3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/6C
                Source: 2391.exe, 00000005.00000002.2563727859.0000000001C3E000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2560718179.0000000001C37000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2561273713.0000000001C3D000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2538185151.0000000001C3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/9s
                Source: 2391.exe, 00000005.00000003.2487461963.0000000001C4C000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2487900415.0000000001C4C000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2485834775.0000000001C48000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2486360083.0000000001C4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/H
                Source: 2391.exe, 00000005.00000003.2463379059.0000000001BCE000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2453115813.0000000001BEE000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2520134793.0000000001C32000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000002.2562969879.0000000001C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/api
                Source: 2391.exe, 00000005.00000002.2562969879.0000000001B8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/api(
                Source: 2391.exe, 00000005.00000003.2453152629.0000000001BD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/api8
                Source: 2391.exe, 00000005.00000003.2520926542.0000000001C32000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2520134793.0000000001C32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/apiK
                Source: 2391.exe, 00000005.00000003.2520074910.0000000001C3B000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2520017106.0000000001C36000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2520270889.0000000001C3E000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2521024009.0000000001C3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/ng
                Source: 2391.exe, 00000005.00000003.2538185151.0000000001C3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/pi6;
                Source: 2391.exe, 00000005.00000002.2563727859.0000000001C3E000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2560718179.0000000001C37000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2561273713.0000000001C3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/piD;
                Source: 2391.exe, 00000005.00000003.2463684320.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2463379059.0000000001BCE000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2453115813.0000000001BEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/piS
                Source: 2391.exe, 00000005.00000003.2520074910.0000000001C3B000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2520017106.0000000001C36000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2520270889.0000000001C3E000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2521024009.0000000001C3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/s
                Source: 2391.exe, 00000005.00000003.2560718179.0000000001C37000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000002.2563575898.0000000001C3B000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000002.2562969879.0000000001BCC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop:443/api
                Source: 2391.exe, 00000005.00000002.2562969879.0000000001BCC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop:443/apiZFPPWAPT.pdfPK
                Source: 2391.exe, 00000005.00000003.2520134793.0000000001BCF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop:443/apicrosoft
                Source: nstA4F2.tmp.11.dr | String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json/issues/652
                Source: 2391.exe, 00000005.00000003.2487900415.0000000001C48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myactivity.google.com/
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B79000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://passwords.google.com
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://passwords.google.comGoogle
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://passwords.google.comT
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://policies.google.com/
                Source: explorer.exe, 00000002.00000000.2103529255.000000000C460000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
                Source: nstA4F2.tmp.11.dr | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6098869
                Source: nstA4F2.tmp.11.dr | String found in binary or memory: https://support.google.com/chrome/answer/6258784
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chromebook?p=app_intent
                Source: 2391.exe, 00000005.00000003.2487519233.00000000043B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: 2391.exe, 00000005.00000003.2487519233.00000000043B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: GamePall.exe, 00000012.00000002.3799827521.0000000002B02000.00000002.00000001.01000000.00000011.sdmp, GamePall.exe, 00000012.00000002.3803287436.0000000002B46000.00000002.00000001.01000000.00000011.sdmp | String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
                Source: explorer.exe, 00000002.00000000.2101745849.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/)s
                Source: explorer.exe, 00000002.00000000.2101745849.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.comon
                Source: 2391.exe, 00000005.00000003.2487900415.0000000001C48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                Source: 2391.exe, 00000005.00000003.2487900415.0000000001C48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.dr | String found in binary or memory: https://www.digicert.com/CPS0
                Source: 2391.exe, 00000005.00000003.2465295788.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465123365.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465051085.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3271665033.000000000A2FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: nstA4F2.tmp.11.dr | String found in binary or memory: https://www.google.com/
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
                Source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
                Source: nstA4F2.tmp.11.dr | String found in binary or memory: https://www.google.com/cloudprint
                Source: nstA4F2.tmp.11.dr | String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
                Source: 2391.exe, 00000005.00000003.2465295788.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465123365.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465051085.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, 77CD.exe, 00000009.00000003.3271665033.000000000A2FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: 2391.exe, 00000005.00000003.2487519233.00000000043B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                Source: 2391.exe, 00000005.00000003.2487519233.00000000043B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                Source: 2391.exe, 00000005.00000003.2487519233.00000000043B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: 2391.exe, 00000005.00000003.2487519233.00000000043B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: 2391.exe, 00000005.00000003.2487519233.00000000043B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                Source: 2391.exe, 00000005.00000003.2487519233.00000000043B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.dr | String found in binary or memory: https://www.newtonsoft.com/json
                Source: nstA4F2.tmp.11.dr | String found in binary or memory: https://www.newtonsoft.com/jsonschema
                Source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.dr | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: Yara match | File source: 00000000.00000002.2112668303.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2112742292.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2411803971.0000000002801000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2411734866.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Code function: 8_2_004055E7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_038D4BA2 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC
                Source: GamePall.exe | Process created: 52

                System Summary

                Source: 00000000.00000002.2113001680.0000000002971000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000002.2112668303.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000000.00000002.2112742292.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000004.00000002.2411803971.0000000002801000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000004.00000002.2411670729.00000000027C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000004.00000002.2411734866.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000004.00000002.2411929335.0000000002850000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000002.2112462059.0000000002780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Code function: 0_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Code function: 0_2_00402FE9 RtlCreateUserThread,NtTerminateProcess
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Code function: 0_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Code function: 0_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Code function: 0_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Code function: 0_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Code function: 0_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Code function: 0_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\AppData\Roaming\deetubv | Code function: 4_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\AppData\Roaming\deetubv | Code function: 4_2_00402FE9 RtlCreateUserThread,NtTerminateProcess
                Source: C:\Users\user\AppData\Roaming\deetubv | Code function: 4_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\AppData\Roaming\deetubv | Code function: 4_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\AppData\Roaming\deetubv | Code function: 4_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\AppData\Roaming\deetubv | Code function: 4_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\AppData\Roaming\deetubv | Code function: 4_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\AppData\Roaming\deetubv | Code function: 4_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Code function: 8_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Code function: 8_2_00406A88
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_00C31490
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_00C3D515
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_00C44775
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_00C3BE09
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: String function: 00C30310 appears 51 times
                Source: OBbrO5rwew.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 00000000.00000002.2113001680.0000000002971000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000002.2112668303.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000000.00000002.2112742292.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000004.00000002.2411803971.0000000002801000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000004.00000002.2411670729.00000000027C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000004.00000002.2411734866.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000004.00000002.2411929335.0000000002850000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000002.2112462059.0000000002780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: OBbrO5rwew.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: deetubv.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformBlock'
                Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                Source: GamePall.exe.11.dr, Program.cs | Base64 encoded string: (encoded string values omitted)
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@130/115@0/9
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Code function: 8_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Code function: 8_2_00404897 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Code function: 0_2_02974C88 CreateToolhelp32Snapshot,Module32First
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Code function: 8_2_00402173 CoCreateInstance,MultiByteToWideChar
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\deetubv
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: NULL
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\2391.tmp
                Source: OBbrO5rwew.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\explorer.exe | File read: C:\Program Files\desktop.ini
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: 2391.exe, 00000005.00000003.2475547515.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2465123365.0000000004297000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: OBbrO5rwew.exe | ReversingLabs: Detection: 31%
                Source: unknown | Process created: C:\Users\user\Desktop\OBbrO5rwew.exe "C:\Users\user\Desktop\OBbrO5rwew.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\deetubv C:\Users\user\AppData\Roaming\deetubv
                Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\2391.exe C:\Users\user\AppData\Local\Temp\2391.exe
                Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\4CC4.exe C:\Users\user\AppData\Local\Temp\4CC4.exe
                Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\77CD.exe C:\Users\user\AppData\Local\Temp\77CD.exe
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\deetubv C:\Users\user\AppData\Roaming\deetubv
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3400 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3976 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4012 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719944520561396 --launch-time-ticks=5329031925 --mojo-platform-channel-handle=4048 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719944520561396 --launch-time-ticks=5329056479 --mojo-platform-channel-handle=4108 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Local\Temp\2391.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Local\Temp\2391.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\2391.exe C:\Users\user\AppData\Local\Temp\2391.exe
                Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\4CC4.exe C:\Users\user\AppData\Local\Temp\4CC4.exe
                Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\77CD.exe C:\Users\user\AppData\Local\Temp\77CD.exe
                Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Windows\explorer.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3400 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3976 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4012 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719944520561396 --launch-time-ticks=5329031925 --mojo-platform-channel-handle=4048 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719944520561396 --launch-time-ticks=5329056479 --mojo-platform-channel-handle=4108 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
                Source: C:\Users\user\Desktop\OBbrO5rwew.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\OBbrO5rwew.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\OBbrO5rwew.exeSection loaded: msimg32.dllJump to behavior
                Source: C:\Users\user\Desktop\OBbrO5rwew.exeSection loaded: msvcr100.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mfsrcsnk.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: smartscreenps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\deetubvSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\deetubvSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\deetubvSection loaded: msimg32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\deetubvSection loaded: msvcr100.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: webio.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: oleacc.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: shfolder.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\77CD.exe
Section loaded: apphelp.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, uxtheme.dll
Source: C:\Users\user\AppData\Roaming\deetubv
Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe
Section loaded: apphelp.dll, acgenral.dll, uxtheme.dll, winmm.dll, samcli.dll, msacm32.dll, version.dll, userenv.dll, dwmapi.dll, urlmon.dll, mpr.dll, sspicli.dll, winmmbase.dll, winmmbase.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, cryptbase.dll, oleacc.dll, ntmarta.dll, shfolder.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll, firewallapi.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll, wbemcomn.dll, amsi.dll, userenv.dll, mmdevapi.dll, devobj.dll, audioses.dll, powrprof.dll, umpdc.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, coreuicomponents.dll, coremessaging.dll, wintypes.dll, twinapi.appcore.dll, coremessaging.dll, twinapi.appcore.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, propsys.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, dbghelp.dll, winmm.dll, secur32.dll, chrome_elf.dll, dwrite.dll, sspicli.dll, msasn1.dll, dpapi.dll, nlaapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, gpapi.dll, wkscli.dll, wtsapi32.dll, winsta.dll, mscms.dll, coloradapterclient.dll, mdmregistration.dll, mdmregistration.dll, msvcp110_win.dll, omadmapi.dll, dmcmnutils.dll, iri.dll, windows.staterepositoryps.dll, netapi32.dll, dsreg.dll, msvcp110_win.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll, wbemcomn.dll, amsi.dll, userenv.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll, wbemcomn.dll, amsi.dll, userenv.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll, wbemcomn.dll, amsi.dll, userenv.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: the same 31-module sequence as above (wbemcomn.dll through profapi.dll) is recorded two further times, identically
                Source: C:\Windows\explorer.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
                Source: Window Recorder  Window detected: More than 3 window changes detected
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe  File opened: C:\Windows\SysWOW64\msvcr100.dll
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.dr
                Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 0000000B.00000002.3946768313.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
                Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: 77CD.exe, 00000009.00000002.3325780915.000000000AC9C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.11.dr, nstA4F2.tmp.11.dr
                Source: Binary string: h:\work\newContent\secondBranch\DeleteProgram\DeleteProgram\obj\Release\KlMain.pdb source: nstA4F2.tmp.11.dr
                Source: Binary string: ntkrnlmp.pdbx source: 77CD.exe, 00000009.00000002.3325780915.000000000AC9C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: 77CD.exe, 00000009.00000002.3287815346.0000000001338000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000C.00000000.3704456419.00000000004A2000.00000002.00000001.01000000.0000000F.sdmp, nstA4F2.tmp.11.dr
                Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 0000000F.00000002.3847852307.00000000062B9000.00000002.00000001.01000000.00000012.sdmp, nstA4F2.tmp.11.dr
                Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000012.00000002.3799827521.0000000002B02000.00000002.00000001.01000000.00000011.sdmp
                Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3947089648.0000000000722000.00000004.00000020.00020000.00000000.sdmp, nstA4F2.tmp.11.dr
                Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: 77CD.exe, 00000009.00000002.3291297735.000000000A619000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\* source: 77CD.exe, 00000009.00000002.3287815346.0000000001338000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: nstA4F2.tmp.11.dr
                Source: Binary string: WINLOA~1.PDBwinload_prod.pdb$ source: 77CD.exe, 00000009.00000002.3325780915.000000000AC9C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: nstA4F2.tmp.11.dr
                Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 77CD.exe, 00000009.00000002.3291297735.000000000A619000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 0000000F.00000002.3847852307.00000000062B9000.00000002.00000001.01000000.00000012.sdmp, nstA4F2.tmp.11.dr
                Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000012.00000002.3799827521.0000000002B02000.00000002.00000001.01000000.00000011.sdmp
                Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 77CD.exe, 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp, 77CD.exe, 00000009.00000000.2598908096.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
                Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3947089648.0000000000722000.00000004.00000020.00020000.00000000.sdmp, nstA4F2.tmp.11.dr
                Source: Binary string: ntkrnlmp.pdb& source: 77CD.exe, 00000009.00000002.3325780915.000000000AC9C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 77CD.exe, 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp, 77CD.exe, 00000009.00000000.2598908096.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp

                Data Obfuscation

                Source: C:\Users\user\Desktop\OBbrO5rwew.exe  Unpacked PE file: 0.2.OBbrO5rwew.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW; (the .text section is execute+read on disk but execute+write in the unpacked image, i.e. the code rewrites itself in memory before it runs)
                Source: C:\Users\user\AppData\Roaming\deetubv  Unpacked PE file: 4.2.deetubv.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                Source: Newtonsoft.Json.dll.11.dr  Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC] (compile timestamp decades in the future; this is consistent with a deterministic build, where the field holds a content hash rather than a build time, so on its own it is not evidence of tampering)
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe  Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,8_2_100010D0
                Source: initial sample  Static PE information: section where entry point is pointing to: .vmpLp (entry point outside .text; the .vmp section-name prefix is VMProtect's)
                Source: 2391.exe.2.dr  Static PE information: section name: .vmpLp
                Source: 2391.exe.2.dr  Static PE information: section name: .vmpLp
                Source: 2391.exe.2.dr  Static PE information: section name: .vmpLp
                Source: libEGL.dll.11.dr  Static PE information: section name: .00cfg
                Source: libEGL.dll.11.dr  Static PE information: section name: .voltbl
                Source: libGLESv2.dll.11.dr  Static PE information: section name: .00cfg
                Source: libGLESv2.dll.11.dr  Static PE information: section name: .voltbl
                Source: chrome_elf.dll.11.dr  Static PE information: section name: .00cfg
                Source: chrome_elf.dll.11.dr  Static PE information: section name: .crthunk
                Source: chrome_elf.dll.11.dr  Static PE information: section name: CPADinfo
                Source: chrome_elf.dll.11.dr  Static PE information: section name: malloc_h
                Source: libEGL.dll0.11.dr  Static PE information: section name: .00cfg
                Source: libGLESv2.dll0.11.dr  Static PE information: section name: .00cfg
                Source: libcef.dll.11.dr  Static PE information: section name: .00cfg
                Source: libcef.dll.11.dr  Static PE information: section name: .rodata
                Source: libcef.dll.11.dr  Static PE information: section name: CPADinfo
                Source: libcef.dll.11.dr  Static PE information: section name: malloc_h
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe  Code function: 0_2_00401CD1 push ecx; ret 0_2_00401CD2
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe  Code function: 0_2_00401C91 push 00000076h; iretd 0_2_00401C93
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe  Code function: 0_2_00402E96 push B92A2F4Ch; retf 0_2_00402E9B
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe  Code function: 0_2_02781D38 push ecx; ret 0_2_02781D39
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe  Code function: 0_2_02781CF8 push 00000076h; iretd 0_2_02781CFA
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe  Code function: 0_2_02782EFD push B92A2F4Ch; retf 0_2_02782F02
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe  Code function: 0_2_0297A6DA push edx; ret 0_2_0297A6DB
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe  Code function: 0_2_0297C758 push FFFFFFFBh; iretd 0_2_0297C76E
                Source: C:\Users\user\AppData\Roaming\deetubv  Code function: 4_2_00401CD1 push ecx; ret 4_2_00401CD2
                Source: C:\Users\user\AppData\Roaming\deetubv  Code function: 4_2_00401C91 push 00000076h; iretd 4_2_00401C93
                Source: C:\Users\user\AppData\Roaming\deetubv  Code function: 4_2_00402E96 push B92A2F4Ch; retf 4_2_00402E9B
                Source: C:\Users\user\AppData\Roaming\deetubv  Code function: 4_2_027C1D38 push ecx; ret 4_2_027C1D39
                Source: C:\Users\user\AppData\Roaming\deetubv  Code function: 4_2_027C2EFD push B92A2F4Ch; retf 4_2_027C2F02
                Source: C:\Users\user\AppData\Roaming\deetubv  Code function: 4_2_027C1CF8 push 00000076h; iretd 4_2_027C1CFA
                Source: C:\Users\user\AppData\Roaming\deetubv  Code function: 4_2_0285AD70 push FFFFFFFBh; iretd 4_2_0285AD86
                Source: C:\Users\user\AppData\Roaming\deetubv  Code function: 4_2_02858CF2 push edx; ret 4_2_02858CF3
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe  Code function: 9_2_00C3004B push ecx; ret 9_2_00C3005E
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe  Code function: 9_2_00C32D15 push ds; ret 9_2_00C32D1C
                Source: OBbrO5rwew.exe  Static PE information: section name: .text entropy: 7.51076247482441
                Source: deetubv.2.dr  Static PE information: section name: .text entropy: 7.51076247482441
                Source: Ionic.Zip.dll.11.dr  Static PE information: section name: .text entropy: 6.821349263259562
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll
                Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\Temp\4CC4.exe
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll
                Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Roaming\deetubv
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Local\Temp\nsc1466.tmp\liteFirewall.dll
                Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\Temp\2391.exe
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll
                Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\Temp\77CD.exe
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe  File created: C:\Users\user\AppData\Local\Temp\setup.exe
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe  File created: C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\INetC.dll
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe  File created: C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\blowfish.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe  File created: C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\nsProcess.dll
                Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Roaming\deetubv
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall
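                The static indicators listed under Data Obfuscation (section rights that differ between the on-disk file and the unpacked image, an entry point inside a .vmpLp section, a .text entropy of 7.51, a PE timestamp in the year 2101) can be reproduced outside the sandbox with a few dozen lines of standard-library Python. The script below is an added example, not part of the Joe Sandbox report and not code from the sample or the GamePall installer: it parses the COFF header and section table, computes per-section entropy and rights in the report's own ER/W notation, and emits findings of the same kind. Because no bytes of the real sample are available here, it assembles a constructed test image that mimics the report's observations (a writable .text of random-looking bytes, a .vmpLp section holding the entry point, the 0xF68F744F timestamp quoted above) and a clean counterpart. The section-name prefix list and the 7.0 entropy threshold are assumptions chosen for the example.

```python
import hashlib
import math
import struct
import time

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumptions for this example: section-name prefixes used by common protectors
# (".vmp" is VMProtect's naming) and the per-byte entropy that counts as packed.
PACKER_SECTION_PREFIXES = (".vmp", ".upx", ".themida", ".enigma")
PACKED_ENTROPY = 7.0


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for empty input, close to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe):
    """Return (TimeDateStamp, AddressOfEntryPoint, sections) read from a PE image's headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _, nsec, timestamp, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt_off = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", pe, opt_off + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        rec = struct.unpack_from("<8sIIIIIIHHI", pe, opt_off + size_opt + 40 * i)
        name = rec[0].rstrip(b"\0").decode("ascii", "replace")
        # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
        sections.append((name, rec[1], rec[2], rec[3], rec[4], rec[9]))
    return timestamp, entry_rva, sections


def rights(chars):
    """Section rights in the report's notation, e.g. 'ER' for execute + read."""
    flags = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(letter for mask, letter in flags if chars & mask)


def rights_string(pe):
    """The layout the sandbox prints: '.text:ER;.rdata:R;...'."""
    return "".join(f"{s[0]}:{rights(s[5])};" for s in parse_pe(pe)[2])


def triage(pe, now=None):
    """List the static obfuscation indicators present in a PE image."""
    now = time.time() if now is None else now
    timestamp, entry_rva, sections = parse_pe(pe)
    findings = []
    if timestamp > now:
        findings.append(f"header: TimeDateStamp {timestamp:#010x} lies in the future")
    for name, vsize, vaddr, rsize, roff, chars in sections:
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: writable and executable ({rights(chars)})")
        ent = shannon_entropy(pe[roff:roff + rsize])
        if ent > PACKED_ENTROPY:
            findings.append(f"{name}: entropy {ent:.2f} suggests packed or encrypted content")
        if name.lower().startswith(PACKER_SECTION_PREFIXES):
            findings.append(f"{name}: section name associated with a code protector")
        if vaddr <= entry_rva < vaddr + max(vsize, rsize) and name != ".text":
            findings.append(f"{name}: entry point {entry_rva:#x} is outside .text")
    return findings


def build_test_pe(sections, timestamp, entry_rva):
    """Assemble a minimal PE32 image from (name, rva, bytes, characteristics) tuples.
    Constructed test data for this example; the result is not loadable."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, size_opt, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(size_opt, b"\0")
    raw_base = (e_lfanew + 24 + size_opt + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, body = b"", b""
    for name, rva, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), rva, len(data),
                             raw_base + len(body), 0, 0, 0, 0, chars)
        body += data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_base, b"\0") + body


def packed_sample():
    """Constructed image mimicking the report's indicators; no bytes from the real sample."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB, ~7.95 bits/byte
    return build_test_pe(
        [(".text", 0x1000, noise, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
         (".rdata", 0x2000, b"constructed read-only data\0" * 40, IMAGE_SCN_MEM_READ),
         (".vmpLp", 0x3000, b"\xE9\0\0\0\0" + b"\xCC" * 0x200, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)],
        timestamp=0xF68F744F,  # the value the report shows for Newtonsoft.Json.dll (year 2101)
        entry_rva=0x3010)


def clean_sample():
    return build_test_pe(
        [(".text", 0x1000, b"\x90" * 0x800 + b"\xC3", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
         (".data", 0x2000, b"\0" * 64, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
        timestamp=1_600_000_000, entry_rva=0x1000)


if __name__ == "__main__":
    for label, image in (("packed", packed_sample()), ("clean", clean_sample())):
        print(label, rights_string(image), *(triage(image) or ["no indicators"]), sep="\n  ")
```

                To run it against a real file, replace `packed_sample()` with `open(path, "rb").read()`; `rights_string` then prints the same `.text:ER;...` line the report shows, and comparing it with the string from a process memory dump reproduces the "changes PE section rights" check. Entropy is computed over raw section bytes, so a section with `SizeOfRawData` of zero (common for unpacked-in-memory code) scores 0.0 and is caught by the rights check instead.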

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\explorer.exe  File deleted: c:\users\user\desktop\obbro5rwew.exe
                Source: C:\Windows\explorer.exe  File opened: C:\Users\user\AppData\Roaming\deetubv:Zone.Identifier read attributes | delete
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\2391.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\2391.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\setup.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\OBbrO5rwew.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\AppData\Roaming\deetubv Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_9-146439
                Source: C:\Users\user\AppData\Local\Temp\2391.exe System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe API/Special instruction interceptor: Address: 7FF8C88EE814
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe API/Special instruction interceptor: Address: 7FF8C88ED584
                Source: C:\Users\user\AppData\Roaming\deetubv API/Special instruction interceptor: Address: 7FF8C88EE814
                Source: C:\Users\user\AppData\Roaming\deetubv API/Special instruction interceptor: Address: 7FF8C88ED584
                Source: C:\Users\user\AppData\Local\Temp\2391.exe API/Special instruction interceptor: Address: 12D8181
                Source: C:\Users\user\AppData\Local\Temp\2391.exe API/Special instruction interceptor: Address: 12EF069
                Source: C:\Users\user\AppData\Local\Temp\2391.exe API/Special instruction interceptor: Address: 1292432
                Source: C:\Users\user\AppData\Local\Temp\2391.exe API/Special instruction interceptor: Address: 1315B80
                Source: C:\Users\user\AppData\Local\Temp\2391.exe API/Special instruction interceptor: Address: 1224080
                Source: C:\Users\user\AppData\Local\Temp\2391.exe API/Special instruction interceptor: Address: 15C20B2
                Source: deetubv, 00000004.00000002.2411825677.000000000283E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
                Source: OBbrO5rwew.exe, 00000000.00000002.2112770893.000000000295E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK_
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: E50000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2850000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4850000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2AF0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2DE0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4DE0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2EA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2EF0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 5030000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: FB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2AB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4AB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: E60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2980000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1260000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2CA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2AD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: D30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2A70000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 28C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1180000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D80000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2A30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 15B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3200000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2F40000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: C50000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2720000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 25C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: AB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2430000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4430000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1270000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2FD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2E00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 8A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2530000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2350000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 14D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3100000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2F10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2230000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 23A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 43A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: D90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2930000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4930000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 970000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2510000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2450000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: CC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2800000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2700000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: C90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 27F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 25B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2440000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 26B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2440000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1380000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2E90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4E90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 14D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2F10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2E60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: BD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2620000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 24B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: F10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 28D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: F90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1180000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2C00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2A90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Thread delayed: delay time: 600000
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 435
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1055
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1026
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 3676
                Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 869
                Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 884
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exe
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\INetC.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc1466.tmp\liteFirewall.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\blowfish.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\nsProcess.dll
                Source: C:\Windows\explorer.exe TID: 5784 | Thread sleep time: -105500s >= -30000s
                Source: C:\Windows\explorer.exe TID: 4816 | Thread sleep time: -102600s >= -30000s
                Source: C:\Windows\explorer.exe TID: 5784 | Thread sleep time: -367600s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\2391.exe TID: 2680 | Thread sleep time: -210000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\2391.exe TID: 4296 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 7124 | Thread sleep time: -600000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Last function: Thread delayed (reported 7 times)
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Code function: 8_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Code function: 8_2_004066FF FindFirstFileA,FindClose
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Code function: 8_2_004027AA FindFirstFileA
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_00C424BD FindFirstFileExW
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_038D1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_038D4E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_038D1D3C FindFirstFileW,FindNextFileW
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_038D40BA FindFirstFileW,FindNextFileW
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_038D3EFC FindFirstFileW,FindNextFileW
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_038D2054 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Thread delayed: delay time: 600000
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | File opened: C:\Users\user\AppData\Local\Adobe\
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0r
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: explorer.exe, 00000002.00000000.2098826618.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
                Source: 2391.exe, 00000005.00000003.2475752223.00000000042CF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, 2391.exe, 00000005.00000002.2562969879.0000000001BCC000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2520570901.0000000001BD1000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2520134793.0000000001BCF000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000002.2562969879.0000000001BA7000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2463379059.0000000001BCE000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2453152629.0000000001BD0000.00000004.00000020.00020000.00000000.sdmp, 4CC4.exe, 00000008.00000002.3970434621.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 4CC4.exe, 00000008.00000003.3958456529.000000000063D000.00000004.00000020.00020000.00000000.sdmp, 4CC4.exe, 00000008.00000002.3970320501.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, 4CC4.exe, 00000008.00000003.3958611094.00000000005F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: GamePall.exe, 00000020.00000002.4056952188.0000000000A49000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B79000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B79000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTcaVMWare
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B79000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: GamePall.exe, 0000000C.00000002.3870561448.0000000000C13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\0
                Source: explorer.exe, 00000002.00000000.2100290504.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
                Source: 2391.exe, 00000005.00000003.2475752223.00000000042CF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: explorer.exe, 00000002.00000000.2099568578.0000000003530000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B79000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 00000002.00000000.2100290504.000000000769A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: explorer.exe, 00000002.00000000.2100290504.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B79000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 00000002.00000000.2099568578.0000000003530000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: 77CD.exe, 00000009.00000002.3287815346.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(62
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: GamePall.exe, 0000000C.00000002.3870561448.0000000000C13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B79000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: explorer.exe, 00000002.00000000.2099568578.0000000003530000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: explorer.exe, 00000002.00000000.2099568578.0000000003530000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware,p
                Source: explorer.exe, 00000002.00000000.2101745849.0000000009B79000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
                Source: 2391.exe, 00000005.00000003.2475846012.00000000042C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: explorer.exe, 00000002.00000000.2098826618.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | API call chain: ExitProcess graph end node (graph_8-3604)
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | System information queried: CodeIntegrityInformation
                Source: C:\Users\user\AppData\Roaming\deetubv | System information queried: CodeIntegrityInformation
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\deetubv | Process queried: DebugPort
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_00C34383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe | Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Code function: 0_2_0278092B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Code function: 0_2_02780D90 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\OBbrO5rwew.exe | Code function: 0_2_02974565 push dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\deetubv | Code function: 4_2_027C092B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\deetubv | Code function: 4_2_027C0D90 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\deetubv | Code function: 4_2_02852B7D push dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_00C45891 GetProcessHeap
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_00C34383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_00C30495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_00C306F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_00C30622 SetUnhandledExceptionFilter
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\explorer.exeFile created: 77CD.exe.2.drJump to dropped file
                Source: C:\Windows\explorer.exeNetwork Connect: 186.233.231.45 80Jump to behavior
                Source: C:\Windows\explorer.exeNetwork Connect: 141.8.192.126 80Jump to behavior
                Source: C:\Windows\explorer.exeNetwork Connect: 185.68.16.7 443Jump to behavior
                Source: C:\Windows\explorer.exeNetwork Connect: 127.0.0.127 80Jump to behavior
                Source: C:\Windows\explorer.exeNetwork Connect: 188.114.97.3 80Jump to behavior
                Source: C:\Windows\explorer.exeNetwork Connect: 188.55.174.170 80Jump to behavior
                Source: C:\Users\user\Desktop\OBbrO5rwew.exeThread created: C:\Windows\explorer.exe EIP: 33419D0Jump to behavior
                Source: C:\Users\user\AppData\Roaming\deetubvThread created: unknown EIP: 83819D0Jump to behavior
                Source: 2391.exe, 00000005.00000002.2561482770.0000000000DBD000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: pedestriankodwu.xyz
                Source: 2391.exe, 00000005.00000002.2561482770.0000000000DBD000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: towerxxuytwi.xyz
                Source: 2391.exe, 00000005.00000002.2561482770.0000000000DBD000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: ellaboratepwsz.xyz
                Source: 2391.exe, 00000005.00000002.2561482770.0000000000DBD000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: penetratedpoopp.xyz
                Source: 2391.exe, 00000005.00000002.2561482770.0000000000DBD000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: swellfrrgwwos.xyz
                Source: 2391.exe, 00000005.00000002.2561482770.0000000000DBD000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: contintnetksows.shop
                Source: 2391.exe, 00000005.00000002.2561482770.0000000000DBD000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: foodypannyjsud.shop
                Source: 2391.exe, 00000005.00000002.2561482770.0000000000DBD000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: potterryisiw.shop
                Source: C:\Users\user\Desktop\OBbrO5rwew.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: read writeJump to behavior
                Source: C:\Users\user\Desktop\OBbrO5rwew.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and readJump to behavior
                Source: C:\Users\user\AppData\Roaming\deetubvSection loaded: NULL target: C:\Windows\explorer.exe protection: read writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\deetubvSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and readJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3400 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3976 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4012 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719944520561396 --launch-time-ticks=5329031925 --mojo-platform-channel-handle=4048 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719944520561396 --launch-time-ticks=5329056479 --mojo-platform-channel-handle=4108 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 9; sm-j730g) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.122 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3400 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 9; sm-j730g) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.122 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3976 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 9; sm-j730g) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.122 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=4012 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 9; sm-j730g) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.122 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719944520561396 --launch-time-ticks=5329031925 --mojo-platform-channel-handle=4048 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 9; sm-j730g) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.122 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719944520561396 --launch-time-ticks=5329056479 --mojo-platform-channel-handle=4108 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 9; sm-j730g) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.122 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3400 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 9; sm-j730g) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.122 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3976 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 9; sm-j730g) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.122 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=4012 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 9; sm-j730g) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.122 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719944520561396 --launch-time-ticks=5329031925 --mojo-platform-channel-handle=4048 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 9; sm-j730g) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.122 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719944520561396 --launch-time-ticks=5329056479 --mojo-platform-channel-handle=4108 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: explorer.exe, 00000002.00000000.2101745849.0000000009B79000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2099270191.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2099270191.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2100155432.0000000004B00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2099270191.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2099270191.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2098826618.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PProgman
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: 9_2_00C3013C cpuid 9_2_00C3013C
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,9_2_00C450DC
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: GetLocaleInfoW,9_2_00C3E096
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: EnumSystemLocalesW,9_2_00C45051
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: GetLocaleInfoW,9_2_00C4532F
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,9_2_00C45458
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: GetLocaleInfoW,9_2_00C4555E
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,9_2_00C45634
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: EnumSystemLocalesW,9_2_00C3DBC7
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,9_2_00C44CBF
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: EnumSystemLocalesW,9_2_00C44FB6
Source: C:\Users\user\AppData\Local\Temp\77CD.exe | Code function: EnumSystemLocalesW,9_2_00C44F6B
Source: C:\Users\user\AppData\Local\Temp\2391.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2391.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2391.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2391.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2391.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2391.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2391.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2391.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe Code function: 9_2_00C3038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,9_2_00C3038F
                Source: C:\Users\user\AppData\Local\Temp\4CC4.exe Code function: 8_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,8_2_004034CC
                Source: C:\Users\user\AppData\Local\Temp\2391.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: 2391.exe, 00000005.00000003.2538185151.0000000001C4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s Defender\MsMpeng.exe
                Source: 2391.exe, 00000005.00000003.2538185151.0000000001C4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\AppData\Local\Temp\2391.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: 2391.exe PID: 4164, type: MEMORYSTR
                Source: Yara match File source: 9.2.77CD.exe.13916e0.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 9.2.77CD.exe.38d0000.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 9.2.77CD.exe.38d0000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 9.2.77CD.exe.1389fc0.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 9.2.77CD.exe.1389fc0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 9.2.77CD.exe.13916e0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000009.00000002.3287815346.0000000001338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: 77CD.exe PID: 6208, type: MEMORYSTR
                Source: Yara match File source: 00000000.00000002.2112668303.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.2112742292.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.2411803971.0000000002801000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.2411734866.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: 2391.exe, 00000005.00000003.2463379059.0000000001C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "p": "%appdata%\\Electrum\\wallets",
                Source: 2391.exe, 00000005.00000003.2463379059.0000000001C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "p": "%appdata%\\ElectronCash\\wallets",
                Source: 2391.exe, 00000005.00000003.2520926542.0000000001C32000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s/JAXX N
                Source: 2391.exe, 00000005.00000003.2463379059.0000000001C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "m": ["app-store.json", ".finger-print.fp", "simple-storage.json", "window-state.json"],
                Source: 2391.exe, 00000005.00000003.2463379059.0000000001C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "p": "%appdata%\\Exodus\\exodus.wallet",
                Source: 2391.exe, 00000005.00000003.2520017106.0000000001C36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
                Source: 2391.exe, 00000005.00000003.2463379059.0000000001C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "p": "%appdata%\\Ethereum",
                Source: 2391.exe, 00000005.00000003.2520570901.0000000001BCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: 2391.exe, 00000005.00000003.2463379059.0000000001C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "m": ["keystore"],
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\AppData\Local\Temp\77CD.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\AppData\Local\Temp\2391.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\AppData\Local\Temp\77CD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqliteJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\77CD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\77CD.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\77CD.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.jsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\77CD.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeDirectory queried: C:\Users\user\Documents\KLIZUSIQENJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeDirectory queried: C:\Users\user\Documents\KLIZUSIQENJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2391.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: Yara match | File source: 00000005.00000003.2520570901.0000000001BD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.2520134793.0000000001BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.2520926542.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 2391.exe PID: 4164, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: 2391.exe PID: 4164, type: MEMORYSTR
                Source: Yara match | File source: 9.2.77CD.exe.13916e0.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.77CD.exe.38d0000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.77CD.exe.38d0000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.77CD.exe.1389fc0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.77CD.exe.1389fc0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.77CD.exe.13916e0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.3287815346.0000000001338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 77CD.exe PID: 6208, type: MEMORYSTR
                Source: Yara match | File source: 00000000.00000002.2112668303.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2112742292.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2411803971.0000000002801000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2411734866.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix (techniques grouped per tactic column; a number preceding a technique is kept as it appears in the report's matrix)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
                Execution: 1 Windows Management Instrumentation; 11 Native API; 1 Exploitation for Client Execution; 1 Command and Scripting Interpreter; 1 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
                Persistence: 1 DLL Side-Loading; 1 Windows Service; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 1 Windows Service; 312 Process Injection; 1 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                Defense Evasion: 1 Disable or Modify Tools; 111 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 11 Masquerading; 241 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 312 Process Injection; 1 Hidden Files and Directories
                Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
                Discovery: 1 System Time Discovery; 13 File and Directory Discovery; 137 System Information Discovery; 651 Security Software Discovery; 241 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 Remote System Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery; Process Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
                Collection: 11 Archive Collected Data; 31 Data from Local System; 1 Screen Capture; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
                Command and Control: 1 Ingress Tool Transfer; 2 Encrypted Channel; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
                Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1466397 | Sample: OBbrO5rwew.exe | Startdate: 02/07/2024 | Architecture: WINDOWS | Score: 100

                Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 10 other signatures

                Process tree (node numbers as assigned in the graph):

                • OBbrO5rwew.exe (9), started
                  Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 2 other signatures
                  • explorer.exe (16), injected
                    Network: 185.68.16.7 UKRAINE-ASUA Ukraine; 186.233.231.45 SolucaoNetworkProvedorLtdaBR Brazil; 3 other IPs or domains
                    Dropped: C:\Users\user\AppData\Roaming\deetubv (PE32); C:\Users\user\AppData\Local\Temp\77CD.exe (PE32); C:\Users\user\AppData\Local\Temp\4CC4.exe (PE32); 2 other malicious files
                    Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
                    • 4CC4.exe (23), started
                      Dropped: C:\Users\user\AppData\Local\Temp\setup.exe (PE32); C:\Users\user\AppData\Local\...\blowfish.dll (PE32); C:\Users\user\AppData\Local\...\huge[1].dat (PE32); 2 other files (none is malicious)
                      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
                      • setup.exe (42), started
                        Dropped: C:\Users\user\AppData\...\vulkan-1.dll (PE32); C:\Users\user\AppData\...\vk_swiftshader.dll (PE32); C:\Users\user\AppData\...\libGLESv2.dll (PE32); 16 other files (13 malicious)
                        Signatures: Antivirus detection for dropped file
                    • 2391.exe (27), started
                      Network: 188.114.97.3 CLOUDFLARENETUS European Union
                      Signatures: Query firmware table information (likely to detect VMs); Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
                    • 77CD.exe (30), started
                      Network: 146.70.169.164 TENET-1ZA United Kingdom; 104.192.141.1 AMAZON-02US United States
                      Signatures: Found evasive API chain (may stop execution after checking mutex); Tries to harvest and steal browser information (history, passwords, etc)
                    • GamePall.exe (32), started
                • deetubv (12), started
                  Signatures: Multi AV Scanner detection for dropped file; Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
                  • GamePall.exe (21), started
                    Network: 104.21.45.251 CLOUDFLARENETUS United States
                    Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
                    • GamePall.exe (34), started
                      • GamePall.exe (46), started
                        • GamePall.exe (54), started
                        • GamePall.exe (56), started
                      • GamePall.exe (48), started
                        • GamePall.exe (58), started
                      • GamePall.exe (50), started
                      • 10 other processes
                    • GamePall.exe (36), started
                    • GamePall.exe (38), started
                    • 6 other processes
                • deetubv (14), started

Source | Detection | Scanner | Label
OBbrO5rwew.exe | 32% | ReversingLabs |
OBbrO5rwew.exe | 100% | Avira | HEUR/AGEN.1318160
OBbrO5rwew.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\setup.exe | 100% | Avira | HEUR/AGEN.1359405
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 100% | Avira | HEUR/AGEN.1352426
C:\Users\user\AppData\Local\Temp\4CC4.exe | 100% | Avira | HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Temp\2391.exe | 100% | Avira | HEUR/AGEN.1313486
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | 100% | Avira | HEUR/AGEN.1359405
C:\Users\user\AppData\Roaming\GamePall\Del.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\77CD.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\2391.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | 3% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\2391.exe | 50% | ReversingLabs | Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\4CC4.exe | 21% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsc1466.tmp\liteFirewall.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\INetC.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\blowfish.dll | 5% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\nsProcess.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\setup.exe | 3% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\GamePall\Del.exe | 7% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 3% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\libEGL.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\libcef.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\log4net.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\deetubv | 32% | ReversingLabs |
                No Antivirus matches
                No contacted domains info
Name | Malicious
http://gebeus.ru/tmp/index.php | true
http://cx5519.com/tmp/index.php | true
contintnetksows.shop | true
http://evilos.cc/tmp/index.php | true
ellaboratepwsz.xyz | true
swellfrrgwwos.xyz | true
foodypannyjsud.shop | true
pedestriankodwu.xyz | true
towerxxuytwi.xyz | true
                                                                                                                                                                                                                http://api.install-stat.debug.world/clients/activityGamePall.exe, 0000001B.00000002.4096840778.0000000002531000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001D.00000002.4235784260.00000000023C8000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001E.00000002.4212461068.0000000002958000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  https://chrome.google.com/webstore?hl=zh-TWCtrl$1setup.exe, 0000000B.00000002.3947775286.0000000002739000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    http://www.apache.org/).GamePall.exe, 00000012.00000002.3799827521.0000000002B02000.00000002.00000001.01000000.00000011.sdmpfalse
                                                                                                                                                                                                                      https://foodypannyjsud.shop/api2391.exe, 00000005.00000003.2463379059.0000000001BCE000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2453115813.0000000001BEE000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000003.2520134793.0000000001C32000.00000004.00000020.00020000.00000000.sdmp, 2391.exe, 00000005.00000002.2562969879.0000000001C30000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        • No. of IPs < 25%
                                                                                                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                                                                                                        • 75% < No. of IPs
IP              Domain   Country             ASN     ASN Name                       Malicious
186.233.231.45  unknown  Brazil              262675  SolucaoNetworkProvedorLtdaBR   true
104.192.141.1   unknown  United States       16509   AMAZON-02US                    false
188.114.97.3    unknown  European Union      13335   CLOUDFLARENETUS                true
141.8.192.126   unknown  Russian Federation  35278   SPRINTHOSTRU                   true
104.21.45.251   unknown  United States       13335   CLOUDFLARENETUS                false
188.55.174.170  unknown  Saudi Arabia        25019   SAUDINETSTC-ASSA               true
185.68.16.7     unknown  Ukraine             200000  UKRAINE-ASUA                   true
146.70.169.164  unknown  United Kingdom      2018    TENET-1ZA                      true

IP
127.0.0.127
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1466397
Start date and time: 2024-07-02 21:37:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 17m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 39
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: OBbrO5rwew.exe
renamed because original name is a hash value
Original Sample Name: bdcf37dcbb1947e5a3f6145d47fc67e8.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@130/115@0/9
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 54%
• Number of executed functions: 116
• Number of non-executed functions: 83
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Connection to analysis system has been lost, crash info: Unknown
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Execution Graph export aborted for target 2391.exe, PID 4164 because there are no executed functions
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Skipping network analysis since amount of network traffic is too extensive
• VT rate limit hit for: OBbrO5rwew.exe
Time      Type             Description
15:38:12  API Interceptor  135452x Sleep call for process: explorer.exe modified
15:38:39  API Interceptor  9x Sleep call for process: 2391.exe modified
15:40:48  API Interceptor  1x Sleep call for process: GamePall.exe modified
21:38:23  Task Scheduler   Run new task: Firefox Default Browser Agent 035AEF08518A8B33 path: C:\Users\user\AppData\Roaming\deetubv
21:40:47  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
21:40:58  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          • www.coinwab.com/efdt/
                                                                                                                                                                                                                          hkLFB22XxS.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                          • www.cavetta.org.mt/yhnb/
                                                                                                                                                                                                                          QUOTATION_JULQTRA071244#U00faPDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                                                                                                                          • filetransfer.io/data-package/mJcm5Gfa/download
                                                                                                                                                                                                                          http://url.usb.m.mimecastprotect.com/s/SPnzCDwVznT7kyA0HkOsZj?domain=linkscan.ioGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                          • emmalee.sa.com/favicon.ico
                                                                                                                                                                                                                          file.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                          • www.cavetta.org.mt/yhnb/
                                                                                                                                                                                                                          6Z4Q4bREii.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                                                                                          • 000366cm.nyashka.top/phpflowergenerator.php
                                                                                                                                                                                                                          DHL Arrival Notice.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                          • www.coinwab.com/efdt/
                                                                                                                                                                                                                          arrival notice_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                          • www.evoolihubs.shop/fwdd/?CbPtaF=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&NV=CzkTp6UpmNmd
                                                                                                                                                                                                                          No context
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| CLOUDFLARENETUS | BFdEJpuBS2.exe | malicious | DCRat, PureLog Stealer, zgRAT | 172.67.188.185 |
| | SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe | malicious | LummaC, Poverty Stealer, SmokeLoader | 172.67.221.174 |
| | SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe | malicious | LummaC | 188.114.96.3 |
| | The Siedenburg Group #24-051-553861 Project.pdf | malicious | Unknown | 1.1.1.1 |
| | https://gcc.dcv.ms/i8Kf7mgiA8 | malicious | Unknown | 104.17.25.14 |
| | https://kawak.com.co | malicious | Unknown | 104.16.117.116 |
| | pKqvOdh3Sv.elf | malicious | Mirai, Moobot | 1.3.233.104 |
| | Informational-severity alert_ Creation of forwarding_redirect rule Case ID_FqJxoz8.eml | malicious | Unknown | 104.21.234.235 |
| | https://glamis-house.com/?email= | malicious | HTMLPhisher | 104.17.2.184 |
| | 44zg1cvu.msg | malicious | HTMLPhisher | 1.1.1.1 |
| SolucaoNetworkProvedorLtdaBR | SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe | malicious | LummaC, Poverty Stealer, SmokeLoader | 186.233.231.45 |
| AMAZON-02US | SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe | malicious | LummaC, Poverty Stealer, SmokeLoader | 104.192.141.1 |
| | https://gcc.dcv.ms/i8Kf7mgiA8 | malicious | Unknown | 99.86.4.109 |
| | https://kawak.com.co | malicious | Unknown | 18.245.175.102 |
| | pKqvOdh3Sv.elf | malicious | Mirai, Moobot | 13.248.44.214 |
| | Informational-severity alert_ Creation of forwarding_redirect rule Case ID_FqJxoz8.eml | malicious | Unknown | 18.239.36.14 |
| | https://gdfhfrhjytyjgergeriub.s3.amazonaws.com/chbfheruferfurugyguergtrh.html?b7l4p0tja4clxoqqueb94n68km9zejnk9og9e375tjprevkxufihzx431kre0sztm#gkQXHjIaiEbUzctGHfTNblNcbhSMnE&4HKftVNygHV&126276/175/cwmxtbhvit.home.php?sq=1647-36924&lk=256436-21&page=041 | malicious | Phisher | 52.217.123.177 |
| | 139_p.exe | malicious | Unknown | 18.162.60.133 |
| | https://lnkd.in/e4hHCn_z | malicious | HTMLPhisher | 18.239.83.87 |
| | call_Playback_worthingtonindustries.com.html | malicious | HTMLPhisher | 76.223.111.18 |

No context

No context
Process: C:\Users\user\AppData\Local\Temp\4CC4.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 107232830
Entropy (8bit): 7.999946456161068
Encrypted: true
SSDEEP: 1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
MD5: FF2293FBFF53F4BD2BFF91780FABFD60
SHA1: 61A9EDCF46228DC907AD523AA6FD035CC26C9209
SHA-256: B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
SHA-512: C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 3%
Reputation: unknown
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6642176
Entropy (8bit): 7.866419732571782
Encrypted: false
SSDEEP: 98304:LqhZ67opwYckx35SF2XKgxVvHuCPU8GSbO3JAXV1LrA+ZlL9CxpzTp2:LgErupSgKORuCT43JeV1LE+/s3p
MD5: BD2EAC64CBDED877608468D86786594A
SHA1: 778AD44AFD5629F0A5B3B7DF9D6F02522AE94D91
SHA-256: CAE992788853230AF91501546F6EAD07CFD767CB8429C98A273093A90BBCB5AD
SHA-512: 3C8F43045F27ADDCB5FB23807C2CE1D3F247CC30DD1596134A141B0BBC7FA4D30D138791214D939DC4F34FD925B9EC450EA340E5871E2F4F64844226ED394312
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 50%
Reputation: unknown
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 293869
Entropy (8bit): 5.61569579822855
Encrypted: false
SSDEEP: 3072:lFi6z/VXzAf3ocMNqB3r1Josf+OMhERMlm+twHBumSYyDgIoIPM7l0UGHM7:lxFSIjs+OM2eLFmSFgIZk7+HM7
MD5: 60172CA946DE57C3529E9F05CC502870
SHA1: DE8F59D6973A5811BB10A9A4410801FA63BC8B56
SHA-256: 42CEB2252FEC41FD0ACC6874B41C91E0BA07C367045D6A9A7850D59781C2584C
                                                                                                                                                                                                                          SHA-512:15D37AF3CAB96FC9026A1898E09C775FE0D277098A3FE20C2E591272DE996A243850D43F3B48B4C037C5FED359E57795A7CF1652547D7AD8B16B186AB9508792
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........`..X............................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...X....`......................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Windows\explorer.exe
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:modified
                                                                                                                                                                                                                          Size (bytes):578048
                                                                                                                                                                                                                          Entropy (8bit):6.297510031778876
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:No4ykJuqlLJop9G3/AmAGWn7sfPJYQIMt8KHsTH:NoBsLaDKAmAbUJ+M2K2
                                                                                                                                                                                                                          MD5:DA4B6F39FC024D2383D4BFE7F67F1EE1
                                                                                                                                                                                                                          SHA1:7CC975D9FF785E269163897907D0B9B3CEE29956
                                                                                                                                                                                                                          SHA-256:544697A024ABAEA1B24EAA3D89869B2C8A4C1ACF96D4E152F5632D338D054C9E
                                                                                                                                                                                                                          SHA-512:D73CC4D911D9E61711B97CB9212D5BC93CB1B1314A39945934EB92239A31728FCCA7FEFBEC0143BAD915B0A7A6B93DF11D0AB7F559737AA7EC920BD24243FFFE
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...I..I..I...1..I...1...I...1..I..l...I..l...I..l....I...1..I..I...I..]...I..]...I..Rich.I..................PE..L...w;.f...............'.....\....................@.......................................@.....................................(................................2..Xh..p....................i.......g..@...............@............................text....~.......................... ..`.rdata..4...........................@..@.data...............................@....reloc...2.......4..................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):82944
                                                                                                                                                                                                                          Entropy (8bit):6.389604568119155
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:Dli3i1jKfTV0LzYpAzMk2nACScLw5jPAT:j9KLQ+ScLw5jPAT
                                                                                                                                                                                                                          MD5:165E1EF5C79475E8C33D19A870E672D4
                                                                                                                                                                                                                          SHA1:965F02BFD103F094AC6B3EEF3ABE7FDCB8D9E2A5
                                                                                                                                                                                                                          SHA-256:9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD
                                                                                                                                                                                                                          SHA-512:CD10EAF0928E5DF048BF0488D9DBFE9442E2E106396A0967462BEF440BF0B528CDF3AB06024FB6FDAF9F247E2B7F3CA0CEA78AFC0CE6943650EF9D6C91FEE52A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W=.e9n.e9n.e9n...n.e9n...n.e9n..Bn.e9n.e8n.e9n.7.n.e9n...n.e9n...n.e9n...n.e9nRich.e9n........PE..L...,.N...........!.........^.......%...............................................3..................................`...$'..d....`.......................p...................................... ...@...............h............................text...1........................... ..`.rdata..P/.......0..................@..@.data........0......................@....rsrc........`.......*..............@..@.reloc.......p.......,..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\4CC4.exe
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):22016
                                                                                                                                                                                                                          Entropy (8bit):5.668346578219837
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
                                                                                                                                                                                                                          MD5:92EC4DD8C0DDD8C4305AE1684AB65FB0
                                                                                                                                                                                                                          SHA1:D850013D582A62E502942F0DD282CC0C29C4310E
                                                                                                                                                                                                                          SHA-256:5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
                                                                                                                                                                                                                          SHA-512:581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9<.EXR.EXR.EXR.b.).LXR.EXS..XR.b. .FXR.b.(.DXR.b...DXR.b.*.DXR.RichEXR.................PE..L....I6V...........!.....8...P......Q?.......P...................................................................... G..l....?..d.......(...............................................................................P............................text....7.......8.................. ..`.data...<<...P.......<..............@....rsrc...(............D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\4CC4.exe
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):22528
                                                                                                                                                                                                                          Entropy (8bit):6.674611218414922
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
                                                                                                                                                                                                                          MD5:5AFD4A9B7E69E7C6E312B2CE4040394A
                                                                                                                                                                                                                          SHA1:FBD07ADB3F02F866DC3A327A86B0F319D4A94502
                                                                                                                                                                                                                          SHA-256:053B4487D22AACF8274BAB448AE1D665FE7926102197B47BFBA6C7ED5493B3AE
                                                                                                                                                                                                                          SHA-512:F78EFE9D1FA7D2FFC731D5F878F81E4DCBFAF0C561FDFBF4C133BA2CE1366C95C4672D67CAE6A8BD8FCC7D04861A9DA389D98361055AC46FC9793828D9776511
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................6..........dD.......P....@.....................................................................Y.......................................p...................................................................................CODE....|4.......6.................. ..`DATA....8....P.......:..............@...BSS..........p.......L...................idata...............L..............@....edata..Y............P..............@..P.reloc..p............R..............@..P.rsrc................V..............@..P.....................X..............@..P................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\4CC4.exe
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):4608
                                                                                                                                                                                                                          Entropy (8bit):4.666004851298707
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
                                                                                                                                                                                                                          MD5:FAA7F034B38E729A983965C04CC70FC1
                                                                                                                                                                                                                          SHA1:DF8BDA55B498976EA47D25D8A77539B049DAB55E
                                                                                                                                                                                                                          SHA-256:579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
                                                                                                                                                                                                                          SHA-512:7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.I...I...I...n|f.L...I...Q...@..K...@..H...@..H...RichI...........PE..L...`..N...........!......................... ...............................`.......................................#....... ..<....@.......................P..|.................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):358363995
Entropy (8bit):6.972150585647623
Encrypted:false
SSDEEP:3145728:KTzytRGD/CYRNIPKYTFBhfmOS9KBaVzTx9OSsKV97nM:KnUs4tvaVzTD99M
MD5:5F9D89B40243E83C0B48206CE4EB77D1
SHA1:477A019AB11E5793168B3E41D83B80A8AC8F1D43
SHA-256:2BF31800E731EF63E7E5BDEECD87B50B349EC8F5C9D752AACB807AC0E82E95B9
SHA-512:5B812C2D341FE8A9296EF68E416E0EFA8185FB3ECCEC0917AB206CD7639E1810E6444538B61583E2260F1A46D4209E1995CFBF940A1D9836C4155ADF0504940B
Malicious:false
Reputation:unknown
Preview:........,.......................H...........................................................................................................................................................................................................................................................e...i...............j.......................3.......................................................................................................................t....V..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\4CC4.exe
File Type:data
Category:dropped
Size (bytes):60466
Entropy (8bit):5.603640719549413
Encrypted:false
SSDEEP:1536:akqg31kqY3Q4Oc//////Q0LatojW/lX1Xb41:3qg323Sc//////Q3tojW/XXy
MD5:DE806154A80E3916669C466B6D001BD6
SHA1:B85BD0EC436125772A9C5403162628B7AAB35F49
SHA-256:10D9B7F2238EFFEB71990F979B9DFE4F3BE3D212B05232EF34C39F9578CC11E3
SHA-512:63CC5D6865C89AE2C41EEE3C76FD865D9461E96DBC570270982EB6DB5A15FB234098286CEE3FF9DB2255FEDA5207A222AB67743475AD60CCFD89A86B881BCB94
Malicious:false
Reputation:unknown
Preview:",......,..................."...|%......H+......",..............................................................................................................................................................................................................................................................j.......,.../...5.......3.......................................................................................................................N.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\4CC4.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):107232830
Entropy (8bit):7.999946456161068
Encrypted:true
SSDEEP:1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
MD5:FF2293FBFF53F4BD2BFF91780FABFD60
SHA1:61A9EDCF46228DC907AD523AA6FD035CC26C9209
SHA-256:B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
SHA-512:C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 3%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:dropped
Size (bytes):8192
Entropy (8bit):0.01057775872642915
Encrypted:false
SSDEEP:3:MsFl:/F
MD5:CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:false
Reputation:unknown
Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:data
Category:dropped
Size (bytes):8192
Entropy (8bit):0.012096502606932763
Encrypted:false
SSDEEP:3:MsEllllkXl:/M/6
MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
Malicious:false
Reputation:unknown
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:data
Category:dropped
Size (bytes):8192
Entropy (8bit):0.011852361981932763
Encrypted:false
SSDEEP:3:MsHlDll:/H
MD5:0962291D6D367570BEE5454721C17E11
SHA1:59D10A893EF321A706A9255176761366115BEDCB
SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:false
Reputation:unknown
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:data
Category:modified
Size (bytes):8192
Entropy (8bit):0.012340643231932763
Encrypted:false
SSDEEP:3:MsGl3ll:/y
MD5:41876349CB12D6DB992F1309F22DF3F0
SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:false
Reputation:unknown
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
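The per-file fields in the records above (Size, Entropy (8bit), Encrypted, the four hashes, and a File Type that picks up the PE header and the NSIS ".ndata" section visible in the 107 MB dropper's preview) can be recomputed locally when re-triaging a dropped file or checking a report against a sample you hold. The script below is an added example and is not Joe Sandbox code: it rebuilds those fields over constructed byte strings, since the dropped files themselves are not on the page. The 7.9 bits/byte cutoff for Encrypted and the rule that a ".ndata" section means an NSIS installer are this example's own assumptions; the report's exact rule is not published here. One caveat worth knowing when reading the listing: the "FoxPro FPT" type on the 8 KiB GamePall files is a libmagic guess on near-constant content. An 8-bit entropy of about 0.01 means the file is almost entirely a single byte value, which the blank previews confirm.

```python
"""Recompute the per-file triage fields of a sandbox "dropped files" listing:
size, 8-bit entropy, the Encrypted flag, MD5/SHA-1/SHA-256/SHA-512, and a
file-type string that recognises PE images and the NSIS ".ndata" section.

Added example, not Joe Sandbox code. The entropy cutoff and the
".ndata" => NSIS heuristic are this example's own assumptions.
"""
import hashlib
import math
import struct
from collections import Counter

# Assumption: an illustrative cutoff for "Encrypted". The report's 107 MB NSIS
# dropper scores 7.99995 bits/byte (flagged) while the 6.97 blob is not flagged.
ENCRYPTED_ENTROPY_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant file,
    8.0 when every byte value occurs equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _pe_headers(data: bytes):
    """(e_lfanew, NumberOfSections, SizeOfOptionalHeader), or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return e_lfanew, nsec, opt_size


def pe_section_names(data: bytes) -> list:
    """Section names from the section table; [] for non-PE or truncated input."""
    hdr = _pe_headers(data)
    if hdr is None:
        return []
    e_lfanew, nsec, opt_size = hdr
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsec):
        off = table + 40 * i           # IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break                      # truncated: report only what is present
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def classify(data: bytes) -> str:
    """Short file-type string in the style of the listing ("data" if not PE)."""
    hdr = _pe_headers(data)
    if hdr is None:
        return "data"
    e_lfanew, _, opt_size = hdr
    magic = 0
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]  # optional header Magic
    kind = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE")
    desc = f"{kind} executable"
    if ".ndata" in pe_section_names(data):   # assumption: section name used by NSIS
        desc += ", Nullsoft Installer self-extracting archive"
    return desc


def triage(data: bytes) -> dict:
    """All fields for one dropped file, hashes upper-cased as in the listing."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": entropy,
        "encrypted": entropy >= ENCRYPTED_ENTROPY_THRESHOLD,
        "file_type": classify(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def build_sample_pe(section_names) -> bytes:
    """Constructed minimal PE image (not a real dropped file): MZ stub with
    e_lfanew=0x40, PE signature, COFF header, a 2-byte optional header holding
    the PE32 magic, and one 40-byte section header per name."""
    opt = struct.pack("<H", 0x10B)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(struct.pack("<8s32x", n.encode()) for n in section_names)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + opt + sections


# Constructed inputs standing in for three kinds of entry in the listing.
SAMPLE_NSIS = build_sample_pe([".text", ".rdata", ".data", ".ndata", ".rsrc"])
SAMPLE_EMPTY = b"\0" * 8192              # like the near-blank 8 KiB GamePall files
SAMPLE_UNIFORM = bytes(range(256)) * 32  # every byte value 32 times -> 8.0 bits/byte

if __name__ == "__main__":
    for name, blob in (("nsis", SAMPLE_NSIS), ("empty", SAMPLE_EMPTY), ("uniform", SAMPLE_UNIFORM)):
        fields = triage(blob)
        print(name, fields["file_type"], round(fields["entropy"], 3), fields["sha256"])
```

Run `triage(open(path, "rb").read())` on a real dropped file to compare against the record; a mismatch on SHA-256 means you are not looking at the same artifact the sandbox saw, and a high entropy with a "data" type is the usual shape of a packed payload waiting to be decrypted by its loader.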
Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:dropped
Size (bytes):262512
Entropy (8bit):9.553120663130604E-4
Encrypted:false
SSDEEP:3:LsNlgJ/:Ls3
MD5:4325A7D88D881921839F94DE1440467C
SHA1:F48252678C96F6A1067476E8133401860AE9C17B
SHA-256:7388C9E46D29935DA53A6CA7F1DDEE85F6AB751C992238BBB0A5CE3E4BC54127
                                                                                                                                                                                                                          SHA-512:1F701863F7BA10D7175F89D1A51A749A209505E7A461AEA6A785AE9348162E17B656DE606159024B130B10DF634CDC7735F5F02230C123AF3DE0441C7267057B
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8192
                                                                                                                                                                                                                          Entropy (8bit):4.622398838808078
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:96:QPjzIyfbInD3W0IwrBmEH7UewW4ORIhmY5XO40uK8DDzNt:pQIS0IwrJbU7W4kIX5e4kgF
                                                                                                                                                                                                                          MD5:97D4D47D539CB8171BE2AEFD64C6EBB1
                                                                                                                                                                                                                          SHA1:44ABF82DD553CCE0C1F41B9B78D853075DDD1F16
                                                                                                                                                                                                                          SHA-256:8D996D5F68BF2248F223C4F3549303BC6A8EC58CC97FCB63B7BB7D8068850273
                                                                                                                                                                                                                          SHA-512:7D402847B093E208410C695095DE815A3F5D5DA81630FD51C88C009C48C269D0EA5016D626351BB9D38862163FAD930645072C50ACCCD743DC0E19531A592FDE
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 7%
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8192
                                                                                                                                                                                                                          Entropy (8bit):0.01057775872642915
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:MsFl:/F
                                                                                                                                                                                                                          MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                                                                                                                                                                                          SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                                                                                                                                                                                          SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                                                                                                                                                                                          SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8192
                                                                                                                                                                                                                          Entropy (8bit):0.012096502606932763
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:MsEllllkXl:/M/6
                                                                                                                                                                                                                          MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
                                                                                                                                                                                                                          SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
                                                                                                                                                                                                                          SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
                                                                                                                                                                                                                          SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8192
                                                                                                                                                                                                                          Entropy (8bit):0.011852361981932763
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:MsHlDll:/H
                                                                                                                                                                                                                          MD5:0962291D6D367570BEE5454721C17E11
                                                                                                                                                                                                                          SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                                                                                                                                                                                          SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                                                                                                                                                                                          SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8192
                                                                                                                                                                                                                          Entropy (8bit):0.012340643231932763
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:MsGl3ll:/y
                                                                                                                                                                                                                          MD5:41876349CB12D6DB992F1309F22DF3F0
                                                                                                                                                                                                                          SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                                                                                                                                                                                          SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                                                                                                                                                                                          SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):262512
                                                                                                                                                                                                                          Entropy (8bit):9.371990371861502E-4
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:LsNlGfu:Ls3
                                                                                                                                                                                                                          MD5:9EBEBE2FAE9DD46E7D68B9703E300FA2
                                                                                                                                                                                                                          SHA1:995F37A0ED77146A63037D7ABEAC239ABE5AD51C
                                                                                                                                                                                                                          SHA-256:E3DC5BC12E74BE29C3E1F46F7423079066944443606E9F27EB15199BAE7F1EE7
                                                                                                                                                                                                                          SHA-512:33EEC4AB42749CC677662BC091BC9FE336AFB830F823C694DD0ECC05BF97D07450AF22CCDDDCA01244D7729B45CF86535C56A5CF838A07C56A314F378209E620
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):296448
Entropy (8bit):5.660420770467009
Encrypted:false
SSDEEP:3072:xTpjI4TptgvmHMaellnhblkK0m2QEk0xjo4OVzdvayfvYn6A:ppbVtsg1e5b2Px2zdyyq
MD5:7A3502C1119795D35569535DE243B6FE
SHA1:DA0D16BC66614C7D273C47F321C5EE0652FB5575
SHA-256:B18FEFB56ED7B89E45CEC8A5494FBEC81E36A5CB5538CCBB8DE41CCE960FAA30
SHA-512:258B111AC256CD8145CBE212D59DFF5840D67E70EFFD7CDDC157B2A3461B398BBC3446004980131FAA6A8762C19305F56E7B793F045331B56B8BD17D85B884C4
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 3%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):462336
Entropy (8bit):6.803831500359682
Encrypted:false
SSDEEP:6144:leSYvQAd10GtSV41OJDsTDDVUMle6ZjxLV/rHo0Oaaz2R9IY:oJBdBS4msNUCe65frHMnz2R9
MD5:6DED8FCBF5F1D9E422B327CA51625E24
SHA1:8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
SHA-256:3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
SHA-512:BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):574376
Entropy (8bit):5.8881470355864725
Encrypted:false
SSDEEP:12288:ZzfhypmNGgHA37YyUD1AboTf3xnpJbC8VGSBJjRuz7:ZoI1AbQf3xnpJbC8VLBJjRuz7
MD5:8F81C9520104B730C25D90A9DD511148
SHA1:7CF46CB81C3B51965C1F78762840EB5797594778
SHA-256:F1F01B3474B92D6E1C3D6ADFAE74EE0EA0EBA6E9935565FE2317686D80A2E886
SHA-512:B4A66389BF06A6611DF47E81B818CC2FCD0A854324A2564A4438866953F148950F59CD4C07C9D40CC3A9043B5CE12B150C8A56CCCDF98D5E3F0225EDF8C516F3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):561424
Entropy (8bit):4.606896607960262
Encrypted:false
SSDEEP:6144:XqqUmk/Rik2rH6dl0/IaHNpOVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QyMYFLse:DUK
MD5:928ED37DB61C1E98A2831C8C01F6157C
SHA1:98103C2133EBDA28BE78BFE3E2D81D41924A23EE
SHA-256:39F6A4DB1BE658D6BAFF643FA05AAE7809139D9665475BFCA10D37DCA3384F21
SHA-512:F59387BFA914C7DB234161E31AD6075031ACA17AAEF4B8D4F4B95C78C7A6A8D0E64211566CA2FD4549B9DA45231F57A4191FBCD3809404653F86EE2ABD4937A4
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):215862
Entropy (8bit):5.849338245796311
Encrypted:false
SSDEEP:3072:rFi6z/VXzAf3oc8+vat7fvYnDAdOVz5kNx:rxFSI+y1qk6zuNx
MD5:9D21A25AA1B5985A2C8CBCE7F7007295
SHA1:86EBF56352B4DBB831FAE0CCA180B4ADD951240D
SHA-256:E41F984C39183BA4FD1578134D71E203F4A7A8C23F278924562876326FC40EE2
SHA-512:EE4A1AC97968F2DDA3C54A49AC33D3FCE28C4DAE72032D9FDD1F8D8BA41B07A1D78D15E11586DA54AD5E0F2BD4A48C79A0CBAC84DE3D957B2AC6C1B5F41A33BB
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):875520
Entropy (8bit):5.621956468920589
Encrypted:false
SSDEEP:12288:jsRfnBqqvFXWesd2HiZ9fyn+5FHrvUR1Qnzx7LuQ:jsRITeWAQ5vtu
MD5:B03C7F6072A0CB1A1D6A92EE7B82705A
SHA1:6675839C5E266075E7E1812AD8E856A2468274DD
SHA-256:F561713347544E9D06D30F02A3DFCEC5FE593B38894593AEEDF5700666B35027
SHA-512:19D6792EB9BA8584B94D0D59E07CE9D1C9C4DA5516490F4ABCE5AE0D7D55B357BDA45B2093B3E9EB9D6858061E9D3F530A6655C4779A50C911501AE23925C566
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1946739
Entropy (8bit):7.989700491058983
Encrypted:false
SSDEEP:49152:fpXzD2VLpS71ycdao6LreGCL/0jJZWOiBiXkbEia9T:xjyFgZ0Lr2/0jJU5BiIEN
MD5:96AD47D78A70B33158961585D9154ECC
SHA1:149BF6F6905A76B0CC9E9ACA580357BD6C3497A2
SHA-256:C861117D1F1DBF02867B46FA87CB8C65C3213D196029EE81A02B617D131236E2
SHA-512:6A971F742B5754EEF39C6C2C64DB13DFDCB74D8CB23833404E9EF5AD89E142278E5DF789F508DB561C5E957013AE0C60D002CDFA93BCD87CA4967D610DF1579B
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):214119
                                                                                                                                                                                                                          Entropy (8bit):7.955451054538398
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:m5S+8U5mtp0ra7rFrJzw95T9OHCZg0Gb0OveGe04mExhLY:mWU5OGUFoqoORehrQ
                                                                                                                                                                                                                          MD5:391F512173ECEC14EB5CE31299858DE1
                                                                                                                                                                                                                          SHA1:3A5A41A190C1FB682F9D9C84F500FF50308617FC
                                                                                                                                                                                                                          SHA-256:E0F5C754C969CCA0AC4594A6F3F2C23D080A09EEA992AF29E19F4291FD1E0B06
                                                                                                                                                                                                                          SHA-512:44D7B9BCB3544C3F5550150EF3522BF6A0B36900695E6A13E44F5616E16A058548189D4FEA4A22248B1CB2B273B0EAA7D559EB2D8F013BED520E4097BD45D800
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):290001
                                                                                                                                                                                                                          Entropy (8bit):7.9670215100557735
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:tS+8U5mtp0ra7rFriDQYaF+9bQHgs4jTlmOHCZVWGMRe8InVXYopym74:CU5OGUFrfs4gs4jTQ6ebVIo374
                                                                                                                                                                                                                          MD5:BF59A047984EAFC79E40B0011ED4116D
                                                                                                                                                                                                                          SHA1:DF747125F31F3FF7E3DFE5849F701C3483B32C5E
                                                                                                                                                                                                                          SHA-256:CD9BE67AA0527F16E309189FA2369E1A2596D0601A7D55C405F8A619F4D095E9
                                                                                                                                                                                                                          SHA-512:85A545758E8C89EF47BF11B553C57D23ED7DA6AE89A8BCCB262F509AABE61A1121C3F87EC9200791F2670225BAEECC3C92AED6AFDA86C08CA0FD611DA2E595D2
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1305142
                                                                                                                                                                                                                          Entropy (8bit):7.99463351416358
                                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                                          SSDEEP:24576:8AkckSbnVLjWG13xdT0b+SLzRYt2k+lbG9EjJNH/osm22O+EcRfPLP:88zVXWG1hdAKSxY4k5EFNHgvPPLP
                                                                                                                                                                                                                          MD5:20DDA02AF522924E45223D7262D0E1ED
                                                                                                                                                                                                                          SHA1:378E88033A7083AAC24E6CD2144F7BC706F00837
                                                                                                                                                                                                                          SHA-256:8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
                                                                                                                                                                                                                          SHA-512:E71320B2AA0CB52938206EC00187D78274646C4C7D3579B33A0163262C063B7813FE7ACD0D2E5807082ADE772069AA577FED7F594964790C2F7C061CE38467B6
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:current ar archive
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):87182312
                                                                                                                                                                                                                          Entropy (8bit):5.477474753748716
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:196608:v0b1XAJ5V8XYcrfCNJsTtU0ZhdYHbgMnn6d25JOcLRiLnIrBcnK0EAeg1GF:78JaNJyZhdE6383rWEAR8
                                                                                                                                                                                                                          MD5:FFD456A85E341D430AFA0C07C1068538
                                                                                                                                                                                                                          SHA1:59394310B45F7B2B2882D55ADD9310C692C7144F
                                                                                                                                                                                                                          SHA-256:F188B96639B5157E64222BB8483D76CD21A99141FC2614EF275E20639C739264
                                                                                                                                                                                                                          SHA-512:EB4CB388383CB37B1D89531D560169985A80DF9335F005AFBBFDE56F9031821A933D735138B1086CF81D006E480FF14711A8A95B3DB8A0FD4037AA6EFD926B50
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):656926
                                                                                                                                                                                                                          Entropy (8bit):7.964275415195004
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:fI3Hdjzgsz5B0GDJQrnKs8SNP+QSsSilRBdNze0Vc+gIXgt4z8oO0TehEr7:g397zEEmPLSOdNze05gUgmz8oO0TOW
                                                                                                                                                                                                                          MD5:3404DD2B0E63D9418F755430336C7164
                                                                                                                                                                                                                          SHA1:0D7D8540FDC056BB741D9BAF2DC7A931C517C471
                                                                                                                                                                                                                          SHA-256:0D3FCA7584613EB1A38BAF971A7DD94F70803FC130135885EC675E83D16A4889
                                                                                                                                                                                                                          SHA-512:685D63633DB8A57D84225C2B92C92016E1CE98BA2BF8D3DDACE2EB120B3BCF84C718787D59DB6EC61F34CF91CB651500B4E4FF0AC37AEB89561CDCC586946C80
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1017158
                                                                                                                                                                                                                          Entropy (8bit):7.951759131641406
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24576:m3Tl5zLmmibkFR8+mZRUumegvQtc05UwvdAbatzk6edhOLoe9:m3Tl53mNbkFRJmHURhQW05JvdlzkjrOH
                                                                                                                                                                                                                          MD5:3FBF52922588A52245DC927BCC36DBB3
                                                                                                                                                                                                                          SHA1:EF3C463C707A919876BF17C3E1CD05C0D2C28CA9
                                                                                                                                                                                                                          SHA-256:C6FE346106C5E4950161ED72EB0A81FE3537A94E4A59461AAF54E750D1904F76
                                                                                                                                                                                                                          SHA-512:682EB6D61B564C878FDB971A6439FCDA9F1E108BD021A32E8990B68B1338986A4866A0965DEA62567501C8826D43CEBF2B7C8BE8323DE415A75E8D89A9D592E7
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1174528
Entropy (8bit): 6.475826085865088
Encrypted: false
SSDEEP: 24576:I3lp87thPKuxyj+tWF8lCwOvzr90p5OM3:FauY+tWF8b5OM3
MD5: 207AC4BE98A6A5A72BE027E0A9904462
SHA1: D58D2C70EA0656D81C627D424F8F4EFCCEF57C86
SHA-256: 2BA904DA93ACC4766639E7018AC93CC32AA685DB475F3A59B464C6BC8B981457
SHA-512: BFB6C58774829DB3D5FADC92CB51477FF4EAC8FB934DB6583A312BB1157468F6DD3A4A3AFAF25A687B74890DC8A69857A12D0B38B18D83E82836E92E02046FF3
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....v...p......P.....................................................@A........................vT......AX..<.......x...........................<<.......................;......(...............<[.......O.......................text....u.......v.................. ..`.rdata..\............z..............@..@.data...H...........................@....00cfg...............F..............@..@.crthunk.............H..............@..@.tls.................J..............@...CPADinfo(............L..............@...malloc_h.............N.............. ..`.rsrc...x............P..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2106216
Entropy (8bit): 6.4563314852745375
Encrypted: false
SSDEEP: 49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
MD5: 1C9B45E87528B8BB8CFA884EA0099A85
SHA1: 98BE17E1D324790A5B206E1EA1CC4E64FBE21240
SHA-256: 2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
SHA-512: B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.h...;...;...;..];...;...;...;.._;...;..h;0..;..i;'..;..X;...;..l;D..;?M.;...;..Y;...;..^;...;Rich...;........PE..L...92.K...........!.........d...............................................p .....O. ...@.........................@.......@...P..................... .h............................................i..@............................................text...S........................... ..`.data....~.......B..................@....rsrc................(..............@..@.reloc..D............,..............@..B................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4127200
Entropy (8bit): 6.577665867424953
Encrypted: false
SSDEEP: 49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd
MD5: 3B4647BCB9FEB591C2C05D1A606ED988
SHA1: B42C59F96FB069FD49009DFD94550A7764E6C97C
SHA-256: 35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
SHA-512: 00CD443B36F53985212AC43B44F56C18BF70E25119BBF9C59D05E2358FF45254B957F1EC63FC70FB57B1726FD8F76CCFAD8103C67454B817A4F183F9122E3F50
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!7P.OdP.OdP.Od..NeR.OdP.Nd..OdY..dU.Od.Jem.Od.KeQ.Od...dQ.Od..Leo.Od..Je..Od..OeQ.Od..Ge..Od..Kec.Od...dQ.Od..MeQ.OdRichP.Od................PE..L..................!.....2<..*...............P<...............................?.......?...@A.........................<<.u.....=.P.....=.@.............>..%....=.........T....................u..........@.............=..............................text...e0<......2<................. ..`.data...`"...P<......6<.............@....idata........=.......<.............@..@.rsrc...@.....=.......<.............@..@.reloc........=.......<.............@..B........................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 2205743
Entropy (8bit): 7.923318114432295
Encrypted: false
SSDEEP: 49152:qHlbrhXKMVp/DVegxF2Xe1WFG4F3KMWB7rwz3yY+23:qFnhXKwggr0cWEgaMi7rwrw23
MD5: 54D4E14BFF05C268248CAB2EEDFB61DD
SHA1: 33AF472176F6E5FB821FFE23C9FBCCC7C735B5B9
SHA-256: 2CAC401BFFA9FD4DFFE11E05EE18FC5CA7A30EC5BF7EF6A3EA8518A4F3344790
SHA-512: 5A6893E7EA30EAA0EFF44687B0D15366A8224E476E4AE8FE0D5C7EF2B3C62E6B0184F73EAD36C4E4E08D6936524CEF8429660B3EC29453EED128E3C5368CE78C
Malicious: false
Reputation: unknown
Preview: ........K....[.....[.....[.....[Y....[.....[.....[.....[.....[P ...[.!...[."...[.#...[.$...[.%...[.%...[T&...[0'...[/(...[.(...[.(...[.*...[.+...[{,...[1-...[.-...[3....[b/...[.0...[.1...[.2...[.3...[,4...[.4...[P5...[.5...[#6...[!8...[.8...[.9...[.9...[::...[q;...[Y=...[.=...[ ?...[.@...[0A...[iB...[?D...[.E...[pE...[UF...[.G...[.H...[)I...[.I...[.M...[.M...[DN...[.N...[FO...[.O...[.Q...[oV...[uW...[cX...[[\...[.]...[Ea...[bc...[.c...[ d...[.d...[oe...[.f...[.h...[.i...[Xj...[.k...[.l...[An...[.o...[.p...[.....[....[.....[.....[.....[.....[[!...[.%...[d....[x1...[.4...[.4...[.9...[.C...[.Q...[KS...[#V...[=]...\.b...\.z...\Q}...\.....\.....\*....\`....\.^...\7b...\uy...\g....\.....\.....\=....\....\....\....\'....\.....\....\.... \....!\...."\....$\....%\....&\....)\....*\....+\.Q..,\.S..-\.U...\..../\w...0\....1\8...2\....3\....4\....5\....6\....7\.T..8\.z..9\6...:\....;\c...<\)&..=\.*..>\>5..?\JU..@\.r..A\....B\9...C\....D\S...E\....F\\y..G\Y...H\%...I\....J\M...K\.a..L\.j..M\.n

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 10717392
Entropy (8bit): 6.282534560973548
Encrypted: false
SSDEEP:
MD5: E0F1AD85C0933ECCE2E003A2C59AE726
SHA1: A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
SHA-256: F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
SHA-512: 714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
Malicious: false
Reputation: unknown
Preview: ...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW*..K..P.*..L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 377856
Entropy (8bit): 6.602916265542373
Encrypted: false
SSDEEP:
MD5: 8BC03B20348D4FEBE6AEDAA32AFBBF47
SHA1: B1843C83808D9C8FBA32181CD3A033C66648C685
SHA-256: CBEE7AC19C7DCCCA15581BD5C6AD037A35820DDFE7C64E50792292F3F2E391E6
SHA-512: 3F9EEC2C75D2A2684C5B278A47FB0E78B57F4F11591FAC4F61DE929F716BBAA8F7DF05E10390408AD6628538611541548C26869822372E9C38D2C9C43881651E
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....`...`............................................... ............@A........................8,..h....:..(.......x........................>..........................D........p..............(<..`............................text....^.......`.................. ..`.rdata..L....p.......d..............@..@.data....4...p.......`..............@....00cfg...............|..............@..@.tls.................~..............@....rsrc...x...........................@..@.reloc...>.......>..................@..B................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6635008
Entropy (8bit): 6.832077162910607
Encrypted: false
SSDEEP:
MD5: 63988D35D7AB96823B5403BE3C110F7F
SHA1: 8CC4D3F4D2F1A2285535706961A26D02595AF55C
SHA-256: E03606B05EEAED4D567EA0412350721C0D566B3096B18C23BD0B3FCDE239E45A
SHA-512: D5F5ACA00BE9E875FCD61531CC7F04F520FB12999E36E4FE06BEAAE491B47D2E9FE182015DB1CBFBB8E78CF679F2EB49E20ECDF1B16D1D42058D6F2D91BC3359
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!......L...........@.......................................e...........@A.........................].......^.d.....a.......................a.."...U]......................T].....X.L.............H.^.@.....].@....................text.....L.......L................. ..`.rdata...I....L..J....L.............@..@.data...X....._.......^.............@....00cfg........a.......a.............@..@.tls..........a.......a.............@....rsrc.........a.......a.............@..@.reloc..."....a..$....a.............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):176517632
                                                                                                                                                                                                                          Entropy (8bit):7.025874989859836
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:F5259CC7721CA2BCC8AC97B76B1D3C7A
                                                                                                                                                                                                                          SHA1:C2FC0C8396D8CD6764809A2A592972E2EBCA64BA
                                                                                                                                                                                                                          SHA-256:3FE6A262EF01CB8FD4DC2D4373DE0F1F0A89EE51953452ED4557CB55F1DA9AB4
                                                                                                                                                                                                                          SHA-512:2D01B1F2B24717EFF37965BBC32D167434A65F3DFFF74342D2E2FA8FBB0E97C3F61FDF673A13AD63031D630D9CE46A6F9F0C4F89EBD30C31F3EA55817B9D1331
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.........N.......k....................................................@A........................#..........h....0J.(C....................L.|.\.P................................?..............`.......LY..@....................text............................... ..`.rdata...%2..0...&2.................@..@.data...dr+..`.......>..............@....00cfg........I.......&.............@..@.rodata.@.....I.......&............. ..`.tls..........J.......&.............@...CPADinfo(.....J.......&.............@...malloc_h..... J.......&............. ..`.rsrc...(C...0J..D....&.............@..@.reloc..|.\...L..0\..B).............@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:current ar archive
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):40258
                                                                                                                                                                                                                          Entropy (8bit):4.547436244061504
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:310744A0E10BD9C2C6F50C525E4447F9
                                                                                                                                                                                                                          SHA1:9BA62D6AC2CB8EFF46C9B21051677FC1DC66D718
                                                                                                                                                                                                                          SHA-256:E9C55CFF925E26812139CDCAD6612E0D69E317CB7BB1435C9EB5113D338ACCE7
                                                                                                                                                                                                                          SHA-512:6DF9E3F9AFD7CDEC750B006987E5AEC445E163DD0B9CF1A9EA53F78DB2EE5FD654E3B4F82BCA3E1F4BEDB189F5DFA51189C820905676AD048DBE2E0AD405BF5B
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:!<arch>./ 0 0 0 0 14390 `.......8z..:&..:...;...;...<&..<&..<...<...=...=...=...=...>...>...>...>...>...>...?f..?f..?...?...@B..@B..@...@...A$..A$..A...A...B"..B"..B...B...C...C...C...C...D...D...D...D...D...D...E...E...E...E...Fn..Fn..F...F...GZ..GZ..G...G...HJ..HJ..H...H...I$..I$..I...I...J...J...J...J...K ..K ..K...K...L...L...L...L...M...M...M...M...N...N...N|..N|..N...N...Od..Od..O...O...P`..P`..P...P...QP..QP..Q...Q...RT..RT..R...R...S@..S@..S...S...T...T...T...T...U...U...Un..Un..U...U...VP..VP..V...V...W,..W,..W...W...X...X...X...X...X...X...Y\..Y\..Y...Y...ZB..ZB..Z...Z...[,..[,..[...[...\...\...\...\...\...\...]b..]b..]...]...^N..^N..^...^..._6.._6.._..._...`$..`$..`...`...a...a...a...a...b...b...b...b...c...c...c...c...c...c...dj..dj..d...d...e^..e^..e...e...fV..fV..f...f...g8..g8..g...g...h*..h*..h...h...i"..i"..i...i...j...j...j...j...k...k...k...k...l...l...l...l...l...l...mh..mh..m...m...nN..nN..n...n...o2..o2..o...o...p...p...p.
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):470498
                                                                                                                                                                                                                          Entropy (8bit):5.409080468053459
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:64F46DC20A140F2FA3D4677E7CD85DD1
                                                                                                                                                                                                                          SHA1:5A4102E3E34C1360F833507A48E61DFD31707377
                                                                                                                                                                                                                          SHA-256:BA5CA0A98E873799A20FD0DF39FDB55AAB140E3CC6021E0B597C04CCE534246D
                                                                                                                                                                                                                          SHA-512:F7D789427316595764C99B00AF0EF1861204F74B33F9FAB0450F670CB56290C92BFB06EF7D1D3B3BF0B6ACDC6295E77F842C49579BD9973E3D5805920CDB2527
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........$$..e.>...h.F...i.N...j.Z...k.i...l.t...n.|...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.........................&...........5.....<.....C.....D.....E.....J.....W.....f.....w.................x.................A.......................S.........................................%.....{.......................V.......................J.......................Y.......................e.......................a.......................l...................................O.....f.......................).....z.......................6.....u.......................Q.......................E.....w.................!.....I.....R.............................l.......................f.................+.............................f.......................D.......................<......................._.......................2.....~.................2.....v.................X...........$.....8.................P.....r...........6.....j.....}.................1.....?...................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):763010
                                                                                                                                                                                                                          Entropy (8bit):4.909167677028143
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:3B0D0F3EC195A0796A6E2FAB0C282BFB
                                                                                                                                                                                                                          SHA1:6FCFCD102DE06A0095584A0186BD307AA49E49BD
                                                                                                                                                                                                                          SHA-256:F9F620F599BC00E84A9826948C3DA985AC9ADB7A6FFB4C6E4FBEFEAF6A94CF85
                                                                                                                                                                                                                          SHA-512:CA9217F22C52EF44E4F25142D1AD5DD9D16E4CCC3B6641609E1F4C2650944E35BA4CAB59CA5CD9EA6FEFD6BE1D3E8227FC0E3E6BDEDD14B059CA2C72D096D836
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........>${.e.r...h.z...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.(...|.....}.@.....H.....M.....U.....].....e.....l.....s.....z.....{.....|...............................................F.....f.....'...........V...........Y.............................5.................F.................!.................d.....z...............................................C...........\.................z...........h...........3...........$.....C.................e.................i.................,.......................X.............................h.......................!.....|...........$.............................1.....}.........................................Z.................|...........'.....N...........F.................;.............................G.................v............ ....4 ..... ....X!.....!.....!....x"....."....Z#.....#....M$.....%.....%.....%.....&....+'.....'.....'.....(....D).....).....)....2*.....*.....*.....*.....+....",.....,
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):838413
                                                                                                                                                                                                                          Entropy (8bit):4.920788245468804
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:C70B71B05A8CA5B8243C951B96D67453
                                                                                                                                                                                                                          SHA1:DEED73A89F0B3EDAB8FF74117CC6B31CB4F426E8
                                                                                                                                                                                                                          SHA-256:5E0D4BC0893A334B6FFF610F66E4A00920530D73EC3257EB9D37A96EBD555C13
                                                                                                                                                                                                                          SHA-512:E000FD3592AC5FE700C4CE117868915C066AC66D5954A1DE4F5AFF0F4559C93F7DFF47623F1837CE827FFF94E91ECD89A974037BE9CCCC8E672E229A1E8115E9
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........#..e.....h.....i.....j.....k.....l.!...n.)...o.....p.;...q.A...r.M...s.^...t.g...v.|...w.....y.....z.....|.....}.........................................................................-.....d.................n...........A...........u.......................O.......................D.................Y...........3.....J...........=.....g.....~.....&.................O.......................B.....!...........u...........5...........).....W.................3.....N.....U.....B...........!.........../.....Y........... .......................g...........).....I.................#.....A...........@.................6........... .....D...........I.................%.............................=.................?...................................G...................................).....t............ ..... ..... ..... ....o!.....!....6"....\"....."....S#.....#.....#.....$.....%....V&.....&....5'.....'.....(....J(.....(....X).....).....).....*....z*.....*.....*....t+.....,....{,.....,....--
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):869469
                                                                                                                                                                                                                          Entropy (8bit):4.677916300869337
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:12A9400F521EC1D3975257B2061F5790
                                                                                                                                                                                                                          SHA1:100EA691E0C53B240C72EAEC15C84A686E808067
                                                                                                                                                                                                                          SHA-256:B7FD85B33B69D7B50F6C3FDC4D48070E8D853C255F2711EEDAA40D1BA835F993
                                                                                                                                                                                                                          SHA-512:31EAA1CBF13BC711750B257C6B75813ACC8E4E04E9262815E399A88B96BA7B5BE64CE2450638B5521D5CB36750C64848944168C3234D2CE15A7E3E844A1E1667
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}................... .....(.....0.....7.....>.....E.....F.....G.....L.....n...................................I...........Q...........q.......................T.................E.......................7.....~...........<.................:.....&...........F.................X...........$.................Z...........X...........m.................C.........................................{...........:.....a...................................8................._...........O.....}...................................$.....h.........................................2.............................3 ....e .....!.....!.....!.....".....".....#....W#.....#....{$....-%.....%.....%.....&....k'.....'....T(.....).....).....).....).....*....`+.....+.....+.....,....p-.....-....&....../...../.....0.....0.....1....o2.....2....73.....4.....4.....4....-5.....5....X6.....6.....6.....7.....8.....9
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1118348
Entropy (8bit):4.2989199535081895
Encrypted:false
SSDEEP:
MD5:89A24AF99D5592AB8964B701F13E1706
SHA1:2177122C6DCC20E1D07EF43AF5A112E8E5C6B95B
SHA-256:5BDBBCD0D07B6AE3A7F96F07871EE541F4111D90D73FD6E112C5ABE040025C96
SHA-512:60F6CD73BF35886EF54FA6200F86BCED78DD11F612C8071F63EB31108F109C166D45609879E8E5107024A025BAFCFCF1C80051B6D8FF650D92DCF17136384EB1
Malicious:false
Reputation:unknown
Preview:........($..e.F...h.N...i._...j.k...k.z...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.......#.....(.....0.....8.....=.....E.....L.....S.....Z.....[.....\.....a.............................=.....G...........?.....4...........................................................B.....}.....>...........k...........X...........].............................q.....W...................................W...........S...........e.............................I.....m.....e..........._.....(.................9...........q.................p...........5.....X.....8...........Q...........M...........I.....u.....-...........!.....G............ ..... ..... .....!....P".....".....".....#.....%.....%.....&.....'.....'....^(.....(....;).....).....*....6*.....+.....+....1,....],....E-................-/...../....x0.....0.....0.....1.....2.....2.....3...."4.....4....x5.....5.....6....78....*9....]9.....:.....;....;<.....<.....=....?>.....>.....>.....?....y@.....@.... A....&B.....B

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):537139
Entropy (8bit):5.397688491907634
Encrypted:false
SSDEEP:
MD5:37B54705BD9620E69E7E9305CDFAC7AB
SHA1:D9059289D5A4CAB287F1F877470605ED6BBDA2C8
SHA-256:98B2B599C57675EFC1456B38B23CE5657B142E0547F89AB1530870652C8EB4BA
SHA-512:42D667FEB59BB5FA619AC43DC94629ED1157CBE602643FB21378A2C524EF1F6E32098E7C62D3F3DE35D9FEDEF6607FE034908601AE3C49156CD0916E2514D2F9
Malicious:false
Reputation:unknown
Preview:........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}................... .....(.....0.....7.....>.....E.....F.....G.....I.....c.....|................._...........[.....z...........O.................D...........(.....G.................B....._.................A.....T.................8.....I...........3.....u...........(.......................p.................,.......................1.................T.....o.............................v.......................b.......................@.......................@.......................O.......................<.............................`.......................P.........................................M.......................H......................._.........................................n.......................Q.......................[.............................1.................>.........................................6.............................|...........".....>.

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):545011
Entropy (8bit):5.844949195905198
Encrypted:false
SSDEEP:
MD5:65A2C2A73232AB1073E44E0FB6310A5F
SHA1:F3158AA527538819C93F57E2C778198A94416C98
SHA-256:E9A1610AFFCA9F69CD651C8D2EDD71B5A0F82CB3910A8A9D783F68E701DB5BB0
SHA-512:20ED527F3BBBA2CECE03D7B251B19D6DCC9D345B5425291D8139FCDD5646EC34D585891160CC4BD96C668D18FFFFDD56F4D159880CFC0D538749F429F7F65512
Malicious:false
Reputation:unknown
Preview:.........$..e.....h.&...i.....j.:...k.I...l.T...n.\...o.a...p.n...q.t...r.....s.....t.....v.....w.....y.....z.....|.....}.................................................#.....$.....%.....'.....7.....I.....[.....p.............................|.................%...........(.........................................3......................./.......................2.......................z...........I.....k...........R.......................v................./.......................z...........=.....W.................&.....=....................... .....o.......................^.......................r.......................m.......................b.......................z.................0...........%.....i.......................3.....G.......................(.......................1.................R................./.....J.....^...........A.....q.................`.................,...................................V.....w...........Z.......................O.....t.................b.......

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):496165
Entropy (8bit):5.446061543230436
Encrypted:false
SSDEEP:
MD5:A44EC6AAA456A6129FD820CA75E968BE
SHA1:9B5B17AFD57ADB8513D2DA9A72223E8A003975A5
SHA-256:F01F9C3E4E6204425F2969F77BF6241D1111CE86CDD169BDF27E5D2D4B86C91A
SHA-512:947DB81EA64009CC301CD2DCE06384202E56446F6D75E62390334B91D09B564CB0681E06BF7A945033BD6C28C2171346A91EE16693262C4E373A31B51AD42A9E
Malicious:false
Reputation:unknown
Preview:........,$..e.N...h.V...i.g...j.s...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.".....*...../.....7.....?.....G.....N.....U.....\.....].....^.....`.....n.....~.........................................Q.............................*.....q.................].......................P.....w.................8.....b.....p...........9.....h.................n.................7.......................^............................. .....p...................................q.......................X.......................1...............................................".............................{.......................Z.......................C.....p.....~...........y.................4.............................l.......................I.....f.....v...........^.................................................................F.......................B...................................O.....~...........J.....z.................$.....@.....M.................F.

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):534726
Entropy (8bit):5.49306456316532
Encrypted:false
SSDEEP:
MD5:49CA708EBB7A4913C36F7461F094886B
SHA1:13A6B5E8DC8B4DF7A976A0859684DC0AA70F1B12
SHA-256:8AE7D6B77C51A4FE67459860ABDAE463F10766FAF2BA54F2BB85FD9E859D2324
SHA-512:6908F96BFDF7499B33E76697AA96103E89ACB3E25EDBD6156B610564AF14D4ED474C547A760503490B6327A801478E223039836BEEF2B938AF76827A15C0F751
Malicious:false
Reputation:unknown
Preview:.........#..e.~...h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.%...y.+...z.:...|.@...}.R.....Z....._.....g.....o.....w.....~.................................................................X.................E...................................^.....x...........n................./.......................Z...................................U.....w.............................h...........&.....7...........9.....w........... ................. ..........._.................D.......................U.......................h...................................a.....x...........f.........................................F.......................u...........).....;...........j.................A.......................;.......................9.......................t...........,.....`...........-.....K.....b...........G.....s.................}.................T...........,.....6...........S................./.......................K.......................t...........*.

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):950999
Entropy (8bit):4.76377388695373
Encrypted:false
SSDEEP:
MD5:9CBC320E39CFF7C29F61BD367C0BF3BB
SHA1:2AF07EFFF54A0CF916CF1C0A657F7B7ADF2029FF
SHA-256:E8837DEFA908EB2FD8B4EB6344412C93403A4258F75EC63A69547EB06A8E53B3
SHA-512:F7D84185F4520E7AAF3F3CACF38B53E9638BB7D5023FA244020EC8D141FFD5C10B198FF089824D69671FE8350F931B0BB19B6CAF14AF47B0838953367A146DD0
Malicious:false
Reputation:unknown
Preview:........)$..e.H...h.P...i.X...j.b...k.q...l.|...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...................&...........6.....=.....D.....K.....L.....M.....O.....v.......................5...................................V.................h...........F.....i...........~...........{...........a...........'.................&.......................M.....U.....O............................./.....J.....1..........._...........{.....6................. .............................g.......................<.................J...........8.....t.....O.....).......................U............................................................ ..... .....!.....!.....".....#.....$.....$.....$.....%....|&.....&.....'.....'....;(....t(.....(....M).....)....;*....h*....U+.....,.....,.....,.....-....8.....t...........f/....(0.....0.....0.....1....S2.....2.....3....64....Q5.....6....@6....A7....(8.....8.....8.....9.....:....o;.....;....[<....%=.....=.....=.....>.....?....6@

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):430665
Entropy (8bit):5.517246002357965
Encrypted:false
SSDEEP:
MD5:0F1E2BC597771A8DB11D1D3AC59B84F3
SHA1:C1F782C550AC733852C6BED9AD62AB79FC004049
SHA-256:E4798E5FF84069C3BFD7D64734CCD9FF5C8A606315B44A714ACDCABDDAF3CA6E
SHA-512:07E9B98357C880995576059AD4E91E0F145DC0F2FFF2DFDAD8649FA42EB46FA86F7F093503C41019EAD4550784E26C553D171518355FBBF995E38B1F6D7ABFF0
Malicious:false
Reputation:unknown
Preview:.........$ .e.(...h.0...i.>...j.J...k.Y...l.d...n.l...o.q...p.~...q.....r.....s.....t.....v.....w.....y.....z.....|.....}.....................................%.....,.....3.....4.....5.....:.....G.....V.....f.....w...........J.......................H.....y.................I.......................@.....o.......................?.....M............................._.......................B.......................8.............................[.......................*.....V.....a...........*.....l............................. .....^.............................A.....b.....n.................H.....[.......................+.....t.......................5.....y.......................:.....c.....n...........'.....d.....y.................).....?.............................G.............................].......................4.....O.....^.................6.....F.................#.....;.................V.....d...........$.....[.....x.................F.....U.............................k.............
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
Size (bytes):434598
Entropy (8bit):5.509004494756697
Encrypted:false
SSDEEP:
MD5:FEAB603B4C7520CCFA84D48B243B1EC0
SHA1:E04138F1C2928D8EECE6037025B4DA2995F13CB4
SHA-256:C5B8FBDBB26F390A921DCACC546715F5CC5021CD7C132FD77D8A1562758F21F4
SHA-512:E6B3970A46D87BFD59E23743B624DA8116D0E1A9912D014557C38FD2664F513E56317AFA536DF52E7E703863FBD92136BE57EE759A2FFC2958AB028F6287E8B7
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):524728
Entropy (8bit):5.377464936206393
Encrypted:false
SSDEEP:
MD5:32A59B6D9C8CA99FBD77CAA2F586509A
SHA1:7E8356D940D4D4CC2E673460483656915AA59893
SHA-256:AA4A5AA83DD5F8476867005844F54664DB1F5464A855EF47EC3A821DAF08E8F2
SHA-512:860BA06228BBA31EEC7EB8BD437DDB6E93BABD0129033FB6EFF168F2FB01B54E2B93D2AB50A5D4F5D2FB7B04A5D0DD5541999D708CC2613B74AADD17B3E98735
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):523181
Entropy (8bit):5.356449408331279
Encrypted:false
SSDEEP:
MD5:3D1720FE1D801D54420438A54CBE1547
SHA1:8B1B0735AE0E473858C59C54111697609831D65A
SHA-256:AE32D66C0329104B9624BA0811FE79149D1680D28299440EC85835DBA41C7BD2
SHA-512:C033BBB5261EC114DCB076EDB5E4B3293F37D60C813674A947F996606A6289204C04D2E4315356D92EEEB43FF41D534997DBEBBF960B17F2F24AA731AFE4B7E1
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):475733
Entropy (8bit):5.456553040437113
Encrypted:false
SSDEEP:
MD5:C00D66D3FD4FD9D777949E2F115F11FB
SHA1:A8EAAD96CABCDFB7987AF56CB53FA5E16143EC48
SHA-256:26C438935E3F666329EE8D1DABA66B39179BCF26EBAC902F9B957A784BDC9B4A
SHA-512:E7E8C083B556DD05874AC669B58A4D1CD05D1E1B771EB4C32942869E387C6FA2B317B5F489138BD90135117DAEB051D96A7823B531DF0303BD4245A036F25A20
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):773397
Entropy (8bit):5.04618630633187
Encrypted:false
SSDEEP:
MD5:C998140F7970B81117B073A87430A748
SHA1:8A6662C3AABDAC68083A4D00862205689008110C
SHA-256:182F18E4EFCA13CA59AFD1DF2A49B09733449D42526EE4700B11A9C5E6AAC357
SHA-512:5A947A44F674F9556FDD44D2E4FF8CF0E0AAC4475FFA12480CA1BD07CFE7514961B7CACE6760189432B4B4BEB5EA5816701158EB3CB827A806F3063853C46D5E
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):483378
Entropy (8bit):5.428549632880935
Encrypted:false
SSDEEP:
MD5:1CFD31A6B740D95E4D5D53432743EBF1
SHA1:20CEEEA204150BD2F7AAE5866C09A3B0AE72D4C5
SHA-256:F821E06B4BACD9E7660A2D6912A049591FFD56C6D2A0A29B914648589B17B615
SHA-512:C483B7347F91BE8EE515DCF352A1D7502B9A159EDE35EACCEBAA763B93A625BCE2D0C7D598C2A6111092257D6DAC7A167102E956697210D4694B9812D70C8A94
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):546749
Entropy (8bit):5.197094281578282
Encrypted:false
SSDEEP:
MD5:6EDA0CD3C7D513AAB9856EC504C7D16F
SHA1:BA24C4B994E7866F2C012CCEC6C22DFC1A4FCFF6
SHA-256:3CD2BC9E887663C5E093E0334BC60CF684655A815E3DE7AD9A34BAD5EBB858B1
SHA-512:47000F5EA882CB9EDDCF4FB42ED229423EE55AA18B4A4353D7EF85ADFA7E1B0BBB33C2469887224D7146B3E33FB2296749CD053D68D7DAF26980BC710A27C63E
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):568277
Entropy (8bit):5.380723339968972
Encrypted:false
SSDEEP:
MD5:D185162DF4CAC9DCE7D70926099D1CF1
SHA1:46594ADB3FC06A090675CA48FFA943E299874BBD
SHA-256:E40C07183A32B75930242F166C5AAE28F4CD769BB2268391BEAA241814E7D45A
SHA-512:987D9CC6AD5F2ED6A87537FDADF105F6EB31A97B11156E70814FE021047E5D8D08398F008812038DF3CCDCB6254BF5B744D9982FE04F79D407AC2F53BB046E25
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                          Preview:.........$..e. ...h.(...i.9...j.E...k.T...l._...n.g...o.l...p.y...q.....r.....s.....t.....v.....w.....y.....z.....|.....}..................................... .....'.........../.....0.....2.....B.....P.....b.....q.................6.....X...........?.................'.................(.................W.................4.....`.....p...........D.........................................{...........(.....L...........*.....i.....{...........S.........................................}...........i.................N.......................H.....r.................N.......................f.......................}.......................x.......................e.......................d.................+.................&.......................8.....~.......................k.................0...........;.......................f.........................................d.................6...........4................."...................................R.....k.................G.....[...........G.......
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1103776
                                                                                                                                                                                                                          Entropy (8bit):4.336526106451521
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:44F704DB17F0203FA5195DC4572C946C
                                                                                                                                                                                                                          SHA1:205CBCC20ADCCCF40E80AA53272FBA8CD07389CA
                                                                                                                                                                                                                          SHA-256:4B073F08F0C8C035974B5EC43AA500F8BDD50E6CFE91A2FB972A39E0F15ECEDD
                                                                                                                                                                                                                          SHA-512:3CFD4501556845141EE9B461C831CA59779AD99F0E83E8D03433DE78D774378E87DE752DD9711C112A0C584259AD1DA6DC891D92F3F447F63A4D84263CD5BFCE
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........4$..e.^...h.f...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.#...|.)...}.;.....C.....H.....P.....X.....`.....g.....n.....u.....v.....w.....|.......................&.....b....._.....0.....l....._..... ...............................................a.......................G.................r...........\.....|....._...........z.......................V...........n.....B...................................7.....4...../.......................".......................4.....p...........P...........E.....m.......................................................................'...........}.......................C.................j .....!....u!.....!.....".....#....\$.....$....K%.....%....R&....{&.....'.....'.....'.....'.....(....b).....).....*....'+.....+....t,.....,.....-....9.....|............/....W0.....0.....0.....1.....2....33....f3.....4.....5.....6.....6.....7.....8....<9.....9....|:....H;.....;.....;.....<....s=.....=.....=.....?.....?.....@
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):681555
                                                                                                                                                                                                                          Entropy (8bit):4.658620623200349
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:E75086A24ECAA25CD18D547AB041C65A
                                                                                                                                                                                                                          SHA1:C88CE46E6321E4A21032308DFD72C272FB267DBD
                                                                                                                                                                                                                          SHA-256:55BE8A5ED9FB9C129AC45B7FC99574B9907350AFD024BAA5D07525F43E995F6B
                                                                                                                                                                                                                          SHA-512:01D7FDD90B8D0D3779B8442250E2AA767481B2E581F880BF9C3DCBB15FCE52E477B1881F3704FBCB3172DB77DB10241BCB24851BFE30066D1E9B66244B3C6877
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........$..e.....h.....i.....j.'...k.6...l.A...n.I...o.N...p.[...q.a...r.m...s.~...t.....v.....w.....y.....z.....|.....}.........................................................................+.....D.....].....z.....?...........~...........).............................O.................T...........#.....E...........:.......................w.................W................./...........F.................V...........5.....T...........K.................3.............................o...................................E.........../.....a.....t.............................z...........,.....?...........5.....v.................q.................5.......................r.................1...........X.................I.......................y.................$.................k...........).................!.......................#.................7.....P...........e.......................e.............................w...........W ..... ....$!....K!.....!....7"....g"....."....@#.....#....-$
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1167065
                                                                                                                                                                                                                          Entropy (8bit):4.308980564019689
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:1FF8A0B82218A956D2701A5E4BFA84EF
                                                                                                                                                                                                                          SHA1:56BB8218963E14ADCC435F2455891F3A0453D053
                                                                                                                                                                                                                          SHA-256:62E7C3ABC317931723BE11ADD3712DD15EAAB0A35A4D8E7DB0B6347104EC5733
                                                                                                                                                                                                                          SHA-512:3330D983401953AA5ED4856A8D10FFCBEEFC2A4E594CF850566A0AD38837BC1164870BB1270B6BBE5D7DD6FB1ECA29CDE85869A5C51808B901CDC282E04764E4
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........#..e.....h.....i.....j.....k.....l.%...n.-...o.2...p.?...q.E...r.Q...s.b...t.k...v.....w.....y.....z.....|.....}...............................................................................?.....j.............................................../.....j.........................................N.....}.....P...........^...........F...........A.....d.....K...........N.............................L.....&...........V...........f...................................L.....~.................{.................A.................y.....*.....}...........;...................................*.....[.................,.....K...................................j ..... ..... .....!....J".....".....".....#.....$....T%.....%....@&.....&....8'....d'.....'.....(.....(.....(.....)....6*.....*.....*.....+.....,.....-....c-......................%/.....0.....0.....1.....1.....2....i3.....4....B4.....5.....6.....7.....7.....9.....9....S:.....:.....;.....<....F=.....=.....>....N?.....?.....@.....@.....A....LB
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):526575
                                                                                                                                                                                                                          Entropy (8bit):5.518614920030561
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:0BD2F9847C151F9A6FC0D59A0074770C
                                                                                                                                                                                                                          SHA1:EA5313A194E9D99489E9F1D7B4DFC0BC986C8E17
                                                                                                                                                                                                                          SHA-256:5F2F1AA2E2EC78F375084A9C35275E84692EE68A1E87BBEF5A12A2C0FCF7F37A
                                                                                                                                                                                                                          SHA-512:0032C0B41FDF769DAA1AF23C443D4195B127DF9EA8621174F1AABDBAFAE4954383095FA1EEAD14FC458188B8837BBE9AECA0D5338E4D47F10D976FBED8609496
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........F$s.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.)...y./...z.>...|.D...}.V.....^.....c.....k.....s.....{.................................................................k...........Y.....z...........F.....~...................................e.......................y.......................m.......................l................. .................q................._.........................................A.............................4.......................j.......................D.....f.....w.................*.....:.................4.....I.................&.....5.................8.....M................. .....0.........................................S.....n.................0.....M.......................3....................... .................E.....v...........!.....F.....\...........).....[.....t...........U.................M...........(.....:...........".....`.................G.....v.................$.....B.....T...........0.....n.
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):566819
                                                                                                                                                                                                                          Entropy (8bit):5.6387082185760935
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:4C27A1C79AB9A058C0A7DFFD22134AFD
                                                                                                                                                                                                                          SHA1:5F0A1B34E808B91ADB1E431E462D9FCF82F4FFF2
                                                                                                                                                                                                                          SHA-256:AD98C0A367B51EB217E69D66FA6A946946E85EC8452FC5A7AE0F179F35BE28C3
                                                                                                                                                                                                                          SHA-512:0F066DB5905EB24B6CB4FBC7C81F017B43AFB7A6E975886644D871E979406B990509905D100653496EE2D20969A77434B702FF1EA5D348274AE54EA597A91D5E
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........$..e.....h.....i.!...j.+...k.:...l.E...n.M...o.R...p._...q.e...r.q...s.....t.....v.....w.....y.....z.....|.....}.........................................................................+.....A.....V.....j.................9.....W...........N.................*.................*...........".....X.....q...........K.....r.................Y.................?................."...........I.................7.......................k...........'.....7...........:................./.................:.................Z.....w...........O.....v.................f.................5.................(...........2.....u...................................M.................0...........6.....x...................................m.................)................. .....I.................O.....g...........c.................O.......................E.......................r...........'.....H...........v.............................l...........7.........................................5...........& ....q
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):466959
                                                                                                                                                                                                                          Entropy (8bit):5.379636778781472
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:1466C484179769A2263542E943742E59
                                                                                                                                                                                                                          SHA1:18E45A08661FD6D34BADE01CDB1E1D5184BA2B67
                                                                                                                                                                                                                          SHA-256:C331293D16B16B08DEF73BE73437845D58C593941320C547A377DB423749AEBB
                                                                                                                                                                                                                          SHA-512:ABC54D5CAAA663578F064E43CC0465BEB97EFC46991936708EBF3FCD64BD007E47072AB4834A5361B21F064BB0F6527E247BC2C2F0DFB8336F50C2FF3E15A59C
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........ $..e.6...h.>...i.O...j.[...k.j...l.u...n.}...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.........................'...../.....6.....=.....D.....E.....F.....H.....V.....c.....s.................k................. .....l.......................l.................-.......................0.............................R.....s.................I.....x.................T.......................@.....j.....w.................L.....Y.................Z.....m...........H.......................%.....@.....Q.............................c.......................<.......................#.....t.......................L.....x.................%.....R.....^.................>.....K.................5.....G.............................J.......................".....h.......................L.....}.................#.....=.....K.................+.....:.................2.....K...........C.......................u.................,.....|.......................C.....b.....r...........1.....h.
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):522800
                                                                                                                                                                                                                          Entropy (8bit):5.284113957149261
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:7767A70358D0AE6D408FF979DF9B2CD4
                                                                                                                                                                                                                          SHA1:9C57A5B068DC12AAF1591778DEF5D3696377EDAB
                                                                                                                                                                                                                          SHA-256:672908E77E9EACA793654C8E630442099DE3BE772FD3230A9C4045CAFBCC0B1E
                                                                                                                                                                                                                          SHA-512:913AA8C49D04CD84706D08A88453D1ED36FDE6A00F7C1DF63DECEA99316A8A234924457C0C50937329B3979E437B1C2D7796E63ADF209505E212FDCEAE3BFDB5
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):634636
Entropy (8bit):5.718480148171718
Encrypted:false
SSDEEP:
MD5:4A4AF69546DCF65F2D722A574E221BEA
SHA1:EE51613F111CF5B06F5605B629952EFFE0350870
SHA-256:7AD195AF107F2A394BAB527C3E84E08F3B7748076F23459F084CF0E05DD29655
SHA-512:0E93F6B22F7C9176EFC9D49901BFBD281FA5AC3632780DFA76CE597CADD8C1CF570A9163A86BC320BBFBD354F48288DBEC5E36A6088999B00A3561D302A96D03
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1256908
Entropy (8bit):4.247594585839553
Encrypted:false
SSDEEP:
MD5:6A41A5AB03A22BDAEC7985B9A75EC11A
SHA1:6BB02DF557BD6522E02FE026C0243BEB9332B2E5
SHA-256:E22873652AC7D9D18E47DAE838D121B5644EDA4C67F7B0BC110733BF7E931FEA
SHA-512:BCA661D802D29463A847AC77EB8D5DFA41C31455E7314049CA26555957DCA3BE33701C074F7ED26D2C375A0A9C5F8A93461007B8D74F5ED3BD27C02E5DB170A5
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):532715
Entropy (8bit):6.0824169765918725
Encrypted:false
SSDEEP:
MD5:5FD9942F57FFC499481947DB0C3FDFA7
SHA1:4D60AB21305902877467FF6151C1B7AB12553AAE
SHA-256:09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
SHA-512:97953E580588C07769F1BD0002E2DF648FFCE5B246D2359E4475EDCFA1CD6E7286BAF168A115D7A65686B2151C313B6FD0C271E40B1F9DD4132F2F39904FE8D4
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):573015
Entropy (8bit):5.63016577624216
Encrypted:false
SSDEEP:
MD5:8745B87D09D9ECC1112C60F5DD934034
SHA1:2F411E4EEF0E656CAC0C755FECE1AD2531CB689E
SHA-256:D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
SHA-512:27B658C153A01AABB9595C5B1059567E535EDFC8F8187B89316D2C85694DE32696D209CFDD2A32C4826DFB1E50AC692937156563EE190E68DB358C40F9AAE15F
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):570683
Entropy (8bit):5.624052036286866
Encrypted:false
SSDEEP:
MD5:E16B0B814074ACBD3A72AF677AC7BE84
SHA1:10744490B3E40BEB939B3FDCA411075A85A34794
SHA-256:46B5C09AA744AF0F660C79B0CDBDE8C8DBDD40A0BA1A23AAF28D37ECC4211DC5
SHA-512:70EA9DFAC667C0992AE0E95815A47EB8E779BAAE1215E733AFE84EEE26D3BA754AD838C12E9AEE3114D7BBE11CD21B31C550F5CAFE6C5E838B69E54C6174EF18
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1307271
Entropy (8bit):4.279854356980692
Encrypted:false
SSDEEP:
MD5:309E068B4E15157486D095301370B234
SHA1:D962CDAF9361767045A928966F4323EAD22D9B37
SHA-256:4F2C19B7E94B695C5C5CAB95DEE6E49AE53C3337C351B5C665BCB6BA4E6AE909
SHA-512:6B1333946C7950D97D2DF29D063DB39A0EC5C0EEAA1ECA40743E4A6A0E4C972D897D3FF2BA837B53E31B8003F2C5C4BACCB7A4AB4B50C6CB47DF39AD7B8E05E7
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1075591
Entropy (8bit):4.313573412022857
Encrypted:false
SSDEEP:
MD5:69C36C23D6D9841F4362FF3A0F86CFDF
SHA1:C4C1F632EB8373107AEEBD6C26ECF036AEDA2B6B
SHA-256:6A794C2B08F8B046BE771DF33719536BDAF2371E3825D49A0E556958B781832D
SHA-512:8C1329BDB371677BC0A9D727A38591EDF32025BAE1E7EFE402D01C6A8BB5F647D827C59A18F40455D5C9C0482798525C98C3F1C8AC568AA886D7C1ED07D1580E
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):489457
                                                                                                                                                                                                                          Entropy (8bit):5.250540323172458
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:A1253E64F8910162B15B56883798E3C0
                                                                                                                                                                                                                          SHA1:68D402D94D2145704DC3760914BF616CC71FC65D
                                                                                                                                                                                                                          SHA-256:E033BFAD6CD73EA7B001DFAF44B7102E3BBE2A1C418F005C149E4FB2565DB19F
                                                                                                                                                                                                                          SHA-512:ABD63713093049ECC8E24FD8145EAE065340058A3C38758A59EE8796FBED7E6CFBC54982D650889F1CEB54797060C7DDA12EEE2A963B14C5E907A110C2057DBE
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........T$e.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v./...w.<...y.B...z.Q...|.W...}.i.....q.....v.....~........................................................................................._.....{...........:.....n.....~...........\.................#.......................=.......................1.......................3.......................Y.................*.....z.......................W.......................E.......................b.........../.....A.............................N.......................$.....x.......................r.......................z.......................p.......................^.......................Q.......................r.................!.....s.......................S.....w.................6....._.....p.................T.....w.......................#.......................$.................2.....K...........B.......................s.................,.............................P.....r.................0.....].
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):476208
                                                                                                                                                                                                                          Entropy (8bit):5.4272499712806965
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:622ED80836E0EF3F949ED8A379CBE6DF
                                                                                                                                                                                                                          SHA1:9A94CD80E747B88582470EF49B7337B9E5DE6C28
                                                                                                                                                                                                                          SHA-256:560B2F09C1B6E6BB7E6A5A5F9BF85A88BD2ACA054B7D4A5955D9C91B6D7CA67C
                                                                                                                                                                                                                          SHA-512:950627E74180E1451BB35AE4A7416AC14D42D67BBBB59DC51D7B69E4CEB61715F8F9B0EB9D7F35FCEFD4D43FABE5CE2103F1AF3709CAE6733C25AC19E6339A83
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........2$..e.Z...h.b...i.y...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.....}.......................N...........A.....V.................X.....k...........z.................K.......................L.......................:.......................;.......................g................./...........<.........................................R.................1...........Q.......................\.....u.................1.....V.....f.................9.....I.................H.....\.................J.....Z...........".....T.....d.................@.....P.................<.....J...........4.....y.................B.....h.....{...........&.....E.....^.................-.....?...........,.....k.................V.....|.................b.......................i.................&.......................s...........9.....b...........*.....V.....i.................".....0.................).
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):491139
                                                                                                                                                                                                                          Entropy (8bit):5.362822162782947
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:C8378A81039DB6943F97286CC8C629F1
                                                                                                                                                                                                                          SHA1:758D9AB331C394709F097361612C6D44BDE4E8FE
                                                                                                                                                                                                                          SHA-256:318FB294CE025BDA7636B062CA7B6A1FB1E30C485D01856159CB5DB928782818
                                                                                                                                                                                                                          SHA-512:6687FFE4DE0D5A2314743EB3134096292724163D4E0332D2F47922B4807B0CDE7C20E2D57D2662E403D801BC7A20BC247F5D0EDD787AB650E5766B49AF7D3C63
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........$..e.*...h.2...i.C...j.O...k.^...l.i...n.q...o.v...p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................#.....*.....1.....8.....9.....:.....<.....H.....X.....i.....{.............................X.......................|...........4.....J.................M.....d.................8.....G.......................).................8.....Y...........1.....h.................F.....{.................U.........................................\.................4.............................Y.......................-.....~.......................}.......................v.......................V.......................5.....a.....n...........*.....^.....m...........I.......................X.......................>....._.....v...........,.....T.....f...........8.....o.................=.....[.....o...........3.....e.....v...........H.....................................................E.....j...........5.....f.....{.................B.....R.................B.
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):550453
                                                                                                                                                                                                                          Entropy (8bit):5.757462673735937
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:80C5893068C1D6CE9AEF23525ECAD83C
                                                                                                                                                                                                                          SHA1:A2A7ADEE70503771483A2500786BF0D707B3DF6B
                                                                                                                                                                                                                          SHA-256:0069648995532EFD5E8D01CC6F7DD75BD6D072E86C3AE06791088A1A9B6DACC4
                                                                                                                                                                                                                          SHA-512:3D1C41A851E1CF7247539B196AD7D8EE909B4F47C3CFB5BA5166D82CDA1C38049B81A109C23FA6D887490E42EE587CC2A6BD96A3EA890267C089AC74710C755F
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........6$..e.b...h.j...i.{...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.............................X...........S.....o...........=.....w...................................i...............................................z.................$.................1.....W...........M.................*.......................@.......................l...........0.....L...........].................9.....v.......................E.....h.....x.................,.....:.................<.....P.................>.....P.................6.....F.......................-.........................................e.....}.................4.....K.......................;.................+.....@.................a.................+.....I.....`.................9.....U...........2.....}...................................w...........'.....R.................9.....J.............................v.............
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):516256
                                                                                                                                                                                                                          Entropy (8bit):5.426294949123783
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:3BA426E91C34E1C33F13912974835F7D
                                                                                                                                                                                                                          SHA1:467A1B05BAD23252A08EE22E6B9EBB4404F6A0F0
                                                                                                                                                                                                                          SHA-256:CB66D88D3B3938FE1E42C50ECB85CEDB0D57E0F0AB2FA2A5FC0E4CDEA640E2B7
                                                                                                                                                                                                                          SHA-512:824A4301DC4D935FF34CE88FAA0354440FC1A3A8E79B0F4B0B2DCC8F12542ECEF65828FB930EDF5B35BF16863296BBAE39E9306962B4D3CFA9F6495AC05BDEF4
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........9$..e.h...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.$...|.*...}.<.....D.....I.....Q.....Y.....a.....h.....o.....v.....w.....x.....}.............................d...........L.....h.........../.....h.....x.............................w.................(.....y.......................^...................................:.....j..........._.................:......................._...................................K.....d...........p.................5.............................q.......................n.......................w.......................p.......................O.....}.................).....W.....a.................V.....g...........b................. .....j.......................;.....a.................=.....U...........N.................2.....W.....p...........8.....p.................S.................@.................0...........1.....{.................X.......................0.....V.....k...........C...................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):518861
                                                                                                                                                                                                                          Entropy (8bit):5.4029194034596575
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:4D7D724BE592BD0280ED28388EAA8D43
                                                                                                                                                                                                                          SHA1:8E3C46B77639EB480A90AD27383FBB14C4176960
                                                                                                                                                                                                                          SHA-256:4724D82866C0A693C2B02D1FFA67D880B59CDB0D3334317B34EC0C91C3D3E2A2
                                                                                                                                                                                                                          SHA-512:D05388F66C50E039F7D3393515740F6B2593F9C0EF8651F9CDE910C5FF06656E0D22FDB066B22665289EE495837EA16CC085ECB3F85B0F6FB498AECDAA19ADF7
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........I$p.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v."...w./...y.5...z.D...|.J...}.\.....d.....i.....q.....y.......................................................................u...........Z.....u...........@.................).................$.................S.....w.................D.....T.................(.....:...........(.....j.................x.................H.......................g...................................9.....N...........D.......................p.......................^.......................a.......................q.......................r.......................U.............................[.....e.................P.....a...........?.......................O.....y.............................?.................0.....J...........#.....p.................9.....c.....u...........#.....Y.....n.........../.....}...............................................G.....k...........N.......................B.....g.....|...........J.......
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):537125
                                                                                                                                                                                                                          Entropy (8bit):5.4566742297332596
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:4F1C0A8632218F6FEF6BAB0917BEB84F
                                                                                                                                                                                                                          SHA1:05E497C8525CB1ADE6A0DAEFE09370EC45176E35
                                                                                                                                                                                                                          SHA-256:9C19835F237B1427000D72C93703311CFCBEFF6C2B709474B16DB93E629BC928
                                                                                                                                                                                                                          SHA-512:A7CDF94F79CD888BB81FD167F6B09BF1BEF2C749218869E5A12A0A3B2C2506D1A63F64B63D8E48EA49375636041C639082563BF9D526FE44003FC5A5E8D50E9D
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........0$..e.V...h.^...i.o...j.y...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.(.....0.....5.....=.....E.....M.....T.....[.....b.....c.....d.....f.....u.......................3.................+.................%.....9...........@.................1.......................Q.......................4.......................C...................................>.....b...........@.......................d.........................................p...........@.....n.................+.....H.............................h.......................M.......................J.......................7.............................].......................E.....t...................................?.............................W.....w.................\.................).......................f.......................W.........................................'...........$.....y...................................f.......................j.......................l...........+.
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 878725
Entropy (8bit): 4.848685093578222
Encrypted: false
SSDEEP:
MD5: 3A3D0D865A78399306924D3ED058274E
SHA1: AA1A42DB6021666B2297A65094D29978792CE29B
SHA-256: EAB4C32FEBE084CC7A3A272CDA008B69D6617ED6D042376B0316BE185B9E66FE
SHA-512: ACA8C87D0B2BB35A325726F7774F8A0232B99C8EFE0F948AB68210958E23B95E9D9026A9430D96FC2D5CEBA94815F4217896EF877C9A6E1D0E56F73533FB1D12
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                          Preview:.........#/.e.....h.....i.#...j./...k.>...l.I...n.Q...o.V...p.c...q.i...r.u...s.....t.....v.....w.....y.....z.....|.....}.........................................................................9.....V.....n...........V.......................g...........i...........l.....).................g...........,.....f.......................@.................6.....M......................./....."...........l..........._...........D.....y..... .................&.......................5.....9.....3.............................B.................r.................D...................................=.....b.........................................E.....\...........Y.................'...................................D.....n...........j.................9.......................a...........i...........v...........t...........a........................ ....,!....l!.....!....j"....."....R#....|#....O$.....%.....%.....%.....&....x'.....(....Q(.....(....z).....).....)....]*.....*.....+....$+.....+.....,.....-
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 553886
Entropy (8bit): 5.812150703289796
Encrypted: false
SSDEEP:
MD5: A9656846F66A36BB399B65F7B702B47D
SHA1: 4B2D6B391C7C2B376534C0AF9AA6779755B4B74E
SHA-256: 02B65F48375911C821786D91698E31D908A4C0F5F4F1460DE29980A71124480E
SHA-512: 7E23CAA89FF80BF799AC5353CEAF344CBED0393F23D15FCBE8DC24EE55757F417CEA3BFC30889FD2CB41951F9FA5629C2E64B46DD9617D4A85EFEF0A255246F6
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                          Preview:........5$..e.`...h.h...i.|...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.%...}.7.....?.....D.....L.....T.....\.....c.....j.....q.....r.....s.....u.............................h...............................................[.........../.....I.................S.....j...........9.....h.....{...........4.....].....q...........J.................?.............................%.....`.....y...........\................./.............................%.....v.................G.....g.....|...........=.....c.....u...........6.....].....o...........O.........................................".......................3.......................R.............................-.....x.................0.....K....._.................0.....E.................G.....W...........T.................).....w.................-.......................M.............................O.................J.........................................'.........................................E.
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 532410
Entropy (8bit): 5.486224954097277
Encrypted: false
SSDEEP:
MD5: BE49BB186EF62F55E27FF6B5FD5933F4
SHA1: 84CFD05C52A09B4E6FA62ADCAF71585538CF688E
SHA-256: 833F2E1B13381AA874E90B747931945B1637E53F2396A7409CCDA0A19CBE7A84
SHA-512: 1808631559D3C28589D3F5A4B95554CEBC342DE3D71B05DDC213F34851BF802967BFFAC3D7668C487265EE245D1E26EFCE5D317EDBFBBEEB4BC2C9F122980585
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                          Preview:.........$..e.....h.6...i.G...j.Q...k.`...l.k...n.s...o.x...p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................%.....,.....3.....:.....;.....<.....>.....P.....^.....n...................................y.................&...........2.....}.................h.......................g.......................Z.......................v.................O...................................3.....I.................T.....h...........b.................S...........$.....J.......................(.............................n.......................z...........$.....8.................2.....C...........).....j.................;.....i.....|...........?.....q.................[.......................g.......................L.....j.................G.......................~.................I.......................B.......................b.............................^.............................o.........................................j.......................x.......
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 818089
Entropy (8bit): 4.779985663253385
Encrypted: false
SSDEEP:
MD5: AFA2DFBA3BD71FE0307BFFB647CDCD98
SHA1: CD7A5C54246E891981AEEEAA88D39EC9E3F2C594
SHA-256: 1375353837629A20102C69BF62701EE5401BED84D3DC4845BED5EE43E4D322CF
SHA-512: CE8BBBDDC33CB6B8DF4AEE127A8987E6D8C1D0761AC5BD25D685310BAA2D377F239BDF06F2C04B54295CF8FD440697A69A040644D5A7C0395C4F71A0252B8E87
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                          Preview:........=$|.e.p...h.x...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.,...|.2...}.D.....L.....Q.....Y.....a.....i.....p.....w.....~.........................................).................W...........O...........\...........z.....E...................................3...........b.................a.................5.......................1.....1...........v...........|...........{...........`...........Y.....~.....d...................................S........... .......................{...........(.....K...........H.................c...........d...........3.................)...........B.................D.................(...........W.......................E.................~...........'.....O...........^.................~ .....!....]!....z!....J"....."....=#.....#....0$.....$.....$.....%.....%....P&.....&.....&.....'....1(.....(.....(.....).....*....5+....S+....A,.....,....Z-.....-....^...........=/....^/...../....Y0.....0.....0.....1....'2.....2
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 479512
Entropy (8bit): 5.541069475898216
Encrypted: false
SSDEEP:
MD5: 09592A0D35100CD9707C278C9FFC7618
SHA1: B23EEF11D7521721A7D6742202209E4FE0539566
SHA-256: 9C080A2F6D4EDF0E2E94F78550B9DB59ADF5B1B9166DE2BAE496E6ABB6733304
SHA-512: E0760B3F227A3E7EAEB4816B8E02BEE51C62730D24403724D66B36BCCBC0BDCD56DF9EAB28B073AB727EE12C8856A858E52A9803E1A1C9164FCD3CF2F716D8AF
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                          Preview:.........$..e.....h.....i.....j.%...k.4...l.?...n.G...o.L...p.Y...q._...r.k...s.|...t.....v.....w.....y.....z.....|.....}.........................................................................#.....5.....I.....]...........b.................).......................e...........2.....K.................T.....p...........&.....U.....e...........%.....V.....f...........J.........................................O.......................Y..................................._.....u.............................n.......................J.......................'...............................................(.............................z.......................j.......................h.......................|.................$.....w.......................M.....k.......................?.....Q...........).....f.................J.....i.................;.....c.....x...........1.....l...................................q.................?.................;.....N.............................p.............
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 504856
Entropy (8bit): 5.34516819438501
Encrypted: false
SSDEEP:
MD5: 9E038A0D222055FED6F1883992DCA5A8
SHA1: 8FA17648492D7F093F89E8E98BF29C3725E3B4B5
SHA-256: DDCA575D659545D80E715EB4176BBBBFBD3F75E24B223537B53740B0DCB282BD
SHA-512: FB70F97E08191DFEB18E8F1A09A3AB61687E326265B1349AB2EFF5055F57E177A496BF0EA3592B61C71FE1F73C9143CA1495B05226F36EB481024827CAE6DCC4
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                          Preview:........4$..e.^...h.f...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....m.............................?.................$.................2.....D...........7.......................P.......................A.....l.....{...........&.....U.....c...........0.....d..................................._.......................m.......................n.............................*.......................J.....r.......................>.....G.........................................A.....O.................4.....F.................G.....R.................).....6.................).....2.................\.....u...........(.....T.....p...........2.....c.................D.......................l.................B.............................j.................+.......................j...........?.....S...........5.....x...................................P.......................r...........%.
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 1298313
Entropy (8bit): 4.058495187693592
Encrypted: false
SSDEEP:
MD5: 36104CB0D5E26E0BBB313E529C14F4B4
SHA1: 69A509DEE8419DA719DCF6DE78BFE0A6737508C5
SHA-256: DC28C869A143424F71EDCFDB08B56DA31C2EC96E9D608535FFA7DC0B0842B7D8
SHA-512: D46ED1AA19EB298BC4C3D61EFC28D80753D6B551F01808E6158A0869FAAE8755DF61D4B4BAFF1310DD09FCFC385ABA67E1AA7D61BBE399DF7BB2D483EBE0FEFF
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                          Preview:.........$..e.(...h.0...i.A...j.M...k.\...l.g...n.o...o.t...p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................!.....(...../.....6.....7.....8.....=.....k.................:...........5...........$.....v...........`...........(...........Z.................%.............................O...........j.....L.........................................m...........u...................................;.....c...........7.................................................................8 ..... ....m!....I".....".....".....#.....$.....%....9%....d&....n'.....(....L(....C)....4*.....*.....*.....+.....,....3-....a-....Z.....J/...../...../.....0.....1....Z2.....2.....3....:5.....6....Z6....U7....=8.....8.....8.....9.....:.....:....F;.....<.....=.....=.....>....E?....S@.....@....[A....3B.....B....IC.....C.....D.....E....[F.....F....+H....>I.....J....pJ....\L....FN.....O.....O....DQ....QR.....S....{S.....T.....V.....V....'W....+X.....Y.....Y.....Y.....[....9\.....\
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 1199612
Entropy (8bit): 4.314031920337284
Encrypted: false
SSDEEP:
MD5: 98714389748A98ECC536CD2F17859BDF
SHA1: 07761AA31588F30C2CED4A1E31FE99DDC43A5E8D
SHA-256: 8A81B1A5457407E49D6372677938E7A2D28DFCA69F555FEDC8A2C9C09C333A65
SHA-512: 38CC4F064BD874EEC9DBFAB4C2A83A487FBCD89CEFB40BE4213C42231BC48AF9255341C9D325EE059BC50EE533898C5FA22CD3B3927A8E045049DEF3C5DFB2C6
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1008989
                                                                                                                                                                                                                          Entropy (8bit):4.356501290091745
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:56F29DE3465795E781A52FCF736BBE08
                                                                                                                                                                                                                          SHA1:EAA406E5ED938468760A29D18C8C3F16CF142472
                                                                                                                                                                                                                          SHA-256:529C561747BF8B6206BE4F8BCF287A1D15E1B14A33113242DDAD5E035CA37BE6
                                                                                                                                                                                                                          SHA-512:519B5B3CC7032B2AF856456EEC25019B3A6A7F2A6DB7A0318CF87C41E08C6F6BFA73E239939B0DA16972C1D357FF06177765D875E19742D23E99A95FD4AC5416
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):515329
                                                                                                                                                                                                                          Entropy (8bit):5.616482888977033
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:46CA9EE922C3C175DE466066F40B29CE
                                                                                                                                                                                                                          SHA1:5563E236A15CD9CC44AE859165DF1E4E722936C7
                                                                                                                                                                                                                          SHA-256:BD8B1441FD2057F0B61512CC0AA23DFD2619560CF886B4D453FA7472E7153A3F
                                                                                                                                                                                                                          SHA-512:45AA2D6896568751C2F986ABD281EA07CB731880DF8F28F2F0AEFD95736F41B1E005D8DFB6F0AEF0CED6CEF94154D34FD0DA2CB7F0B0C66D9C085F5C47F32605
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):876131
                                                                                                                                                                                                                          Entropy (8bit):4.88404350774067
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:1365ABDD1EFB44720EA3975E4A472530
                                                                                                                                                                                                                          SHA1:8421FC4905C592EB1269C5D524AA46866D617D3C
                                                                                                                                                                                                                          SHA-256:29AB0F7EE69FB7A1E1E54DD2A3746D2CFEAAA71AE5971EE30AA8E2E0F6556FA5
                                                                                                                                                                                                                          SHA-512:2E806A9BEA864E689BBD1D78B800DFDBC6E4109320F9A4790E52010BFDEC20C7644655A6FE3BABDE0B84D9580208CB78EF1FA0DB3476F8676C17A13D130296C7
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):765853
                                                                                                                                                                                                                          Entropy (8bit):5.17061834928747
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:3FED15E64BEAFBA75DE61B08A45AE106
                                                                                                                                                                                                                          SHA1:E24953271D8C0254AD011D3A65B2C2FA57903681
                                                                                                                                                                                                                          SHA-256:B6E250C3F4FBAC3AF5FB8BB1C61CACAD8685D7F2A97063DE23BC22E91B7F2E27
                                                                                                                                                                                                                          SHA-512:3948D080135AFEB240815D43F7B5B8D407BA2830FF701D9B8343F2A72E610827EDAAB643444CDCEB86812ADFC9FB3FBA3AAD6DB7488843C2A04E92A3E63FE40D
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):609259
                                                                                                                                                                                                                          Entropy (8bit):5.796202390024141
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:CD741C24AF7597E0DC11069D3AC324E0
                                                                                                                                                                                                                          SHA1:2A883DFBCF48D5093D70D4B77BBFFFA521287334
                                                                                                                                                                                                                          SHA-256:13E982DC4B2B1AEE093E96BA27E02258C2B815CBB062006A4396BB3A3E6A84B1
                                                                                                                                                                                                                          SHA-512:6D27998E25B57FF0CE08C3590B69031038CBA390E68333A83514022B2C56B689AF8AD9715302824027864B5320852E9AB77D74E3B8A90DC66DF59F48CEB528C9
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):441207
                                                                                                                                                                                                                          Entropy (8bit):6.685712707138377
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:99E6ACFB46923C4F8B29058E9EE6166B
                                                                                                                                                                                                                          SHA1:AF06C42E5F3578ADBC4F0BD7262DC6775FDD351F
                                                                                                                                                                                                                          SHA-256:9D8498875263B19552A982D1850F2F942FF44AF4E323BC5A3A67C34413994D95
                                                                                                                                                                                                                          SHA-512:4FDF5186FC2FC68210C2BE91F5B821F0979CA67D6C9B8915C14E7A20D3CE2548EB2660D5F9F398CF6C585A5C0725FA34FD3670F416F7C8A4F009C729BCF02988
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):439630
                                                                                                                                                                                                                          Entropy (8bit):6.6906570508767995
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:BB7C995F257B9125457381BB01856D72
                                                                                                                                                                                                                          SHA1:21C55FF5CBC4F223C23D5A2FBCC9E051DB78A44C
                                                                                                                                                                                                                          SHA-256:F2299E03E99B0E9A9CACE3B1C72E6C8C5FE089487CA1C82F2AAF4273B62E37A2
                                                                                                                                                                                                                          SHA-512:5247C5DA6F00DF6241500524DDB162041A03649FA0AFCC11AD40E820814958768A2E11CE34E1250FDBF42B2459F8C06B00AE7442B537F0731A62C6724FC8D890
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........#,.e.....h.....i.)...j.-...k.<...l.G...n.O...o.T...p.\...q.b...r.n...s.....t.....v.....w.....y.....z.....|.....}...................................................................%.....4.....C...........3.....q.................+.....T.....`........... .....R.....d.................M.....b.................3.....?.............................g.......................[.......................S.......................;.......................*.......................@.......................F.............................D.....d.....p.................2.....A.............................q.......................T.......................<.............................i.......................f.......................A.....[.....o.................!.............................u.......................^.............................h.......................P.........................................H.......................Z.......................$.....e.....z.................1.....X.....j...........#.
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):275968
                                                                                                                                                                                                                          Entropy (8bit):5.778490068583466
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:7EA1429E71D83A1CCAA0942C4D7F1C41
                                                                                                                                                                                                                          SHA1:4CE6ACF4D735354B98F416B3D94D89AF0611E563
                                                                                                                                                                                                                          SHA-256:EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
                                                                                                                                                                                                                          SHA-512:91C90845A12A377B617140B67639CFA71A0648300336D5EDD422AFC362E65C6CCD3A4FF4936D4262B0EAF7BAE2B9624BCD3C7EEC79F7E7CA18ABE1EC62C4C869
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.X...........!.....,..........~K... ...`....... ..............................H.....@.................................$K..W....`...............................I............................................... ............... ..H............text....+... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B................`K......H...........<x...............-..P .......................................i.)V.#c....e../.`...V....j>..*..?.LbrzKV.x.}...........[.f)..dD`..66.61[.z....W^....>F..r...#. ..g...T...P....Ss)ii.a.v.(0.....(1...o2...s....}....*...0..7........{....-%~....r...p.{....r9..p(3...(.....(.......(4....*.........//........{....*"..}....*..{....*....0..4..........%...(5....-.~....r?..p(....+...}.......,..(6....*........')........{....*..{....*"..}....*.*..{....*"..}....*.0..........
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1547797
                                                                                                                                                                                                                          Entropy (8bit):4.370092880615517
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:32AB4E0A9A82245EE3B474EF811F558F
                                                                                                                                                                                                                          SHA1:9F2C4C9EEB5720D765F2321ACD0FF9F8DD11E6A4
                                                                                                                                                                                                                          SHA-256:9BBF4D15F8FB11F7D2C032BD920D2A33B2C2CB8EF62E7E023049AF6132F5D6C1
                                                                                                                                                                                                                          SHA-512:A0574A170F69F9926C32BAF6119A16A381FEC9E881B304082859EE7CFF463570C78984EE14369C59CDB19E532B3ABF193D02B462F1B40D07214B6244150CD63F
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>log4net</name>.. </assembly>.. <members>.. <member name="T:log4net.Appender.AdoNetAppender">.. <summary>.. Appender that logs to a database... </summary>.. <remarks>.. <para>.. <see cref="T:log4net.Appender.AdoNetAppender"/> appends logging events to a table within a.. database. The appender can be configured to specify the connection .. string by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionString"/> property. .. The connection type (provider) can be specified by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionType"/>.. property. For more information on database connection strings for.. your specific database see <a href="http://www.connectionstrings.com/">http://www.connectionstrings.com/</a>... </para>.. <para>.. Record
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):342741
                                                                                                                                                                                                                          Entropy (8bit):5.496697631795104
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:A58DB728B50E6B82CBDCAA0DB61D36B1
                                                                                                                                                                                                                          SHA1:7CD76526CB29A0FF5350A2B52D48D1886360458B
                                                                                                                                                                                                                          SHA-256:BA2F2AC6AE9BC67399728F25772A0EB3E840695395CC747ADF4B2F8B5D6D9A46
                                                                                                                                                                                                                          SHA-512:0DB9AFBDADA44364521D89BAB6055458125F4F3C8C1B09048EAFA4055A194231CCFFD82FCDADA9360AB2B19F472B893330EBFCB027391E7A0C2B1100FC51E673
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:..mirrors....(function(a,b){."use strict";.var c=a.Array;.var d=a.isNaN;.var e=a.JSON.stringify;.var f;.var g;.var h=b.ImportNow("promise_state_symbol");.var i=b.ImportNow("promise_result_symbol");.var j;.var k;.b.Import(function(l){.f=l.MapEntries;.g=l.MapIteratorNext;.j=l.SetIteratorNext;.k=l.SetValues;.});.var m={.UNDEFINED_TYPE:'undefined',.NULL_TYPE:'null',.BOOLEAN_TYPE:'boolean',.NUMBER_TYPE:'number',.STRING_TYPE:'string',.SYMBOL_TYPE:'symbol',.OBJECT_TYPE:'object',.FUNCTION_TYPE:'function',.REGEXP_TYPE:'regexp',.ERROR_TYPE:'error',.PROPERTY_TYPE:'property',.INTERNAL_PROPERTY_TYPE:'internalProperty',.FRAME_TYPE:'frame',.SCRIPT_TYPE:'script',.CONTEXT_TYPE:'context',.SCOPE_TYPE:'scope',.PROMISE_TYPE:'promise',.MAP_TYPE:'map',.SET_TYPE:'set',.ITERATOR_TYPE:'iterator',.GENERATOR_TYPE:'generator',.}.var n=0;.var o=-1;.var p=[];.var q=true;.function MirrorCacheIsEmpty(){.return n==0&&p.length==0;.}.function ToggleMirrorCache(r){.q=r;.ClearMirrorCache();.}.function ClearMirrorCache(r){.
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8226870
                                                                                                                                                                                                                          Entropy (8bit):7.996842728494533
                                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:F7EC58AEA756F3FD8A055AC582103A78
                                                                                                                                                                                                                          SHA1:086B63691F5E5375A537E99E062345F56512A22C
                                                                                                                                                                                                                          SHA-256:517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
                                                                                                                                                                                                                          SHA-512:C620C6E16BBCEE9BC607E6CA75D602C756276AC69E5F3761D82DE7728164133656A71A69043EB1A86CE3051FDE4327A47EFD41D1FF47C8385699CA67C423AD7B
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:............f.6:..{..D..|..G..~. K.....]....._....=.....c...........9.....B.............................F.....K/.....2....54....r5.....6.....?.....@....jB.....C....hD.....E.....H....nj.....k.....r....@~...."..........W.....................;..../;'...2;P...7;....8;....C;....D;U...E;....F;....G;A,..H;.;..I;gK..J;.Z..K;.h..L;.}..M;y...N;{...O;z...P;....Q;8...R;....S;....T;C'..U;.=..V;.W..W;.m..X;....Y;....Z;D...[;....\;....];.....<.....<x....<.....<-....<\....<.....<.....<.....<.....<*(...< /...<+3...<.3..I=.3..J=.7..K=.9..R= >..S=.G..T=}V..[=;w..\=.x..]=.}..^=R..._=....`=....a=....b=....c=....e=:...f=.....=....=.....=....=`....=p....=.....=.....=.....=.....=.....=K....=.....=t....=.....=.....=.....=\....=Z....=.....=T....=[....=x....=.....=.....=D....=.....=.....=.....=l....=F....=.'...=j)...>.+...>l,...>_0...>.2...>.6...>.8..N>.\..O>~^..P>._..Q>%d..R>.k..S>.l..T>Tn..U>.p..b>.u..c>/y..d>.|..B@....C@....D@o...E@....F@W...L@Z...M@(...N@...O@....D.....D ....D ....D;....D.....D....D..
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):276319
                                                                                                                                                                                                                          Entropy (8bit):4.242318669799302
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:8234983533FA47D2A1D7710FF8274299
                                                                                                                                                                                                                          SHA1:E4C5793B6FE6A6C6C9D8E3921B3BC341AE3448D8
                                                                                                                                                                                                                          SHA-256:F95553D8066144CBB8A05EED1735C94A4B97A2E44E49F624C2302990A13017C9
                                                                                                                                                                                                                          SHA-512:1E7E201B0FF9AFA7821B5FFD0A36548A49CD4DBBABA5858E13DA35058670A5053723DD3544B2FD85C619F2B8FC9E5DB48DF977BB293E7BA7DE6F22CC8DAB28CA
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........X./j1N.11.8.172.9.......................................................@...y...........@..`....`....`....`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):26
                                                                                                                                                                                                                          Entropy (8bit):3.8731406795131327
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:2C66F3C2190A84FAFD4449DAF6440EAC
                                                                                                                                                                                                                          SHA1:7B9E4C94329FE26C34E63AB8336227FD5EB553E9
                                                                                                                                                                                                                          SHA-256:58EB97E30289A3FCAE270DBCC01258A862936350CB0EF781AE76D6A9444C0155
                                                                                                                                                                                                                          SHA-512:62713209575426CE503605C6F451E9DFB025BE0295F0A453614862CE390F5987F0E16BAE6B37B4B1A7330A7CB5AA31249F8CF58DE37B8B701C16881E4E4E61C1
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:start GamePall.exe OuWe5kl

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:MSVC program database ver 7.00, 512*4023 bytes
Category:dropped
Size (bytes):2059776
Entropy (8bit):4.067542396670122
Encrypted:false
SSDEEP:
MD5:70F9EAEA8A2A604E59F72EDE66F83AB4
SHA1:0AB9EA1BFFDFF471EC22AB289C7FBC5E0CDF48BF
SHA-256:38A07BA75CC2BBDF715CA87D380A4E5A0DCFAF9C30C5ECD30F6107871D51825B
SHA-512:47DE4DAD93385A4907FADE307040FE026ED66989C0C9915AFC96CB2BC93DE5E106DC1274E4AD2382021C758C60FEDE06D68998CF3591E23E2951778CE09D6D4C
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):346624
Entropy (8bit):6.54104466243173
Encrypted:false
SSDEEP:
MD5:7A53AD3E5D2E65C982450E7B7453DE8A
SHA1:99F27E54F1F61207C02110CAC476405557A8AD54
SHA-256:24FDDD6A367792A9D86D9060FC9AA459B5FB0F67804CB7D139A100D86BBDAFF8
SHA-512:2B5E5DB46FDC787CB46CDAEBFFC01586E248FBB864677B27AF03CDC33E956DEF51B3F836597E7092C4175CF605C44728C6F96B74BB2C9870E9715D4AF4C531A1
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2445312
Entropy (8bit):6.750207745422387
Encrypted:false
SSDEEP:
MD5:334C3157E63A34B22CCE25A44A04835F
SHA1:C6B05BD55BE9FED3B0C5077C5649E2A41C10DC08
SHA-256:3E307570B574469EC8BCF1CE6D5291DF8D627CA3812F05AACFEBBD3F00B17F89
SHA-512:11F538ADD05515861891892EBB90163B6540B72FEB380D64B4A0AA56C6415E3B71374557BF50D0B936712B1006F2B94D59BEBFBF18CBF93BB883D9055CAAEEE9
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):631017
Entropy (8bit):5.144793130466209
Encrypted:false
SSDEEP:
MD5:0794DF29DF8DFC3ECE5C443F864F5AEB
SHA1:BFD4A9A34BEB9751BC4203FB9A9172F1F05E5B16
SHA-256:3EE2237E9B14871165B051CCF892C8375E45B5F12841E02F4B9D37F5D5A03283
SHA-512:0D34E36F7455B977F086F04840FBA679284A619A7164A56B5C7FC2ADCB23A231B67A62101540EB07CF5C8192790266B08D2CC232D291621C331FE77C1F5E52C0
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4400640
Entropy (8bit):6.667314807988382
Encrypted:false
SSDEEP:
MD5:7F913E31D00082338F073EF60D67B335
SHA1:AC831B45F2A32E23BA9046044508E47E04CDA3A4
SHA-256:B60E9818C4EA9396D0D2D2A4AC79C7DC40D0DFF6BB8BC734D0AB14ADC30FBF30
SHA-512:E1AC79C775CF9137283CD2C1AE1A45EC597E0351CDB9C11D483E2E1F8B00CC2BBC5807A50DED13A3A5E76F06C1A565EFF1233F4EC727B0C5F7AA3BEAEA906750
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:JSON data
Category:dropped
Size (bytes):106
Entropy (8bit):4.724752649036734
Encrypted:false
SSDEEP:
MD5:8642DD3A87E2DE6E991FAE08458E302B
SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
Malicious:false
Reputation:unknown
Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):826368
Entropy (8bit):6.78646032943732
Encrypted:false
SSDEEP:
MD5:A031EB19C61942A26EF74500AD4B42DF
SHA1:FDC6EA473234F153639E963E8EFB8D028DA1BE20
SHA-256:207706A3A3FAA8500F88CB034B26413074EFC67221A07C5F70558F3C40985A91
SHA-512:80F843E47FC2B41B17EF6EA1BB2BB04119B2417311599EC52120D9F9DF316B4D7B1DAF97EE5CDF2AE78CDB9475E5C65255A7F2AB2A9231804F6A82C83303FD19
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):211456
Entropy (8bit):6.566524833521835
Encrypted:false
SSDEEP:
MD5:6D7FD214164C858BBCF4AA050C114E8C
SHA1:B8868DA6BB9A79EE7C9901A9BFAC580D5BAFCC96
SHA-256:3F58FB22BD1A1159C351D125BEE122A16BB97BABB5FCA67FDBD9AAAED3B302E6
SHA-512:0F8F2523C3A616AC7C72A1239B7E353F6A684FF75DA79D1CAF9B98A47FF6FE06329165825704C67C04E92073BA2C17D0FF339C57731DDF0F1489C2E97D1D0A14
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..._...^..._q..^..._..^..._..^..._..^..._..^k.._...^..._...^...^...^k.._...^k.._...^n..^...^k.._...^Rich...^........................PE..L...Ua.X.........."!.........(......c........0............................................@.................................x...<....@.......................P..T"......8...............................@............0..0............................text............................... ..`.rdata..`....0....... ..............@..@.data...............................@....gfids.......0......................@..@.rsrc........@......................@..@.reloc..T"...P...$..................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Windows\explorer.exe
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):176640
                                                                                                                                                                                                                          Entropy (8bit):6.497917412032352
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:BDCF37DCBB1947E5A3F6145D47FC67E8
                                                                                                                                                                                                                          SHA1:CEE0CF2EAF723C8980CE2F85B882F78BE880DA08
                                                                                                                                                                                                                          SHA-256:37E6E5D8B399FEFB9AE774516FF6367E800C69A272E18A654BB84CCFF2D7C67A
                                                                                                                                                                                                                          SHA-512:35F2BC215BB311D763A45A741FFF101DCDC2CD05171377C1041B3950D373CE06082BC9D6E7869407277BE75062531E57428D04AE1CF02F72AD4BDEDECE220D48
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 32%
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.............................{..<.........v.......................Rich...........PE..L.....2d.................l...80...................@...........................1......u......................................|...x.....0..............................................................................................................text....k.......l.................. ..`.rdata..\ ......."...p..............@..@.data...H...........................@....rsrc.........0.....................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Windows\explorer.exe
                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):26
                                                                                                                                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:[ZoneTransfer]....ZoneId=0
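Added example, not code from the Joe Sandbox report: a small Python triage helper for the 26-byte stream that explorer.exe dropped above. ZONE_STREAM is a constructed reconstruction of that stream, assuming the four dots in the preview are two CRLF pairs (the only layout consistent with the listed size of 26 bytes and the "CRLF line terminators" file type); INTERNET_STREAM and the example.test URLs are constructed for contrast and do not appear in the report. The helper computes the size, hash and 8-bit entropy columns the report uses for dropped files, parses the [ZoneTransfer] section, and classifies the ZoneId.

```python
import hashlib
import math
from collections import Counter

# Constructed reconstruction of the dropped stream: "[ZoneTransfer]....ZoneId=0" in the
# report's preview, with the four dots taken to be two CRLF pairs (14 + 4 + 8 = 26 bytes).
ZONE_STREAM = b"[ZoneTransfer]\r\n\r\nZoneId=0"

# Constructed stream of the kind a browser writes for an Internet download (not from the report).
INTERNET_STREAM = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                   b"ReferrerUrl=https://example.test/\r\n"
                   b"HostUrl=https://example.test/setup.exe\r\n")

# URLZONE values from urlmon.h; 3 (Internet) is the Mark-of-the-Web a download normally carries.
URL_ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
             3: "Internet", 4: "Restricted sites"}


def shannon_entropy(data):
    """Bits per byte, the figure the report lists as 'Entropy (8bit)': 0.0 for empty input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_zone_identifier(data):
    """Return the key=value pairs of the [ZoneTransfer] section as a dict (blank lines ignored)."""
    values, in_section = {}, False
    for line in data.decode("ascii", "replace").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def zone_verdict(data):
    """Classify a Zone.Identifier stream: Internet-origin (MotW present) or not."""
    values = parse_zone_identifier(data)
    try:
        zone = int(values.get("ZoneId", ""))
    except ValueError:
        return "malformed"
    name = URL_ZONES.get(zone, "unknown")
    if zone >= 3:
        return f"ZoneId={zone} ({name}): Mark-of-the-Web present, download protections apply"
    return f"ZoneId={zone} ({name}): no Mark-of-the-Web, file is treated as local"


def file_summary(data):
    """Size, entropy and hashes in the form the report's dropped-file entries use, plus the verdict."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "zone": zone_verdict(data),
    }


if __name__ == "__main__":
    for label, stream in (("dropped", ZONE_STREAM), ("browser", INTERNET_STREAM)):
        print(label, file_summary(stream))
```

The reconstructed stream has an entropy of 3.95006375643621 bits per byte, the value the report lists, which confirms the byte content. A ZoneId of 0 (URLZONE_LOCAL_MACHINE) makes the dropped copy look like a locally created file, so the checks that ZoneId=3 would trigger never run; on a live NTFS volume the stream can be read with PowerShell's `Get-Content -Path <file> -Stream Zone.Identifier` and compared against what the downloading browser would have written.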
                                                                                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Entropy (8bit):6.497917412032352
                                                                                                                                                                                                                          TrID:
                                                                                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                          File name:OBbrO5rwew.exe
                                                                                                                                                                                                                          File size:176'640 bytes
                                                                                                                                                                                                                          MD5:bdcf37dcbb1947e5a3f6145d47fc67e8
                                                                                                                                                                                                                          SHA1:cee0cf2eaf723c8980ce2f85b882f78be880da08
                                                                                                                                                                                                                          SHA256:37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a
                                                                                                                                                                                                                          SHA512:35f2bc215bb311d763a45a741fff101dcdc2cd05171377c1041b3950d373ce06082bc9d6e7869407277be75062531e57428d04ae1cf02f72ad4bdedece220d48
                                                                                                                                                                                                                          SSDEEP:3072:LG51L3RDkzFnZhvrDYr/oQT5PJiZ+39a1KuU3:651L3RYFr/ib+43h7
                                                                                                                                                                                                                          TLSH:6404051976F29126EFF79B312A70A7D41A3FBC736E70818E3690325E1E336918961713
                                                                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._...................................{...<...........v...........................Rich............PE..L.....2d.................l.
                                                                                                                                                                                                                          Icon Hash:cb97334d5151599a
                                                                                                                                                                                                                          Entrypoint:0x401908
                                                                                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                                                                                          Digitally signed:false
                                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                          DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                          Time Stamp:0x6432F3A6 [Sun Apr 9 17:19:34 2023 UTC]
                                                                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                                                                                          OS Version Major:5
                                                                                                                                                                                                                          OS Version Minor:0
                                                                                                                                                                                                                          File Version Major:5
                                                                                                                                                                                                                          File Version Minor:0
                                                                                                                                                                                                                          Subsystem Version Major:5
                                                                                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                                                                                          Import Hash:039b1745d3ec0d69297e0716539e775c
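Added example, not code from the Joe Sandbox report: a dependency-free Python parser for the header fields listed above (time stamp, entrypoint, image base, subsystem, file and DLL characteristics, data directories and the section each directory falls in). Because the sample itself is not on the page, build_sample_pe() constructs a header-only PE32 image: the TimeDateStamp, AddressOfEntryPoint, ImageBase, Subsystem, Characteristics, DllCharacteristics, OS/subsystem versions and the IMPORT and RESOURCE directory values it fills in are the ones the report lists for OBbrO5rwew.exe, the section names come from the file preview, but the section RVAs and sizes are invented (an assumption) so the directory-to-section mapping can be exercised offline.

```python
import datetime
import struct

# Flag names from winnt.h, keyed by bit value (subset)
FILE_CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                        0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def section_for_rva(sections, rva):
    """Section whose virtual range holds rva, or '' (the report's 'Is in Section' column)."""
    for sec in sections:
        if sec["va"] <= rva < sec["va"] + max(sec["vsize"], sec["raw_size"]):
            return sec["name"]
    return ""


def parse_pe(data):
    """Parse the DOS, COFF and optional headers plus the section table of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:    # PE32: 32-bit ImageBase at +28, NumberOfRvaAndSizes at +92
        image_base, = struct.unpack_from("<I", data, opt + 28)
        nrva, = struct.unpack_from("<I", data, opt + 92)
        dir_off = opt + 96
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at +24, NumberOfRvaAndSizes at +108
        image_base, = struct.unpack_from("<Q", data, opt + 24)
        nrva, = struct.unpack_from("<I", data, opt + 108)
        dir_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, sec_chars = struct.unpack_from(
            SECTION_HEADER, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "characteristics": sec_chars})
    directories = []
    for i in range(min(nrva, 16)):
        rva, size = struct.unpack_from("<II", data, dir_off + 8 * i)
        directories.append({"name": DIRECTORY_NAMES[i], "rva": rva, "size": size,
                            "section": section_for_rva(sections, rva) if rva else ""})
    when = datetime.datetime.fromtimestamp(timestamp, tz=datetime.timezone.utc)
    return {"machine": machine, "timestamp": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
            "entrypoint": image_base + entry, "entrypoint_section": section_for_rva(sections, entry),
            "image_base": image_base, "subsystem": subsystem,
            "file_characteristics": flag_names(chars, FILE_CHARACTERISTICS),
            "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
            "sections": sections, "directories": directories}


def build_sample_pe():
    """Constructed header-only PE32 image. Header values are the ones the report lists for
    OBbrO5rwew.exe; the section RVAs/sizes are invented (assumption) so that the reported IMPORT
    and RESOURCE directory RVAs fall inside .rdata and .rsrc."""
    sections = [(b".text", 0x18000, 0x1000), (b".rdata", 0x5000, 0x19000),
                (b".data", 0x22EA000, 0x1E000), (b".rsrc", 0x101D8, 0x2308000)]  # (name, vsize, va)
    directories = [(0, 0)] * 16
    directories[1] = (0x1977C, 0x78)       # IMPORT, as reported
    directories[2] = (0x2308000, 0x101D8)  # RESOURCE, as reported
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers directly after the DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0x6432F3A6, 0, 0, 224, 0x0103)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 9, 0,                       # PE32 magic, linker 9.0 (VS2008)
                      0, 0, 0, 0x1908, 0x1000, 0x19000,  # code/data sizes, AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,           # ImageBase, SectionAlignment, FileAlignment
                      5, 0, 0, 0, 5, 0,                  # OS 5.0, image 0.0, subsystem 5.0
                      0, 0x2318200, 0x200, 0,            # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x8100,                         # WINDOWS_GUI; NX_COMPAT | TERMINAL_SERVER_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    dirs = b"".join(struct.pack("<II", rva, size) for rva, size in directories)
    secs = b"".join(struct.pack(SECTION_HEADER, name, vsize, va, 0, 0, 0, 0, 0, 0, 0x60000020)
                    for name, vsize, va in sections)
    return bytes(dos) + coff + opt + dirs + secs


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(pe["timestamp"], hex(pe["entrypoint"]), pe["file_characteristics"], pe["dll_characteristics"])
    for d in pe["directories"][:3]:
        print(f"IMAGE_DIRECTORY_ENTRY_{d['name']:<14} {d['rva']:#x} {d['size']:#x} {d['section']}")
```

The time stamp 0x6432F3A6 decodes to 2023-04-09 17:19:34 UTC, as in the report. Two of the parsed flags matter when writing memory-based detections for this sample: RELOCS_STRIPPED is set and DYNAMIC_BASE is not, so the loader cannot rebase the image and it always maps at 0x400000, which means the absolute addresses in the entrypoint disassembly below (0x41C918 and the other 0x41C8xx/0x41C9xx globals) are stable across runs and machines.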
Instruction (disassembly at the entrypoint, 0x401908)
                                                                                                                                                                                                                          call 00007F6C78B0E0B5h
                                                                                                                                                                                                                          jmp 00007F6C78B0A37Eh
                                                                                                                                                                                                                          mov edi, edi
                                                                                                                                                                                                                          push ebp
                                                                                                                                                                                                                          mov ebp, esp
                                                                                                                                                                                                                          sub esp, 00000328h
                                                                                                                                                                                                                          mov dword ptr [0041C918h], eax
                                                                                                                                                                                                                          mov dword ptr [0041C914h], ecx
                                                                                                                                                                                                                          mov dword ptr [0041C910h], edx
                                                                                                                                                                                                                          mov dword ptr [0041C90Ch], ebx
                                                                                                                                                                                                                          mov dword ptr [0041C908h], esi
                                                                                                                                                                                                                          mov dword ptr [0041C904h], edi
                                                                                                                                                                                                                          mov word ptr [0041C930h], ss
                                                                                                                                                                                                                          mov word ptr [0041C924h], cs
                                                                                                                                                                                                                          mov word ptr [0041C900h], ds
                                                                                                                                                                                                                          mov word ptr [0041C8FCh], es
                                                                                                                                                                                                                          mov word ptr [0041C8F8h], fs
                                                                                                                                                                                                                          mov word ptr [0041C8F4h], gs
                                                                                                                                                                                                                          pushfd
                                                                                                                                                                                                                          pop dword ptr [0041C928h]
                                                                                                                                                                                                                          mov eax, dword ptr [ebp+00h]
                                                                                                                                                                                                                          mov dword ptr [0041C91Ch], eax
                                                                                                                                                                                                                          mov eax, dword ptr [ebp+04h]
                                                                                                                                                                                                                          mov dword ptr [0041C920h], eax
                                                                                                                                                                                                                          lea eax, dword ptr [ebp+08h]
                                                                                                                                                                                                                          mov dword ptr [0041C92Ch], eax
                                                                                                                                                                                                                          mov eax, dword ptr [ebp-00000320h]
                                                                                                                                                                                                                          mov dword ptr [0041C868h], 00010001h
                                                                                                                                                                                                                          mov eax, dword ptr [0041C920h]
                                                                                                                                                                                                                          mov dword ptr [0041C81Ch], eax
                                                                                                                                                                                                                          mov dword ptr [0041C810h], C0000409h
                                                                                                                                                                                                                          mov dword ptr [0041C814h], 00000001h
                                                                                                                                                                                                                          mov eax, dword ptr [0041B004h]
                                                                                                                                                                                                                          mov dword ptr [ebp-00000328h], eax
                                                                                                                                                                                                                          mov eax, dword ptr [0041B008h]
                                                                                                                                                                                                                          mov dword ptr [ebp-00000324h], eax
                                                                                                                                                                                                                          call dword ptr [000000A8h]
Programming Language:
• [C++] VS2008 build 21022
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1977c | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2308000 | 0x101d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x18000 | 0x188 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x16b95 | 0x16c00 | 27886a910aaa5c86fde1286e7ef805ae | False | 0.8052240728021978 | data | 7.51076247482441 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x18000 | 0x205c | 0x2200 | b0afdcaf230125e7427da6670d999249 | False | 0.3469669117647059 | data | 5.370789616483129 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1b000 | 0x22ec548 | 0x1e00 | 6700f5cad4699e8b08318c7bd15f6570 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2308000 | 0x101d8 | 0x10200 | 20844ac84c5ebe663df9e00041409879 | False | 0.45856044089147285 | data | 4.994971003492956 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
NUSUTUMA | 0x230ef08 | 0x3fa | ASCII text, with very long lines (1018), with no line terminators | Turkish | Turkey | 0.6277013752455796
RT_CURSOR | 0x230f308 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x230f438 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x23086d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.6103411513859275
RT_ICON | 0x2309578 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6917870036101083
RT_ICON | 0x2309e20 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7540322580645161
RT_ICON | 0x230a4e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7940751445086706
RT_ICON | 0x230aa50 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5950207468879668
RT_ICON | 0x230cff8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.7281894934333959
RT_ICON | 0x230e0a0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.7364754098360655
RT_ICON | 0x230ea28 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8847517730496454
RT_STRING | 0x2311bb8 | 0xaa | data | | | 0.611764705882353
RT_STRING | 0x2311c68 | 0x6e | data | | | 0.6
RT_STRING | 0x2311cd8 | 0x6b2 | data | | | 0.4305717619603267
RT_STRING | 0x2312390 | 0x688 | data | | | 0.4342105263157895
RT_STRING | 0x2312a18 | 0x6a4 | data | | | 0.42764705882352944
RT_STRING | 0x23130c0 | 0x202 | data | | | 0.5019455252918288
RT_STRING | 0x23132c8 | 0x6a4 | data | | | 0.42705882352941177
RT_STRING | 0x2313970 | 0x6d8 | data | | | 0.4297945205479452
RT_STRING | 0x2314048 | 0x7e0 | data | | | 0.42162698412698413
RT_STRING | 0x2314828 | 0x71a | data | | | 0.42684268426842686
RT_STRING | 0x2314f48 | 0x698 | data | | | 0.4277251184834123
RT_STRING | 0x23155e0 | 0x798 | data | | | 0.4202674897119342
RT_STRING | 0x2315d78 | 0x6dc | data | | | 0.4299544419134396
RT_STRING | 0x2316458 | 0x82c | data | | | 0.41634799235181646
RT_STRING | 0x2316c88 | 0x672 | data | | | 0.44
RT_STRING | 0x2317300 | 0x752 | data | | | 0.4247598719316969
RT_STRING | 0x2317a58 | 0x724 | data | | | 0.424507658643326
RT_STRING | 0x2318180 | 0x52 | data | | | 0.6585365853658537
RT_GROUP_CURSOR | 0x23119e0 | 0x22 | data | | | 1.088235294117647
RT_GROUP_ICON | 0x230ee90 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_VERSION | 0x2311a08 | 0x1b0 | data | | | 0.5972222222222222
DLL | Import
KERNEL32.dll | SetVolumeMountPointW, GetComputerNameW, SleepEx, GetCommProperties, GetModuleHandleW, GetTickCount, ReadConsoleOutputA, GlobalAlloc, lstrcpynW, WriteConsoleW, GetModuleFileNameW, GetConsoleAliasesW, CreateJobObjectW, GetProcAddress, BuildCommDCBW, GetAtomNameA, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, AddAtomA, FoldStringA, lstrcatW, EnumDateFormatsW, FindFirstVolumeA, AreFileApisANSI, OpenJobObjectA, ZombifyActCtx, GetLastError, GetConsoleAliasExesLengthA, CreateFileA, GetConsoleOutputCP, MultiByteToWideChar, HeapReAlloc, HeapAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, Sleep, HeapSize, ExitProcess, HeapCreate, VirtualFree, HeapFree, VirtualAlloc, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, WideCharToMultiByte, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, ReadFile, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA
GDI32.dll | GetBoundsRect
ADVAPI32.dll | EnumDependentServicesA
ole32.dll | CoTaskMemRealloc
WINHTTP.dll | WinHttpAddRequestHeaders
Language of compilation system | Country where language is spoken
Turkish | Turkey

Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

Target ID: 0
Start time: 15:37:52
Start date: 02/07/2024
Path: C:\Users\user\Desktop\OBbrO5rwew.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\OBbrO5rwew.exe"
Imagebase: 0x400000
File size: 176'640 bytes
MD5 hash: BDCF37DCBB1947E5A3F6145D47FC67E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2113001680.0000000002971000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2112668303.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2112668303.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2112742292.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2112742292.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2112462059.0000000002780000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 15:38:04
Start date: 02/07/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff674740000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 15:38:23
Start date: 02/07/2024
Path: C:\Users\user\AppData\Roaming\deetubv
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\deetubv
Imagebase: 0x400000
File size: 176'640 bytes
MD5 hash: BDCF37DCBB1947E5A3F6145D47FC67E8
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2411803971.0000000002801000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2411803971.0000000002801000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2411670729.00000000027C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                          • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2411734866.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2411734866.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2411929335.0000000002850000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                                          • Detection: 32%, ReversingLabs
                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:5
                                                                                                                                                                                                                          Start time:15:38:37
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\2391.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\2391.exe
                                                                                                                                                                                                                          Imagebase:0xd80000
                                                                                                                                                                                                                          File size:6'642'176 bytes
                                                                                                                                                                                                                          MD5 hash:BD2EAC64CBDED877608468D86786594A
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2520570901.0000000001BD1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2520134793.0000000001BCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2520926542.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                                          • Detection: 100%, Avira
                                                                                                                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                          • Detection: 50%, ReversingLabs
                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:8
                                                                                                                                                                                                                          Start time:15:38:47
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\4CC4.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\4CC4.exe
                                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                                          File size:293'869 bytes
                                                                                                                                                                                                                          MD5 hash:60172CA946DE57C3529E9F05CC502870
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                                          • Detection: 100%, Avira
                                                                                                                                                                                                                          • Detection: 21%, ReversingLabs
                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:9
                                                                                                                                                                                                                          Start time:15:38:54
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\77CD.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\77CD.exe
                                                                                                                                                                                                                          Imagebase:0xbd0000
                                                                                                                                                                                                                          File size:578'048 bytes
                                                                                                                                                                                                                          MD5 hash:DA4B6F39FC024D2383D4BFE7F67F1EE1
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                          • Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000009.00000002.3287815346.0000000001338000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          • Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:10
                                                                                                                                                                                                                          Start time:15:40:01
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\deetubv
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\deetubv
                                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                                          File size:176'640 bytes
                                                                                                                                                                                                                          MD5 hash:BDCF37DCBB1947E5A3F6145D47FC67E8
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:11
                                                                                                                                                                                                                          Start time:15:40:14
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\setup.exe"
                                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                                          File size:107'232'830 bytes
                                                                                                                                                                                                                          MD5 hash:FF2293FBFF53F4BD2BFF91780FABFD60
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                                          • Detection: 100%, Avira
                                                                                                                                                                                                                          • Detection: 3%, ReversingLabs
                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:12
                                                                                                                                                                                                                          Start time:15:40:44
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Imagebase:0x4a0000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 3%, ReversingLabs
Reputation:low
Has exited:true

Target ID:14
Start time:15:40:49
Start date:02/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3400 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Imagebase:0xae0000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:15
Start time:15:40:49
Start date:02/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3976 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:0xd70000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:16
Start time:15:40:49
Start date:02/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4012 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:0x780000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:17
Start time:15:40:49
Start date:02/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719944520561396 --launch-time-ticks=5329031925 --mojo-platform-channel-handle=4048 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:0x230000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:18
Start time:15:40:49
Start date:02/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 9; SM-J730G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719944520561396 --launch-time-ticks=5329056479 --mojo-platform-channel-handle=4108 --field-trial-handle=3412,i,12963406170679374430,9093183945598996200,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:0x7a0000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:19
Start time:15:40:49
Start date:02/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x9f0000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:20
Start time:15:40:50
Start date:02/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x6c0000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:15:40:50
Start date:02/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x970000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:15:40:51
Start date:02/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x150000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:23
                                                                                                                                                                                                                          Start time:15:40:52
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0xe70000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:24
                                                                                                                                                                                                                          Start time:15:40:53
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:25
                                                                                                                                                                                                                          Start time:15:40:53
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0x230000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:26
                                                                                                                                                                                                                          Start time:15:40:54
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0xad0000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:27
                                                                                                                                                                                                                          Start time:15:40:54
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0x150000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:28
                                                                                                                                                                                                                          Start time:15:40:54
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0xd80000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:29
                                                                                                                                                                                                                          Start time:15:40:55
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0x220000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:30
                                                                                                                                                                                                                          Start time:15:40:55
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0x680000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:31
                                                                                                                                                                                                                          Start time:15:40:56
                                                                                                                                                                                                                          Start date:02/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0x2d0000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

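The process records above show one pattern worth pulling out automatically when triaging a report like this: the same binary (identical MD5, path under %APPDATA%\Roaming) is relaunched once a second, and one of those launches (Target ID 22) is reported with a different Wow64 flag than the rest. The following Python is an added example, not Joe Sandbox code or output: it parses the report's "key:value" process records, flags executables running from user-writable directories, flags a burst of relaunches of the same hash, and flags a hash whose Wow64 flag is inconsistent across its processes. Assumptions: the date field is read as DD/MM/YYYY, the list of user-writable directory markers is a heuristic chosen here, and the sample below is a constructed excerpt (three records mirroring the report plus one made-up benign record with a placeholder hash).

```python
"""Triage helpers for Joe Sandbox-style process records (added example, not report output)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three records mirroring the report above plus one made-up
# benign record (placeholder all-zero hash) for contrast.
SAMPLE_RECORDS = r"""
Target ID:22
Start time:15:40:51
Start date:02/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):false
MD5 hash:7A3502C1119795D35569535DE243B6FE

Target ID:23
Start time:15:40:52
Start date:02/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
MD5 hash:7A3502C1119795D35569535DE243B6FE

Target ID:24
Start time:15:40:53
Start date:02/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
MD5 hash:7A3502C1119795D35569535DE243B6FE

Target ID:B1
Start time:15:40:40
Start date:02/07/2024
Path:C:\Windows\System32\notepad.exe
Wow64 process (32bit):false
MD5 hash:00000000000000000000000000000000
"""

# Heuristic (assumption): path fragments that mark user-writable locations.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")


def parse_records(text: str) -> list[dict[str, str]]:
    """Split report text into per-process dicts.

    Records are separated by blank lines; each line is "key:value" and only the
    first colon separates key from value (paths and command lines contain more).
    """
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def start_timestamp(rec: dict[str, str]) -> datetime:
    """Combine date and time fields; the date is assumed to be DD/MM/YYYY."""
    return datetime.strptime(f"{rec['Start date']} {rec['Start time']}", "%d/%m/%Y %H:%M:%S")


def flag_records(records, burst_window=timedelta(seconds=10), burst_min=3):
    """Return (subject, finding) tuples for suspicious launch patterns."""
    findings = []
    by_hash = defaultdict(list)
    for rec in records:
        path = rec.get("Path", "").lower()
        if any(marker in path for marker in USER_WRITABLE):
            findings.append((rec["Target ID"], "executes from user-writable directory"))
        by_hash[rec.get("MD5 hash", "").upper()].append(rec)
    for md5, recs in by_hash.items():
        times = sorted(start_timestamp(r) for r in recs)
        # Sliding window: burst_min launches of the same hash within burst_window.
        for i in range(len(times) - burst_min + 1):
            if times[i + burst_min - 1] - times[i] <= burst_window:
                findings.append((md5, f"relaunched {len(recs)} times within {burst_window.seconds}s"))
                break
        # One binary reported both as WOW64 and not WOW64 deserves a second look
        # (reporting artifact, or the process image is not what the path suggests).
        if len({r.get("Wow64 process (32bit)") for r in recs}) > 1:
            findings.append((md5, "inconsistent Wow64 flag across identical hash"))
    return findings


if __name__ == "__main__":
    for subject, finding in flag_records(parse_records(SAMPLE_RECORDS)):
        print(f"{subject}: {finding}")
```

On the constructed sample this yields three "user-writable directory" findings (IDs 22, 23, 24), one relaunch-burst finding and one Wow64-inconsistency finding for hash 7A3502C1119795D35569535DE243B6FE, and nothing for the benign record. Run against the full process table of a report, the burst threshold and window are the knobs to tune; a legitimate updater also relaunches itself, so treat the findings as triage hints rather than verdicts.
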
Target IDs 32 to 39 are eight further launches of the dropped binary and share the following fields:

Start date:02/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language

They differ only in start time, image base and exit state:

| Target ID | Start time | Imagebase | Has exited |
|-----------|------------|-----------|------------|
| 32 | 15:40:56 | 0x460000 | true |
| 33 | 15:40:56 | 0x520000 | true |
| 34 | 15:40:57 | 0x2f0000 | true |
| 35 | 15:40:57 | 0xd10000 | false |
| 36 | 15:40:57 | 0xc80000 | true |
| 37 | 15:40:57 | 0x350000 | true |
| 38 | 15:40:58 | 0x310000 | true |
| 39 | 15:40:59 | 0x920000 | true |

Execution Graph

Execution Coverage:8.7%
Dynamic/Decrypted Code Coverage:22.5%
Signature Coverage:45.1%
Total number of Nodes:142
Total number of Limit Nodes:6
[The execution graph is rendered as an image; only the node and edge data survived extraction. The API call chains recoverable from that data, grouped by code region:]

- 0x417864 to 0x417b89 (34 API calls at 0x417864, 7 at 0x417924): runs of unrelated APIs (lstrcatW, InterlockedExchangeAdd, WriteConsoleW, GetBoundsRect, EnumDependentServicesA, GlobalAlloc, AddAtomA, GetCommProperties, GetTickCount, GetLastError, ZombifyActCtx, GetConsoleAliasesW, FoldStringA, CreateJobObjectW, OpenJobObjectA, BuildCommDCBW, GetConsoleAliasExesLengthA, UnhandledExceptionFilter, FindFirstVolumeA, GetComputerNameW, SleepEx), then LoadLibraryA at 0x417acf, a GetModuleHandleW/GetProcAddress loop at 0x41764f, and VirtualProtect at 0x4175e6.
- 0x278003c to 0x27808c7 (dynamically allocated code): SetErrorMode, SetErrorMode at 0x2780e0f, GetPEB at 0x2780dbb, VirtualAlloc at 0x2780238, VirtualProtect at 0x27802ce, VirtualFree at 0x2780439, LoadLibraryA at 0x27804be; GetPEB again at 0x278092b.
- 0x401538 / 0x401543 / 0x401447 (reached from 0x401918 after Sleep at 0x40195e, and from 0x402e63, 0x402eb7, 0x4014de and 0x401496): NtDuplicateObject at 0x4015e6, NtCreateSection at 0x401603, NtMapViewOfSection at 0x401629 and 0x40164c, NtCreateSection at 0x401683, NtMapViewOfSection at 0x4016b9 and 0x4016e0. Each of the two sections is mapped twice.
- 0x4030ce (from 0x402fe9 via 0x403013): RtlCreateUserThread, NtTerminateProcess.
- 0x2974c88 (from 0x29744d8 and 0x29744e8): CreateToolhelp32Snapshot at 0x2974cac, Module32First at 0x2974cc8, then VirtualAlloc at 0x2974983.
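
The chain at 0x4015e6 to 0x4016e0 followed by 0x4030ce (NtDuplicateObject, two NtCreateSection calls each followed by two NtMapViewOfSection calls, then RtlCreateUserThread and NtTerminateProcess) is the shape a detection engineer wants to match in an API trace: a section mapped into the injector's own process and into a second process handle, then a thread started in that process at the remote view. The following detector is an added example, not Joe Sandbox code and not code recovered from the sample; the trace line format, the handles, the addresses and the PID are all constructed for the demonstration.

```python
"""Flag the mapped-section injection chain in an API call trace.

Added example; this is not Joe Sandbox code and not code from the sample. The
trace format (one call per line, hex handles, "-> value" for the return) and
every handle, address and PID below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Optional

CURRENT_PROCESS = 0xFFFFFFFF  # NtCurrentProcess() pseudo-handle on 32-bit Windows

# Constructed trace modelled on the graph above: duplicate a handle to the target,
# create two sections, map each into self and into the target, start a thread in
# the target at the remote view, then terminate self.
SAMPLE_TRACE = """\
pid=4120 NtDuplicateObject(src=0xffffffff, target=0x1f4) -> 0x20c
pid=4120 NtCreateSection(size=0x5000, protect=PAGE_EXECUTE_READWRITE) -> 0x210
pid=4120 NtMapViewOfSection(section=0x210, process=0xffffffff) -> 0x2a0000
pid=4120 NtMapViewOfSection(section=0x210, process=0x20c) -> 0x7ff60000
pid=4120 NtCreateSection(size=0x1000, protect=PAGE_READWRITE) -> 0x214
pid=4120 NtMapViewOfSection(section=0x214, process=0xffffffff) -> 0x2b0000
pid=4120 NtMapViewOfSection(section=0x214, process=0x20c) -> 0x7ff70000
pid=4120 RtlCreateUserThread(process=0x20c, start=0x7ff60000) -> 0x218
pid=4120 NtTerminateProcess(process=0xffffffff, status=0)
"""

LINE_RE = re.compile(
    r"pid=(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)"
    r"(?:\s*->\s*(?P<ret>0x[0-9a-fA-F]+))?"
)


@dataclass
class Call:
    pid: int
    api: str
    args: dict
    ret: Optional[int]


def parse_trace(text: str) -> list:
    """Parse the constructed trace format; lines that are not API calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = {}
        for item in m.group("args").split(","):
            if "=" not in item:
                continue
            key, value = (s.strip() for s in item.split("=", 1))
            args[key] = int(value, 16) if value.startswith("0x") else value
        ret = int(m.group("ret"), 16) if m.group("ret") else None
        calls.append(Call(int(m.group("pid")), m.group("api"), args, ret))
    return calls


def detect_section_injection(calls: list) -> list:
    """Return human-readable findings, in trace order, for the injection pattern.

    The rule fires only when one section is mapped both into the calling process
    (so the injector can write into it) and into another process handle, and it
    escalates when a thread is then started inside that remote view.
    """
    sections = {}      # section handle -> {"local": [view bases], "remote": {proc: base}}
    remote_views = {}  # (process handle, remote base) -> section handle
    findings = []
    injected = False
    for c in calls:
        if c.api == "NtCreateSection" and c.ret is not None:
            sections[c.ret] = {"local": [], "remote": {}}
        elif c.api == "NtMapViewOfSection":
            handle = c.args.get("section")
            sec = sections.get(handle)
            if sec is None or c.ret is None:
                continue
            proc = c.args.get("process")
            if proc == CURRENT_PROCESS:
                sec["local"].append(c.ret)
            else:
                sec["remote"][proc] = c.ret
                remote_views[(proc, c.ret)] = handle
                if sec["local"]:
                    findings.append(
                        f"section 0x{handle:x} mapped locally at 0x{sec['local'][0]:x} "
                        f"and into process handle 0x{proc:x} at 0x{c.ret:x}")
        elif c.api in ("RtlCreateUserThread", "NtCreateThreadEx", "CreateRemoteThread"):
            proc = c.args.get("process")
            key = (proc, c.args.get("start"))
            if proc != CURRENT_PROCESS and key in remote_views:
                injected = True
                findings.append(
                    f"remote thread in process handle 0x{proc:x} starts inside injected "
                    f"view 0x{key[1]:x} (section 0x{remote_views[key]:x})")
        elif (c.api == "NtTerminateProcess" and injected
              and c.args.get("process") == CURRENT_PROCESS):
            findings.append("injector terminates itself after starting the remote thread")
    return findings


if __name__ == "__main__":
    for finding in detect_section_injection(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

The detector deliberately ignores a section that is only mapped locally, which is how ordinary file mapping and many packers behave, so it produces nothing on a benign trace. On the sample the target process handle comes out of NtDuplicateObject rather than OpenProcess (the graph shows it immediately before the first NtCreateSection), which is why the rule keys on the handle passed to NtMapViewOfSection instead of on how that handle was obtained.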

Control-flow Graph
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000000.00000002.2111251156.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OBbrO5rwew.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectView
• String ID:
• API String ID: 1652636561-0
• Opcode ID: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
• Instruction ID: 8e4940cc2d5d294876689a6a874cb0cc3c399929e81e9dec1e5d288c8cd9e9dd
• Opcode Fuzzy Hash: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
• Instruction Fuzzy Hash: F481B375500244BBEB209F91CC44FAB7BB8FF85704F10412AF952BA2F1E7749901CB69

Control-flow Graph
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000000.00000002.2111251156.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OBbrO5rwew.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
• Instruction ID: 71a4d0092025beca94809e07d65936591d52f1bb8effc294688e3fcd05e54c36
• Opcode Fuzzy Hash: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
• Instruction Fuzzy Hash: E0615171900204FBEB209F95CC89FAF7BB8FF85700F10412AF912BA2E5D6759905DB65

Control-flow Graph
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000000.00000002.2111251156.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OBbrO5rwew.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectView
• String ID:
• API String ID: 1652636561-0
• Opcode ID: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
• Instruction ID: 6a824664258ffec6fdf95c516407446232c8a84219ad61b9fd4b8efeb52f3576
• Opcode Fuzzy Hash: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
• Instruction Fuzzy Hash: 9B615C75900245BFEB219F91CC88FEBBBB8FF85710F10016AF951BA2A5E7749901CB24

Control-flow Graph
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000000.00000002.2111251156.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OBbrO5rwew.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
• Instruction ID: 1fc6fb52bb36dddf8f971a96ecfe927bdbae9887f6286775c14151e9c1d92244
• Opcode Fuzzy Hash: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
• Instruction Fuzzy Hash: 13512B71900245BBEB209F91CC88FAF7BB8EF85B00F14416AF912BA2E5D6749945CB64

Control-flow Graph
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000000.00000002.2111251156.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_OBbrO5rwew.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1546783058-0

Control-flow Graph

Function starting at 0x401579 (control-flow graph data omitted; the API call sites it contains are listed below)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000000.00000002.2111251156.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OBbrO5rwew.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0

Control-flow Graph

Function starting at 0x40157c (control-flow graph data omitted; the API call sites it contains are listed below)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000000.00000002.2111251156.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OBbrO5rwew.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0

Control-flow Graph

Function starting at 0x402fe9 (control-flow graph data omitted; the graph shows calls to RtlCreateUserThread and NtTerminateProcess in the block 0x4030ce-0x40313d)
APIs
Memory Dump Source
• Source File: 00000000.00000002.2111251156.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OBbrO5rwew.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0

Control-flow Graph

Function starting at 0x2974c88 (control-flow graph data omitted; the API call sites it contains are listed below)
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02974CB0
• Module32First.KERNEL32(00000000,00000224), ref: 02974CD0
Memory Dump Source
• Source File: 00000000.00000002.2113001680.0000000002971000.00000040.00000020.00020000.00000000.sdmp, Offset: 02971000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2971000_OBbrO5rwew.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0

Control-flow Graph

APIs
• lstrcatW.KERNEL32(?,00000000), ref: 004178F1
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004178FF
• WriteConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 00417916
• lstrcpynW.KERNEL32(?,00000000,00000000), ref: 0041792D
• GetAtomNameA.KERNEL32(00000000,00000000,00000000), ref: 00417936
• AreFileApisANSI.KERNEL32 ref: 0041793C
• ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041797D
• SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 00417985
• GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00417994
• EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 0041799D
• GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 004179AF
• EnumDependentServicesA.ADVAPI32(00000000,00000000,?,00000000,?,?), ref: 004179CD
                                                                                                                                                                                                                            • GlobalAlloc.KERNEL32(00000000,00000000), ref: 004179F1
                                                                                                                                                                                                                            • AddAtomA.KERNEL32(00000000), ref: 004179F8
                                                                                                                                                                                                                            • GetCommProperties.KERNELBASE(00000000,?), ref: 00417A06
                                                                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 00417A0C
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00417A12
                                                                                                                                                                                                                            • ZombifyActCtx.KERNEL32(00000000), ref: 00417A25
                                                                                                                                                                                                                            • GetConsoleAliasesW.KERNEL32(?,00000000,00000000), ref: 00417A34
                                                                                                                                                                                                                            • FoldStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00417A50
                                                                                                                                                                                                                            • LoadLibraryA.KERNELBASE(0041932C), ref: 00417B22
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2111267554.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_40b000_OBbrO5rwew.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Console$AtomEnumFileName$AliasesAllocApisBoundsCommCountDateDependentErrorExchangeFoldFormatsGlobalInterlockedLastLibraryLoadModuleMountOutputPointPropertiesReadRectServicesStringTickVolumeWriteZombifylstrcatlstrcpyn
                                                                                                                                                                                                                            • String ID: k`$tl_$}$
                                                                                                                                                                                                                            • API String ID: 4004065505-211918992
                                                                                                                                                                                                                            • Opcode ID: 3f471135f84e364f2a0eb20ee48f7b2cba615ed98cdf60eff0620c0a8ab0ccd3
                                                                                                                                                                                                                            • Instruction ID: 56b1ca893189157e86c5a62b41b2738574c3c764a1ae8ed8ac9d5036f9f4919d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3f471135f84e364f2a0eb20ee48f7b2cba615ed98cdf60eff0620c0a8ab0ccd3
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 79815C71845528AFD725AB61EC88CDF7B7CFF0A355B10846AF105E2110CF389A89CFA9

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0278024D
Memory Dump Source
• Source File: 00000000.00000002.2112462059.0000000002780000.00000040.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2780000_OBbrO5rwew.jbxd
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: a4c1a54ca1671e26896132eb019021d556adb1bf3110f27a521c93bc695f7723
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: F9527A75A01229DFDB64DF58C985BACBBB1BF09304F1480D9E94DAB351DB30AA89CF14

Control-flow Graph

control_flow_graph 560 2780e0f-2780e24 SetErrorMode * 2 561 2780e2b-2780e2c 560->561 562 2780e26 560->562 562->561
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,02780223,?,?), ref: 02780E19
• SetErrorMode.KERNELBASE(00000000,?,?,02780223,?,?), ref: 02780E1E
Memory Dump Source
• Source File: 00000000.00000002.2112462059.0000000002780000.00000040.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2780000_OBbrO5rwew.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: f6a11d2642f841788712fd3fb4466327a69264ddbeb3d06e509809cb3da93180
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: DFD0123214512877D7003A94DC09BCE7B1CDF05B66F008011FB0DD9080C770954046E5

Control-flow Graph

control_flow_graph 563 4175e6-417603 VirtualProtect
APIs
• VirtualProtect.KERNELBASE(00000040,?), ref: 004175FC
Memory Dump Source
• Source File: 00000000.00000002.2111267554.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40b000_OBbrO5rwew.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
• Instruction ID: 4c62818881ac23e86d27b7ad5f6e3bb285c85b39ac0806b91a2128f0277fdf34
• Opcode Fuzzy Hash: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
• Instruction Fuzzy Hash: 8CC08CB194020DFFDB018B91FC41E8D7BACF300248F808020B716A1060CAB1AD289F68

APIs
• Sleep.KERNELBASE(00001388), ref: 00401966
  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000000.00000002.2111251156.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OBbrO5rwew.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
• Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
• Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
• Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F
                                                                                                                                                                                                                            • Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
                                                                                                                                                                                                                            • Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02974998
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2113001680.0000000002971000.00000040.00000020.00020000.00000000.sdmp, Offset: 02971000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_2971000_OBbrO5rwew.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AllocVirtual
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 4275171209-0
                                                                                                                                                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                                            • Instruction ID: 161e7ecfc7aee15fd8423bd7ba4ba708986e5df6511ef1b41a159de4bbb905a2
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5F113C79A40208EFDB01DF98C985E98BBF5BF08750F198094F9489B362D371EA50DF90
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2111251156.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_OBbrO5rwew.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1885482327-0
                                                                                                                                                                                                                            • Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                                                                                                                                                                                                                            • Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2111251156.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_OBbrO5rwew.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1885482327-0
                                                                                                                                                                                                                            • Opcode ID: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
                                                                                                                                                                                                                            • Instruction ID: f7568a5a22988f4b084f7ac8228f9b89e575eda69d31bfffabc36cd9cbe45c64
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BDF0C2B6208144F7DB019AA18DB1FBA36299B44314F300233BA17B90F5C67C8612E76F
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2111251156.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_OBbrO5rwew.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1885482327-0
                                                                                                                                                                                                                            • Opcode ID: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
                                                                                                                                                                                                                            • Instruction ID: 9d6088553fbd849a34ffa1589a5f9bffd683413c7e042594889390f4c4f3f426
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 08F0C2B2208144F7DB019A958DA0FBA36299B44314F300633B617B91F5C57C8A02E72F
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GlobalAlloc.KERNELBASE(00000000,00417ACF), ref: 004175CF
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2111267554.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_40b000_OBbrO5rwew.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AllocGlobal
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3761449716-0
                                                                                                                                                                                                                            • Opcode ID: 20012f5a8a8e083835d957f97b48675ea741ad0d45c9d15c983ba4c9d8ca128f
                                                                                                                                                                                                                            • Instruction ID: 7acd516925e6f7387556f95416eae3ef751249f353d81beb127662a4284496eb
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 20012f5a8a8e083835d957f97b48675ea741ad0d45c9d15c983ba4c9d8ca128f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2CB01274940204CFE2001FB1D84474E7E90B308202F42C436F508C1184DEB0040C5F20
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GlobalAlloc.KERNELBASE(00000000,00417ACF), ref: 004175CF
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2111267554.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_40b000_OBbrO5rwew.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AllocGlobal
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3761449716-0
                                                                                                                                                                                                                            • Opcode ID: 6adb750e7ea17ba4dfc271b57f0e32d75a63e91da777faa17e994a4e47bbaa96
                                                                                                                                                                                                                            • Instruction ID: d55db0c2126c828c826ef05274ed4aaa6eabc9571a3453db39e0ff1d3a989bdf
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6adb750e7ea17ba4dfc271b57f0e32d75a63e91da777faa17e994a4e47bbaa96
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B6B01270C80204DFDB000FB0EC44B0C7FA1B30C302F40C415F50441158CFB004289F20
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
• Source File: 00000000.00000002.2112462059.0000000002780000.00000040.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2780000_OBbrO5rwew.jbxd
Yara matches
Similarity
• API ID:
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518
• Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction ID: e776f8af7ad6e00c27cf0fe8fa7ddbee1d7dce2944122411ae565baa21e1a392
• Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction Fuzzy Hash: 2F314AB6940609DFDB10DF99C884AAEBBF9FF48324F15404AD841A7310D771EA49CFA4

Memory Dump Source
• Source File: 00000000.00000002.2113001680.0000000002971000.00000040.00000020.00020000.00000000.sdmp, Offset: 02971000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2971000_OBbrO5rwew.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction ID: 6eaf974df16ed12051bb9b296bc6f93f9d9540783941be2496609c07501319be
• Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction Fuzzy Hash: 5B118B72340100AFDB54DF59DC90FA673EAEB88260B298165ED08CB316E675E842CB60

Memory Dump Source
• Source File: 00000000.00000002.2112462059.0000000002780000.00000040.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2780000_OBbrO5rwew.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction ID: 110e7a00586266de584b1cb35a597225523da46c76988485b301bfda87e2ff6a
• Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction Fuzzy Hash: 8D01F272A506008FDF21EF20C805BAB33E5FB86306F0540A4D90A97282E370A8498B90

APIs
• CreateJobObjectW.KERNEL32(00000000,00000000), ref: 00417761
• OpenJobObjectA.KERNEL32(00000000,00000000,00000000), ref: 0041777E
• BuildCommDCBW.KERNEL32(00000000,?), ref: 00417789
• LoadLibraryA.KERNEL32(00000000), ref: 00417790
Memory Dump Source
• Source File: 00000000.00000002.2111267554.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40b000_OBbrO5rwew.jbxd
Similarity
• API ID: Object$BuildCommCreateLibraryLoadOpen
• String ID:
• API String ID: 2043902199-0
• Opcode ID: 939e56036da5756a061bbeefc0a27a55f9235df013a0563e61747818e7e4a47e
• Instruction ID: 4515a9c7437b9e0fe3ec3ec51993aef5b3449634b35f6b5ffc917d4fb0ad9f04
• Opcode Fuzzy Hash: 939e56036da5756a061bbeefc0a27a55f9235df013a0563e61747818e7e4a47e
• Instruction Fuzzy Hash: 39E03930802528EF8710AB61EC889DF7EACFF0A355B418024F40591145DB785A49CFE9

APIs
• GetModuleHandleW.KERNEL32(02705280), ref: 004176D0
• GetProcAddress.KERNEL32(00000000,0041D350), ref: 0041770D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2111267554.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40b000_OBbrO5rwew.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID:
• API String ID: 1646373207-3916222277
• Opcode ID: 8a5b3b99fac593708412bfbcc17a6ff225d76bbcef04d557aa141234462e004a
• Instruction ID: 7a25b57b0c66c5d35c6e525ff0892f9158f83bbb79032c0c2dd382ccbe736b57
• Opcode Fuzzy Hash: 8a5b3b99fac593708412bfbcc17a6ff225d76bbcef04d557aa141234462e004a
• Instruction Fuzzy Hash: E631B1B5D883C4DCF30187A4B8497B23BA1AF16B04F48842AD954CB2E5D7FA0558C76F

APIs
• GetComputerNameW.KERNEL32(?,?), ref: 004177E9
• SleepEx.KERNEL32(00000000,00000000), ref: 004177F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2111267554.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40b000_OBbrO5rwew.jbxd
Similarity
• API ID: ComputerNameSleep
• String ID: -
• API String ID: 3354815184-2547889144
• Opcode ID: 84de461c408571a36b8544ff90d20fe01b85d367c1418c9d7001a7ea02f55477
• Instruction ID: 4bc4e2b669ec57b8e46ef381752ae3bbf69e618f31d1c91a097168942e545554
• Opcode Fuzzy Hash: 84de461c408571a36b8544ff90d20fe01b85d367c1418c9d7001a7ea02f55477
• Instruction Fuzzy Hash: 8301F230804219CAD7609F649881BDABBF8EB08324F5181AAD691A6081CF346ACC8FD8

Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 22.5%
Signature Coverage: 0%
Total number of Nodes: 142
Total number of Limit Nodes: 6

execution_graph, listed as block -> successor blocks (the API calls recorded for a block follow its address); each list starts at a block that no other block reaches:

Entry 27c003c:
• 27c003c -> 27c0049
• 27c0049 -> 27c0e0f
• 27c0e0f SetErrorMode SetErrorMode -> 27c0223
• 27c0223 -> 27c0d90
• 27c0d90 -> 27c0dad
• 27c0dad -> 27c0dbb, 27c0238
• 27c0dbb GetPEB -> 27c0238
• 27c0238 VirtualAlloc -> 27c0265
• 27c0265 -> 27c02ce
• 27c02ce VirtualProtect -> 27c030b
• 27c030b -> 27c0439
• 27c0439 VirtualFree -> 27c04be
• 27c04be LoadLibraryA -> 27c08c7

Entry 27c092b:
• 27c092b GetPEB -> 27c0972

Entry 417b81:
• 417b81 -> 417864
• 417864 -> 417871
• 417871 -> 4178e9, 4179e1
• 4178e9 lstrcatW InterlockedExchangeAdd WriteConsoleW -> 417924
• 417924 (7 API calls) -> 4179d3, 4179ac
• 4179ac GetBoundsRect EnumDependentServicesA -> 4179d3
• 4179d3 -> 4179e1
• 4179e1 -> 4179ef, 4179fe, 417a4b, 417a5f
• 4179ef GlobalAlloc AddAtomA -> 4179fe
• 4179fe GetCommProperties GetTickCount GetLastError -> 417a24, 417a2b
• 417a24 ZombifyActCtx -> 417a2b
• 417a2b GetConsoleAliasesW -> 4179e1
• 417a4b FoldStringA -> 4179e1
• 417a5f -> 4175c7
• 4175c7 GlobalAlloc -> 417acf
• 417acf LoadLibraryA -> 417604
• 417604 -> 417643
• 417643 -> 41764f, 417725
• 41764f GetModuleHandleW GetProcAddress -> 417643
• 417725 -> 4175e6
• 4175e6 VirtualProtect -> 417b32
• 417b32 -> 417821
• 417821 -> 41774a
• 41774a -> 417767, 41775f
• 41775f CreateJobObjectW -> 417767
• 417767 -> 417796, 41777b
• 41777b OpenJobObjectA BuildCommDCBW LoadLibraryA -> 417796
• 417796 -> 417844, 41785c
• 417844 GetConsoleAliasExesLengthA UnhandledExceptionFilter FindFirstVolumeA -> 41785c
• 41785c -> 4177a1
• 4177a1 -> 4177bb, 4177fe
• 4177bb -> 4177db, 4177fe
• 4177db GetComputerNameW SleepEx -> 4177bb
• 4177fe -> 417861
• 417861 -> 417b37
• 417b37 -> 417b89
• 417b89 -> 417864 (34 API calls), 4175c7 GlobalAlloc, 4175c6 GlobalAlloc; each of the three returns to 417b89

Entry 402e63:
• 402e63 -> 402e67
• 402e67 -> 401918 (8 API calls), 402f44
• 401918 (8 API calls) -> 402f44

Entry 401543:
• 401543 -> 401546
• 401546 -> 4015e6, 401702
• 4015e6 NtDuplicateObject -> 401603, 401702
• 401603 NtCreateSection -> 401683, 401629
• 401629 NtMapViewOfSection -> 401683, 40164c
• 40164c NtMapViewOfSection -> 401683, 40166a
• 40166a -> 401683
• 401683 NtCreateSection -> 4016af, 401702
• 4016af -> 4016b9, 401702
• 4016b9 NtMapViewOfSection -> 401702, 4016e0
• 4016e0 NtMapViewOfSection -> 401702

Entry 401924:
• 401924 -> 401929
• 401929 -> 40195e
• 40195e Sleep -> 401979
• 401979 -> 401538 (7 API calls), 40198a
• 401538 (7 API calls) -> 40198a

Entry 2852b00:
• 2852b00 -> 2852b0f
• 2852b0f -> 28532a0
• 28532a0 -> 28532bb
• 28532bb -> 28532c4, 28532e0
• 28532c4 CreateToolhelp32Snapshot -> 28532bb, 28532e0
• 28532e0 Module32First -> 2852b18, 28532ef
• 28532ef -> 2852f5f
• 2852f5f -> 2852f8a
• 2852f8a -> 2852fd3, 2852f9b
• 2852f9b VirtualAlloc -> 2852fd3
• 2852fd3 -> 2852fd3

Entry 402fe9:
• 402fe9 -> 403140, 403013
• 403013 -> 403140, 4030ce
• 4030ce RtlCreateUserThread NtTerminateProcess -> 403140

Entry 2852af0:
• 2852af0 -> 2852b00
• 2852b00 -> 28532a0 (3 API calls)
• 28532a0 (3 API calls) -> 2852b18

Entry 401496:
• 401496 -> 401447
• 401447 -> 401496, 4015e6, 40152f
• 4015e6 NtDuplicateObject -> 401603, 40152f, followed by the same NtCreateSection / NtMapViewOfSection blocks as under entry 401543, with 40152f in place of 401702 as the exit block

Entry 402eb7:
• 402eb7 -> 402eb8
• 402eb8 -> 402f44, 401918
• 401918 -> 401929
• 401929 -> 40195e
• 40195e Sleep -> 401979
• 401979 -> 40198a, 401538
• 40198a -> 402f44
• 401538 -> 401539
• 401539 -> 4015e6, 401702, followed by the same NtDuplicateObject / NtCreateSection / NtMapViewOfSection blocks as under entry 401543
• 401702 -> 40198a

Entry 4014de:
• 4014de -> 401447
• 401447 -> 4015e6, 40152f, followed by the same blocks as under entry 401496
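Added example, not part of the Joe Sandbox report or of Joe Security's tooling: a parser for the execution_graph and control_flow_graph serializations as they appear on this page, which rebuilds nodes and edges and reports every path on which a section is created and then mapped at least twice (the NtCreateSection -> NtMapViewOfSection -> NtMapViewOfSection shape under the 401543, 401496 and 4014de entries), plus whether RtlCreateUserThread appears anywhere in the graph. The token grammar is inferred from the text above and is an assumption; the sample input is constructed from fragments of the graph text above.

```python
"""Rebuild a Joe Sandbox graph from its serialized text and hunt for a
section-mapping injection pattern.

Grammar assumed from the report's own serialization (an assumption, not a
documented Joe Sandbox format): tokens are whitespace-separated; "<id>-><id>"
is an edge; "<id> <addr>" (id: up to 4 decimal digits, addr: 6-8 hex digits or
a hex range) opens a node; every other token ("VirtualAlloc", "34 API calls",
"call 4011b7") annotates the node opened last.
"""
import re
from collections import defaultdict

ADDR_RE = re.compile(r"[0-9a-f]{6,8}(?:-[0-9a-f]{6,8})?$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NOISE = {"API", "calls", "call"}          # annotation words that are not API names
INJECTION = ("NtCreateSection", "NtMapViewOfSection", "NtMapViewOfSection")


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, [labels]); edges is [(src, dst)]."""
    toks = text.split()
    if toks and toks[0].endswith("_graph"):       # "execution_graph" / "control_flow_graph"
        toks = toks[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif tok.isdigit() and len(tok) <= 4 and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = int(tok)
            nodes[cur] = (toks[i + 1], [])
            i += 1                                  # the address token is consumed too
        elif cur is not None:
            nodes[cur][1].append(tok)
        i += 1
    return nodes, edges


def api_names(labels):
    """Keep only API-name labels, dropping counts, hex addresses and filler words."""
    return [l for l in labels if l not in NOISE and not l.isdigit() and not ADDR_RE.match(l)]


def api_paths(nodes, edges, max_depth=64):
    """API-name sequences along every simple path that starts at a root (no incoming edge)."""
    succ, indeg = defaultdict(list), defaultdict(int)
    for s, d in edges:
        succ[s].append(d)
        indeg[d] += 1
    paths = []

    def walk(n, seen, apis):
        apis = apis + api_names(nodes.get(n, ("", []))[1])
        nxt = [d for d in succ[n] if d not in seen]
        if not nxt or len(seen) >= max_depth:
            paths.append(apis)
            return
        for d in nxt:
            walk(d, seen | {d}, apis)

    for root in (n for n in nodes if indeg[n] == 0):
        walk(root, {root}, [])
    return paths


def has_subsequence(seq, pattern):
    """True if pattern occurs in seq in order (not necessarily adjacent)."""
    it = iter(seq)
    return all(p in it for p in pattern)


def find_section_mapping_injection(text):
    """Paths that create a section and map it at least twice, plus whether a remote-thread API appears."""
    nodes, edges = parse_graph(text)
    hits = [p for p in api_paths(nodes, edges) if has_subsequence(p, INJECTION)]
    seen_apis = {a for _, labels in nodes.values() for a in api_names(labels)}
    return {"mapping_paths": hits, "remote_thread": "RtlCreateUserThread" in seen_apis}


# Constructed sample: fragments copied from this report's execution_graph serialization.
SAMPLE_GRAPH = (
    "execution_graph 3753 27c003c 3754 27c0049 3753->3754 3766 27c0e0f SetErrorMode SetErrorMode "
    "3754->3766 3759 27c0265 3760 27c02ce VirtualProtect 3759->3760 3762 27c030b 3760->3762 "
    "3761 27c0439 VirtualFree 3764 27c04be LoadLibraryA 3761->3764 3762->3761 3765 27c08c7 3764->3765 "
    "3767 27c0223 3766->3767 3768 27c0d90 3767->3768 3769 27c0dad 3768->3769 3770 27c0dbb GetPEB "
    "3769->3770 3771 27c0238 VirtualAlloc 3769->3771 3770->3771 3771->3759 "
    "3772 417b81 3778 417864 3772->3778 3774 417b89 3775 417864 34 API calls 3774->3775 "
    "3800 4175c7 GlobalAlloc 3774->3800 3775->3774 3800->3774 "
    "3911 401543 3913 401546 3911->3913 3912 4015e6 NtDuplicateObject 3914 401603 NtCreateSection "
    "3912->3914 3921 401702 3912->3921 3913->3912 3913->3921 3915 401683 NtCreateSection 3914->3915 "
    "3916 401629 NtMapViewOfSection 3914->3916 3917 4016af 3915->3917 3915->3921 "
    "3918 40164c NtMapViewOfSection 3916->3918 3919 4016b9 NtMapViewOfSection 3917->3919 3917->3921 "
    "3918->3915 3920 40166a 3918->3920 3919->3921 3922 4016e0 NtMapViewOfSection 3919->3922 "
    "3920->3915 3922->3921 "
    "3861 402fe9 3862 403140 3861->3862 3863 403013 3861->3863 3863->3862 "
    "3864 4030ce RtlCreateUserThread NtTerminateProcess 3863->3864 3864->3862"
)

if __name__ == "__main__":
    result = find_section_mapping_injection(SAMPLE_GRAPH)
    print(len(result["mapping_paths"]), "section-mapping path(s); remote thread API:", result["remote_thread"])
    for p in sorted(set(tuple(x) for x in result["mapping_paths"]))[:3]:
        print(" -> ".join(p))
```

The root-based walk deliberately ignores cycles such as 417b89 <-> 417864 (34 API calls), so it terminates on graphs that loop; the "34 API calls" and "call 4011b7" annotations are parsed as labels but never mistaken for node ids, because a node is only opened when a short decimal token is immediately followed by a hex address or range. Feeding the full execution_graph line from this report into find_section_mapping_injection gives the same verdict (section created and mapped repeatedly on the 401543/401496/4014de paths, RtlCreateUserThread present at 4030ce).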

Control-flow Graph

• Executed
• Not Executed

control_flow_graph for the function at 401496, listed as basic block -> successor blocks (calls recorded for a block follow its address range):
• 401496-4014a5 -> 4014a7, 40151b-40152d
• 4014a7 -> 4014a9-4014b5, 4014cf
• 40151b-40152d -> 4014ba, 40152f-401535
• 4014a9-4014b5 -> 401471-401472, 4014b7-4014b8
• 4014cf -> 4014d6
• 4014d6 -> 4014d6, 4014d8
• 401471-401472 -> 401473-401484
• 4014b7-4014b8 -> 4014ba, 401449
• 4014ba -> 401447-401456, 4014bc-4014c3
• 40152f-401535 -> (no successor)
• 4014d8 -> 40151b-40152d
• 401473-401484 -> 40147b-40148e
• 401449 -> 40147b-40148e, 40144b
• 401447-401456 -> 40144c-401470
• 4014bc-4014c3 -> 4014c5-4014c8, 401539-401567
• 40147b-40148e call 4011b7 -> 401496-4014a5
• 40144b -> 40144c-401470
• 4014c5-4014c8 -> 4014cf
• 401539-401567 -> 401558-401563, 40156a-401590
• 40144c-401470 -> 401473-401484
• 401558-401563 -> 40156a-401590
• 40156a-401590 call 4011b7 -> 401592, 401595-40159a
• 401592 -> 401595-40159a
• 401595-40159a -> 4015a0-4015b1, 4018b8-4018c0
• 4015a0-4015b1 -> 4018b6-4018c5, 4015b7-4015e0
• 4018b8-4018c0 -> 401595-40159a
• 4018b6-4018c5 -> 4018da, 4018cb-4018d6
• 4015b7-4015e0 -> 4018b6-4018c5, 4015e6-4015fd
• 4018da -> 4018cb-4018d6, 4018dd-401915
• 4018cb-4018d6 -> 4018dd-401915
• 4018dd-401915 call 4011b7 -> (no successor)
• 4015e6-4015fd NtDuplicateObject -> 4018b6-4018c5, 401603-401627
• 401603-401627 NtCreateSection -> 401683-4016a9, 401629-40164a
• 401683-4016a9 NtCreateSection -> 4018b6-4018c5, 4016af-4016b3
• 401629-40164a NtMapViewOfSection -> 401683-4016a9, 40164c-401668
• 4016af-4016b3 -> 4018b6-4018c5, 4016b9-4016da
• 40164c-401668 NtMapViewOfSection -> 401683-4016a9, 40166a-401680
• 4016b9-4016da NtMapViewOfSection -> 4018b6-4018c5, 4016e0-4016fc
• 40166a-401680 -> 401683-4016a9
• 4016e0-4016fc NtMapViewOfSection -> 4018b6-4018c5, 401702
• 401702 call 401707 -> (no successor)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5 (Options 0x2 = DUPLICATE_SAME_ACCESS)
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622 (DesiredAccess 0x6 = SECTION_MAP_WRITE | SECTION_MAP_READ, ObjectAttributes NULL, SectionPageProtection 0x4 = PAGE_READWRITE, AllocationAttributes 0x08000000 = SEC_COMMIT, FileHandle NULL, i.e. a pagefile-backed section rather than a mapped file)
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645 (InheritDisposition 1 = ViewShare, AllocationType 0, Win32Protect 0x4 = PAGE_READWRITE)
This listing records only the first call site of each API. The control-flow graph above shows NtCreateSection in two blocks (401603-401627 and 401683-4016a9) and NtMapViewOfSection in four (401629-40164a, 40164c-401668, 4016b9-4016da and 4016e0-4016fc), every failing call branching to the 4018b6-4018c5 cleanup block; the execution graph places RtlCreateUserThread at 4030ce in the same dump. When triaging, match the section handle and the process-handle argument across the NtMapViewOfSection calls: a section created with PAGE_READWRITE and no file handle that is mapped more than once is what to look for when confirming a section-mapping injection.
Memory Dump Source
• Source File: 00000004.00000002.2409824089.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_deetubv.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectView
• String ID:
• API String ID: 1652636561-0
• Opcode ID: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
                                                                                                                                                                                                                            • Instruction ID: 8e4940cc2d5d294876689a6a874cb0cc3c399929e81e9dec1e5d288c8cd9e9dd
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F481B375500244BBEB209F91CC44FAB7BB8FF85704F10412AF952BA2F1E7749901CB69

Control-flow graph (edge list and executed/not-executed colouring omitted): entry block 401538, basic blocks spanning 401538-401915; calls 4011b7 and 401707, with the NtDuplicateObject / NtCreateSection / NtMapViewOfSection sequence in blocks 4015e6-4016fc.
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5 (Options 0x2 = DUPLICATE_SAME_ACCESS)
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622 (DesiredAccess 0x6 = SECTION_MAP_READ|SECTION_MAP_WRITE, SectionPageProtection 0x4 = PAGE_READWRITE, AllocationAttributes 0x08000000 = SEC_COMMIT, FileHandle NULL: a pagefile-backed section)
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645 (InheritDisposition 0x1 = ViewShare, Win32Protect 0x4 = PAGE_READWRITE)
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663 (second view of the same section, ProcessHandle known only at runtime, Win32Protect 0x4 = PAGE_READWRITE)
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4 (DesiredAccess 0xE = SECTION_MAP_READ|SECTION_MAP_WRITE|SECTION_MAP_EXECUTE, SectionPageProtection 0x40 = PAGE_EXECUTE_READWRITE, SEC_COMMIT, no backing file)
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5 (Win32Protect 0x4 = PAGE_READWRITE)
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7 (ProcessHandle known only at runtime, Win32Protect 0x20 = PAGE_EXECUTE_READ)
Each pagefile-backed section is mapped twice: once writable, then again under a process handle that is resolved at runtime, and the second section's runtime-handle view is executable. That is the write-into-one-view, execute-from-the-other shape of section-mapping code injection.
Memory Dump Source
• Source File: 00000004.00000002.2409824089.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_deetubv.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
• Instruction ID: 71a4d0092025beca94809e07d65936591d52f1bb8effc294688e3fcd05e54c36
• Opcode Fuzzy Hash: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
• Instruction Fuzzy Hash: E0615171900204FBEB209F95CC89FAF7BB8FF85700F10412AF912BA2E5D6759905DB65

Control-flow graph (edge list and executed/not-executed colouring omitted): entry block 4014de, basic blocks spanning 401447-401915; calls 4011b7 and 401707, with the NtDuplicateObject / NtCreateSection / NtMapViewOfSection sequence in blocks 4015e6-4016fc.
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5 (Options 0x2 = DUPLICATE_SAME_ACCESS)
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622 (DesiredAccess 0x6 = SECTION_MAP_READ|SECTION_MAP_WRITE, SectionPageProtection 0x4 = PAGE_READWRITE, AllocationAttributes 0x08000000 = SEC_COMMIT, FileHandle NULL: a pagefile-backed section)
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645 (InheritDisposition 0x1 = ViewShare, Win32Protect 0x4 = PAGE_READWRITE)
Memory Dump Source
• Source File: 00000004.00000002.2409824089.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_deetubv.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectView
• String ID:
• API String ID: 1652636561-0
• Opcode ID: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
• Instruction ID: 6a824664258ffec6fdf95c516407446232c8a84219ad61b9fd4b8efeb52f3576
• Opcode Fuzzy Hash: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
• Instruction Fuzzy Hash: 9B615C75900245BFEB219F91CC88FEBBBB8FF85710F10016AF951BA2A5E7749901CB24

Control-flow graph (edge list and executed/not-executed colouring omitted): entry block 401543, basic blocks spanning 401543-401915; calls 4011b7 and 401707, with the NtDuplicateObject / NtCreateSection / NtMapViewOfSection sequence in blocks 4015e6-4016fc.
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5 (Options 0x2 = DUPLICATE_SAME_ACCESS)
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622 (DesiredAccess 0x6 = SECTION_MAP_READ|SECTION_MAP_WRITE, SectionPageProtection 0x4 = PAGE_READWRITE, AllocationAttributes 0x08000000 = SEC_COMMIT, FileHandle NULL: a pagefile-backed section)
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645 (InheritDisposition 0x1 = ViewShare, Win32Protect 0x4 = PAGE_READWRITE)
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663 (second view of the same section, ProcessHandle known only at runtime, Win32Protect 0x4 = PAGE_READWRITE)
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4 (DesiredAccess 0xE = SECTION_MAP_READ|SECTION_MAP_WRITE|SECTION_MAP_EXECUTE, SectionPageProtection 0x40 = PAGE_EXECUTE_READWRITE, SEC_COMMIT, no backing file)
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5 (Win32Protect 0x4 = PAGE_READWRITE)
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7 (ProcessHandle known only at runtime, Win32Protect 0x20 = PAGE_EXECUTE_READ)
Memory Dump Source
• Source File: 00000004.00000002.2409824089.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_deetubv.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
• Instruction ID: 1fc6fb52bb36dddf8f971a96ecfe927bdbae9887f6286775c14151e9c1d92244
• Opcode Fuzzy Hash: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
• Instruction Fuzzy Hash: 13512B71900245BBEB209F91CC88FAF7BB8EF85B00F14416AF912BA2E5D6749945CB64

Control-flow graph (edge list and executed/not-executed colouring omitted): entry block 401565, basic blocks spanning 401565-401915; calls 4011b7 and 401707, with the NtDuplicateObject / NtCreateSection / NtMapViewOfSection sequence in blocks 4015e6-4016fc.
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5 (Options 0x2 = DUPLICATE_SAME_ACCESS)
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622 (DesiredAccess 0x6 = SECTION_MAP_READ|SECTION_MAP_WRITE, SectionPageProtection 0x4 = PAGE_READWRITE, AllocationAttributes 0x08000000 = SEC_COMMIT, FileHandle NULL: a pagefile-backed section)
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645 (InheritDisposition 0x1 = ViewShare, Win32Protect 0x4 = PAGE_READWRITE)
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663 (second view of the same section, ProcessHandle known only at runtime, Win32Protect 0x4 = PAGE_READWRITE)
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4 (DesiredAccess 0xE = SECTION_MAP_READ|SECTION_MAP_WRITE|SECTION_MAP_EXECUTE, SectionPageProtection 0x40 = PAGE_EXECUTE_READWRITE, SEC_COMMIT, no backing file)
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5 (Win32Protect 0x4 = PAGE_READWRITE)
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7 (ProcessHandle known only at runtime, Win32Protect 0x20 = PAGE_EXECUTE_READ)
Memory Dump Source
• Source File: 00000004.00000002.2409824089.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_deetubv.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
• Instruction ID: d88667ffe02cbbb2798d41d5ad0cf6527765788d972b82ac88077c7d238bff09
• Opcode Fuzzy Hash: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
• Instruction Fuzzy Hash: 54511A71900205BFEF209F91CC89FAFBBB8FF85B10F104259F911AA2A5D7759941CB64

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 448 401579-401590 call 4011b7 454 401592 448->454 455 401595-40159a 448->455 454->455 457 4015a0-4015b1 455->457 458 4018b8-4018c0 455->458 462 4018b6-4018c5 457->462 463 4015b7-4015e0 457->463 458->455 466 4018da 462->466 467 4018cb-4018d6 462->467 463->462 471 4015e6-4015fd NtDuplicateObject 463->471 466->467 468 4018dd-401915 call 4011b7 466->468 467->468 471->462 473 401603-401627 NtCreateSection 471->473 475 401683-4016a9 NtCreateSection 473->475 476 401629-40164a NtMapViewOfSection 473->476 475->462 478 4016af-4016b3 475->478 476->475 479 40164c-401668 NtMapViewOfSection 476->479 478->462 481 4016b9-4016da NtMapViewOfSection 478->481 479->475 482 40166a-401680 479->482 481->462 485 4016e0-4016fc NtMapViewOfSection 481->485 482->475 485->462 487 401702 call 401707 485->487
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                                                                                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2409824089.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_deetubv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1546783058-0
                                                                                                                                                                                                                            • Opcode ID: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
                                                                                                                                                                                                                            • Instruction ID: 7169477154cf1621f4f222e223ad54e678f31395e99d0ffd613e12cb64d905d3
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B511A75900245BBEF209F91CC88FEF7BB8FF85B10F104119F911BA2A5D6759941CB64

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 490 40157c-401590 call 4011b7 494 401592 490->494 495 401595-40159a 490->495 494->495 497 4015a0-4015b1 495->497 498 4018b8-4018c0 495->498 502 4018b6-4018c5 497->502 503 4015b7-4015e0 497->503 498->495 506 4018da 502->506 507 4018cb-4018d6 502->507 503->502 511 4015e6-4015fd NtDuplicateObject 503->511 506->507 508 4018dd-401915 call 4011b7 506->508 507->508 511->502 513 401603-401627 NtCreateSection 511->513 515 401683-4016a9 NtCreateSection 513->515 516 401629-40164a NtMapViewOfSection 513->516 515->502 518 4016af-4016b3 515->518 516->515 519 40164c-401668 NtMapViewOfSection 516->519 518->502 521 4016b9-4016da NtMapViewOfSection 518->521 519->515 522 40166a-401680 519->522 521->502 525 4016e0-4016fc NtMapViewOfSection 521->525 522->515 525->502 527 401702 call 401707 525->527
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                                                                                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2409824089.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_deetubv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1546783058-0
                                                                                                                                                                                                                            • Opcode ID: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
                                                                                                                                                                                                                            • Instruction ID: 14f4b29c405daff92d21e2b3eea283823ae405efc36948ac0d92101f557811aa
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DE51F9B5900245BBEF209F91CC88FEFBBB8FF85B10F104259F911AA2A5D6709944CB64

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 530 402fe9-40300d 531 403140-403145 530->531 532 403013-40302b 530->532 532->531 533 403031-403042 532->533 534 403044-40304d 533->534 535 403052-403060 534->535 535->535 536 403062-403069 535->536 537 40308b-403092 536->537 538 40306b-40308a 536->538 539 4030b4-4030b7 537->539 540 403094-4030b3 537->540 538->537 541 4030c0 539->541 542 4030b9-4030bc 539->542 540->539 541->534 544 4030c2-4030c7 541->544 542->541 543 4030be 542->543 543->544 544->531 545 4030c9-4030cc 544->545 545->531 546 4030ce-40313d RtlCreateUserThread NtTerminateProcess 545->546 546->531
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2409824089.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_deetubv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CreateProcessTerminateThreadUser
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1921587553-0
                                                                                                                                                                                                                            • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                                                                                                                                                                            • Instruction ID: 3e1675bac70c022a4e457ffe6b5fa54937b73e0116388ba90aec32851b4d9964
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A1412431228E088FD768EF5CA885762B7D5F798311F6643AAE809D7389EA34DC1183C5

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • lstrcatW.KERNEL32(?,00000000), ref: 004178F1
                                                                                                                                                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004178FF
                                                                                                                                                                                                                            • WriteConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 00417916
                                                                                                                                                                                                                            • lstrcpynW.KERNEL32(?,00000000,00000000), ref: 0041792D
                                                                                                                                                                                                                            • GetAtomNameA.KERNEL32(00000000,00000000,00000000), ref: 00417936
                                                                                                                                                                                                                            • AreFileApisANSI.KERNEL32 ref: 0041793C
                                                                                                                                                                                                                            • ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041797D
                                                                                                                                                                                                                            • SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 00417985
                                                                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00417994
                                                                                                                                                                                                                            • EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 0041799D
                                                                                                                                                                                                                            • GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 004179AF
                                                                                                                                                                                                                            • EnumDependentServicesA.ADVAPI32(00000000,00000000,?,00000000,?,?), ref: 004179CD
                                                                                                                                                                                                                            • GlobalAlloc.KERNEL32(00000000,00000000), ref: 004179F1
                                                                                                                                                                                                                            • AddAtomA.KERNEL32(00000000), ref: 004179F8
                                                                                                                                                                                                                            • GetCommProperties.KERNELBASE(00000000,?), ref: 00417A06
                                                                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 00417A0C
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00417A12
                                                                                                                                                                                                                            • ZombifyActCtx.KERNEL32(00000000), ref: 00417A25
                                                                                                                                                                                                                            • GetConsoleAliasesW.KERNEL32(?,00000000,00000000), ref: 00417A34
                                                                                                                                                                                                                            • FoldStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00417A50
                                                                                                                                                                                                                            • LoadLibraryA.KERNELBASE(0041932C), ref: 00417B22
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2409841873.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_40b000_deetubv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Console$AtomEnumFileName$AliasesAllocApisBoundsCommCountDateDependentErrorExchangeFoldFormatsGlobalInterlockedLastLibraryLoadModuleMountOutputPointPropertiesReadRectServicesStringTickVolumeWriteZombifylstrcatlstrcpyn
                                                                                                                                                                                                                            • String ID: k`$tl_$}$
                                                                                                                                                                                                                            • API String ID: 4004065505-211918992
                                                                                                                                                                                                                            • Opcode ID: 3f471135f84e364f2a0eb20ee48f7b2cba615ed98cdf60eff0620c0a8ab0ccd3
                                                                                                                                                                                                                            • Instruction ID: 56b1ca893189157e86c5a62b41b2738574c3c764a1ae8ed8ac9d5036f9f4919d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3f471135f84e364f2a0eb20ee48f7b2cba615ed98cdf60eff0620c0a8ab0ccd3
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 79815C71845528AFD725AB61EC88CDF7B7CFF0A355B10846AF105E2110CF389A89CFA9

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
• Control-flow graph of function 27c003c: calls VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA, plus subroutines 27c0a3f, 27c0e0f, 27c0d90, 27c0a69, 27c0cce and 27c0ce7.
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 027C024D
Strings
Memory Dump Source
• Source File: 00000004.00000002.2411670729.00000000027C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_27c0000_deetubv.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: c9d470dc7c7957795abc189c36a973c1b69335adeea84ba227bcbd3d3dfc835f
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: FD526A74A01229DFDB64CF68C985BACBBB1BF09304F1480E9E54DAB351DB30AA95CF54

Control-flow Graph
• Function 28532a0: calls CreateToolhelp32Snapshot and Module32First, plus subroutine 2852f5f.
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 028532C8
• Module32First.KERNEL32(00000000,00000224), ref: 028532E8
Memory Dump Source
• Source File: 00000004.00000002.2411929335.0000000002850000.00000040.00000020.00020000.00000000.sdmp, Offset: 02850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2850000_deetubv.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 6aef272da479ae0c242ad953e006e45da4e5c09695a4219d3266e02ceaa05faa
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 38F0F63D200B207FD7203BF9A88DB6F76E8AF497A6F104168EA4AD14C0CB70E8054A61

Control-flow Graph
• Function 27c0e0f: calls SetErrorMode twice.
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,027C0223,?,?), ref: 027C0E19
• SetErrorMode.KERNELBASE(00000000,?,?,027C0223,?,?), ref: 027C0E1E
Memory Dump Source
• Source File: 00000004.00000002.2411670729.00000000027C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_27c0000_deetubv.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: c92a6df4c783e8d54d720dca2f8c92a23e09f1abe3de6e1079c64e047bab2a30
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: EED01231145128B7D7003AA4DC09BCD7B1CDF05B66F108015FB0DD9080C770954046E5

Control-flow Graph
• Function 4175e6: calls VirtualProtect.
APIs
• VirtualProtect.KERNELBASE(00000040,?), ref: 004175FC
Memory Dump Source
• Source File: 00000004.00000002.2409841873.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40b000_deetubv.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
• Instruction ID: 4c62818881ac23e86d27b7ad5f6e3bb285c85b39ac0806b91a2128f0277fdf34
• Opcode Fuzzy Hash: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
• Instruction Fuzzy Hash: 8CC08CB194020DFFDB018B91FC41E8D7BACF300248F808020B716A1060CAB1AD289F68
APIs
• Sleep.KERNELBASE(00001388), ref: 00401966
  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000004.00000002.2409824089.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_deetubv.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
• Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
• Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
• Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F
APIs
• Sleep.KERNELBASE(00001388), ref: 00401966
  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000004.00000002.2409824089.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_deetubv.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
• Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
• Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
• Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02852FB0
Memory Dump Source
• Source File: 00000004.00000002.2411929335.0000000002850000.00000040.00000020.00020000.00000000.sdmp, Offset: 02850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2850000_deetubv.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: e42071dc1bfccdd7b8fd2d722f53a925c4016572d0183e9d66d8f6a47f4ca0f2
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: BA113979A00208EFDB01DF98C985E98BBF5AF08351F0580A4F9489B361D771EA90DF80
APIs
                                                                                                                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2409824089.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_deetubv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1885482327-0
                                                                                                                                                                                                                            • Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                                                                                                                                                                                                                            • Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2409824089.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_deetubv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1885482327-0
                                                                                                                                                                                                                            • Opcode ID: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
                                                                                                                                                                                                                            • Instruction ID: f7568a5a22988f4b084f7ac8228f9b89e575eda69d31bfffabc36cd9cbe45c64
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BDF0C2B6208144F7DB019AA18DB1FBA36299B44314F300233BA17B90F5C67C8612E76F
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2409824089.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_deetubv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1885482327-0
                                                                                                                                                                                                                            • Opcode ID: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
                                                                                                                                                                                                                            • Instruction ID: 9d6088553fbd849a34ffa1589a5f9bffd683413c7e042594889390f4c4f3f426
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 08F0C2B2208144F7DB019A958DA0FBA36299B44314F300633B617B91F5C57C8A02E72F
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GlobalAlloc.KERNELBASE(00000000,00417ACF), ref: 004175CF
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2409841873.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_40b000_deetubv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AllocGlobal
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3761449716-0
                                                                                                                                                                                                                            • Opcode ID: 20012f5a8a8e083835d957f97b48675ea741ad0d45c9d15c983ba4c9d8ca128f
                                                                                                                                                                                                                            • Instruction ID: 7acd516925e6f7387556f95416eae3ef751249f353d81beb127662a4284496eb
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 20012f5a8a8e083835d957f97b48675ea741ad0d45c9d15c983ba4c9d8ca128f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2CB01274940204CFE2001FB1D84474E7E90B308202F42C436F508C1184DEB0040C5F20
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GlobalAlloc.KERNELBASE(00000000,00417ACF), ref: 004175CF
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2409841873.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_40b000_deetubv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AllocGlobal
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3761449716-0
                                                                                                                                                                                                                            • Opcode ID: 6adb750e7ea17ba4dfc271b57f0e32d75a63e91da777faa17e994a4e47bbaa96
                                                                                                                                                                                                                            • Instruction ID: d55db0c2126c828c826ef05274ed4aaa6eabc9571a3453db39e0ff1d3a989bdf
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6adb750e7ea17ba4dfc271b57f0e32d75a63e91da777faa17e994a4e47bbaa96
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B6B01270C80204DFDB000FB0EC44B0C7FA1B30C302F40C415F50441158CFB004289F20
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • CreateJobObjectW.KERNEL32(00000000,00000000), ref: 00417761
                                                                                                                                                                                                                            • OpenJobObjectA.KERNEL32(00000000,00000000,00000000), ref: 0041777E
                                                                                                                                                                                                                            • BuildCommDCBW.KERNEL32(00000000,?), ref: 00417789
                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(00000000), ref: 00417790
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2409841873.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_40b000_deetubv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Object$BuildCommCreateLibraryLoadOpen
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2043902199-0
                                                                                                                                                                                                                            • Opcode ID: 939e56036da5756a061bbeefc0a27a55f9235df013a0563e61747818e7e4a47e
                                                                                                                                                                                                                            • Instruction ID: 4515a9c7437b9e0fe3ec3ec51993aef5b3449634b35f6b5ffc917d4fb0ad9f04
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 939e56036da5756a061bbeefc0a27a55f9235df013a0563e61747818e7e4a47e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 39E03930802528EF8710AB61EC889DF7EACFF0A355B418024F40591145DB785A49CFE9
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetModuleHandleW.KERNEL32(02705280), ref: 004176D0
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,0041D350), ref: 0041770D
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
• Source File: 00000004.00000002.2409841873.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40b000_deetubv.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID:
• API String ID: 1646373207-3916222277
• Opcode ID: 8a5b3b99fac593708412bfbcc17a6ff225d76bbcef04d557aa141234462e004a
• Instruction ID: 7a25b57b0c66c5d35c6e525ff0892f9158f83bbb79032c0c2dd382ccbe736b57
• Opcode Fuzzy Hash: 8a5b3b99fac593708412bfbcc17a6ff225d76bbcef04d557aa141234462e004a
• Instruction Fuzzy Hash: E631B1B5D883C4DCF30187A4B8497B23BA1AF16B04F48842AD954CB2E5D7FA0558C76F
APIs
• GetComputerNameW.KERNEL32(?,?), ref: 004177E9
• SleepEx.KERNEL32(00000000,00000000), ref: 004177F3
Strings
Memory Dump Source
• Source File: 00000004.00000002.2409841873.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40b000_deetubv.jbxd
Similarity
• API ID: ComputerNameSleep
• String ID: -
• API String ID: 3354815184-2547889144
• Opcode ID: 84de461c408571a36b8544ff90d20fe01b85d367c1418c9d7001a7ea02f55477
• Instruction ID: 4bc4e2b669ec57b8e46ef381752ae3bbf69e618f31d1c91a097168942e545554
• Opcode Fuzzy Hash: 84de461c408571a36b8544ff90d20fe01b85d367c1418c9d7001a7ea02f55477
• Instruction Fuzzy Hash: 8301F230804219CAD7609F649881BDABBF8EB08324F5181AAD691A6081CF346ACC8FD8

Execution Graph

Execution Coverage: 18.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 19.5%
Total number of Nodes: 1453
Total number of Limit Nodes: 32
                                                                                                                                                                                                                            execution_graph 4021 401ec5 4022 402c17 17 API calls 4021->4022 4023 401ecb 4022->4023 4024 402c17 17 API calls 4023->4024 4025 401ed7 4024->4025 4026 401ee3 ShowWindow 4025->4026 4027 401eee EnableWindow 4025->4027 4028 402ac5 4026->4028 4027->4028 3366 401746 3367 402c39 17 API calls 3366->3367 3368 40174d 3367->3368 3372 405f4a 3368->3372 3370 401754 3371 405f4a 2 API calls 3370->3371 3371->3370 3373 405f55 GetTickCount GetTempFileNameA 3372->3373 3374 405f82 3373->3374 3375 405f86 3373->3375 3374->3373 3374->3375 3375->3370 4029 401947 4030 402c39 17 API calls 4029->4030 4031 40194e lstrlenA 4030->4031 4032 402628 4031->4032 4036 401fcb 4037 402c39 17 API calls 4036->4037 4038 401fd2 4037->4038 4039 4066ff 2 API calls 4038->4039 4040 401fd8 4039->4040 4042 401fea 4040->4042 4043 4062e6 wsprintfA 4040->4043 4043->4042 3385 4034cc SetErrorMode GetVersionExA 3386 40351e GetVersionExA 3385->3386 3388 40355d 3385->3388 3387 40353a 3386->3387 3386->3388 3387->3388 3389 4035e1 3388->3389 3390 406794 5 API calls 3388->3390 3477 406726 GetSystemDirectoryA 3389->3477 3390->3389 3392 4035f7 lstrlenA 3392->3389 3393 403607 3392->3393 3480 406794 GetModuleHandleA 3393->3480 3396 406794 5 API calls 3397 403615 3396->3397 3398 406794 5 API calls 3397->3398 3399 403621 #17 OleInitialize SHGetFileInfoA 3398->3399 3486 406388 lstrcpynA 3399->3486 3402 40366f GetCommandLineA 3487 406388 lstrcpynA 3402->3487 3404 403681 3405 405d45 CharNextA 3404->3405 3406 4036a8 CharNextA 3405->3406 3412 4036b7 3406->3412 3407 40377d 3408 403791 GetTempPathA 3407->3408 3488 40349b 3408->3488 3410 4037a9 3413 403803 DeleteFileA 3410->3413 3414 4037ad GetWindowsDirectoryA lstrcatA 3410->3414 3411 405d45 CharNextA 3411->3412 3412->3407 3412->3411 3418 40377f 3412->3418 3498 402f5c 
GetTickCount GetModuleFileNameA 3413->3498 3415 40349b 12 API calls 3414->3415 3417 4037c9 3415->3417 3417->3413 3420 4037cd GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3417->3420 3585 406388 lstrcpynA 3418->3585 3419 403816 3421 4038ae ExitProcess OleUninitialize 3419->3421 3424 40389b 3419->3424 3431 405d45 CharNextA 3419->3431 3423 40349b 12 API calls 3420->3423 3425 4038c5 3421->3425 3426 4039e8 3421->3426 3429 4037fb 3423->3429 3528 403b6e 3424->3528 3602 405a9e 3425->3602 3427 4039f0 GetCurrentProcess OpenProcessToken 3426->3427 3428 403a66 ExitProcess 3426->3428 3433 403a36 3427->3433 3434 403a07 LookupPrivilegeValueA AdjustTokenPrivileges 3427->3434 3429->3413 3429->3421 3436 403830 3431->3436 3439 406794 5 API calls 3433->3439 3434->3433 3440 403875 3436->3440 3441 4038da 3436->3441 3442 403a3d 3439->3442 3586 405e08 3440->3586 3606 405a09 3441->3606 3445 403a52 ExitWindowsEx 3442->3445 3448 403a5f 3442->3448 3445->3428 3445->3448 3626 40140b 3448->3626 3449 4038f0 lstrcatA 3450 4038fb lstrcatA lstrcmpiA 3449->3450 3450->3421 3452 403917 3450->3452 3454 403923 3452->3454 3455 40391c 3452->3455 3614 4059ec CreateDirectoryA 3454->3614 3609 40596f CreateDirectoryA 3455->3609 3456 403890 3601 406388 lstrcpynA 3456->3601 3461 403928 SetCurrentDirectoryA 3462 403943 3461->3462 3463 403938 3461->3463 3618 406388 lstrcpynA 3462->3618 3617 406388 lstrcpynA 3463->3617 3466 40641b 17 API calls 3467 403985 DeleteFileA 3466->3467 3468 403993 CopyFileA 3467->3468 3474 403950 3467->3474 3468->3474 3469 4039dc 3471 406161 36 API calls 3469->3471 3472 4039e3 3471->3472 3472->3421 3473 40641b 17 API calls 3473->3474 3474->3466 3474->3469 3474->3473 3476 4039c7 CloseHandle 3474->3476 3619 406161 MoveFileExA 3474->3619 3623 405a21 CreateProcessA 3474->3623 3476->3474 3478 406748 wsprintfA LoadLibraryExA 3477->3478 3478->3392 3481 4067b0 3480->3481 3482 4067ba GetProcAddress 3480->3482 3483 406726 3 API calls 3481->3483 3484 40360e 3482->3484 3485 
4067b6 3483->3485 3484->3396 3485->3482 3485->3484 3486->3402 3487->3404 3489 406666 5 API calls 3488->3489 3491 4034a7 3489->3491 3490 4034b1 3490->3410 3491->3490 3629 405d1a lstrlenA CharPrevA 3491->3629 3494 4059ec 2 API calls 3495 4034bf 3494->3495 3496 405f4a 2 API calls 3495->3496 3497 4034ca 3496->3497 3497->3410 3632 405f1b GetFileAttributesA CreateFileA 3498->3632 3500 402f9f 3527 402fac 3500->3527 3633 406388 lstrcpynA 3500->3633 3502 402fc2 3634 405d61 lstrlenA 3502->3634 3506 402fd3 GetFileSize 3507 4030cd 3506->3507 3526 402fea 3506->3526 3639 402ebd 3507->3639 3511 403112 GlobalAlloc 3513 403129 3511->3513 3512 40316a 3516 402ebd 32 API calls 3512->3516 3518 405f4a 2 API calls 3513->3518 3515 4030f3 3517 40346e ReadFile 3515->3517 3516->3527 3519 4030fe 3517->3519 3521 40313a CreateFileA 3518->3521 3519->3511 3519->3527 3520 402ebd 32 API calls 3520->3526 3522 403174 3521->3522 3521->3527 3654 403484 SetFilePointer 3522->3654 3524 403182 3655 4031fd 3524->3655 3526->3507 3526->3512 3526->3520 3526->3527 3670 40346e 3526->3670 3527->3419 3529 406794 5 API calls 3528->3529 3530 403b82 3529->3530 3531 403b88 3530->3531 3532 403b9a 3530->3532 3714 4062e6 wsprintfA 3531->3714 3533 40626f 3 API calls 3532->3533 3534 403bc5 3533->3534 3535 403be3 lstrcatA 3534->3535 3538 40626f 3 API calls 3534->3538 3537 403b98 3535->3537 3706 403e33 3537->3706 3538->3535 3541 405e08 18 API calls 3542 403c15 3541->3542 3543 403c9e 3542->3543 3545 40626f 3 API calls 3542->3545 3544 405e08 18 API calls 3543->3544 3547 403ca4 3544->3547 3548 403c41 3545->3548 3546 403cb4 LoadImageA 3550 403d5a 3546->3550 3551 403cdb RegisterClassA 3546->3551 3547->3546 3549 40641b 17 API calls 3547->3549 3548->3543 3552 403c5d lstrlenA 3548->3552 3555 405d45 CharNextA 3548->3555 3549->3546 3554 40140b 2 API calls 3550->3554 3553 403d11 SystemParametersInfoA CreateWindowExA 3551->3553 3584 4038ab 3551->3584 3556 403c91 3552->3556 3557 403c6b lstrcmpiA 3552->3557 3553->3550 3558 403d60 
3554->3558 3559 403c5b 3555->3559 3561 405d1a 3 API calls 3556->3561 3557->3556 3560 403c7b GetFileAttributesA 3557->3560 3563 403e33 18 API calls 3558->3563 3558->3584 3559->3552 3562 403c87 3560->3562 3564 403c97 3561->3564 3562->3556 3565 405d61 2 API calls 3562->3565 3566 403d71 3563->3566 3715 406388 lstrcpynA 3564->3715 3565->3556 3568 403e00 3566->3568 3569 403d7d ShowWindow 3566->3569 3716 40557b OleInitialize 3568->3716 3571 406726 3 API calls 3569->3571 3573 403d95 3571->3573 3572 403e06 3575 403e22 3572->3575 3576 403e0a 3572->3576 3574 403da3 GetClassInfoA 3573->3574 3577 406726 3 API calls 3573->3577 3579 403db7 GetClassInfoA RegisterClassA 3574->3579 3580 403dcd DialogBoxParamA 3574->3580 3578 40140b 2 API calls 3575->3578 3582 40140b 2 API calls 3576->3582 3576->3584 3577->3574 3578->3584 3579->3580 3581 40140b 2 API calls 3580->3581 3583 403df5 3581->3583 3582->3584 3583->3584 3584->3421 3585->3408 3734 406388 lstrcpynA 3586->3734 3588 405e19 3735 405db3 CharNextA CharNextA 3588->3735 3591 403881 3591->3421 3600 406388 lstrcpynA 3591->3600 3592 406666 5 API calls 3598 405e2f 3592->3598 3593 405e5a lstrlenA 3594 405e65 3593->3594 3593->3598 3595 405d1a 3 API calls 3594->3595 3597 405e6a GetFileAttributesA 3595->3597 3597->3591 3598->3591 3598->3593 3599 405d61 2 API calls 3598->3599 3741 4066ff FindFirstFileA 3598->3741 3599->3593 3600->3456 3601->3424 3603 405ab3 3602->3603 3604 4038d2 ExitProcess 3603->3604 3605 405ac7 MessageBoxIndirectA 3603->3605 3605->3604 3607 406794 5 API calls 3606->3607 3608 4038df lstrcatA 3607->3608 3608->3449 3608->3450 3610 4059c0 GetLastError 3609->3610 3611 403921 3609->3611 3610->3611 3612 4059cf SetFileSecurityA 3610->3612 3611->3461 3612->3611 3613 4059e5 GetLastError 3612->3613 3613->3611 3615 405a00 GetLastError 3614->3615 3616 4059fc 3614->3616 3615->3616 3616->3461 3617->3462 3618->3474 3620 406182 3619->3620 3621 406175 3619->3621 3620->3474 3744 405ff1 3621->3744 3624 405a60 3623->3624 3625 405a54 CloseHandle 
3623->3625 3624->3474 3625->3624 3627 401389 2 API calls 3626->3627 3628 401420 3627->3628 3628->3428 3630 405d34 lstrcatA 3629->3630 3631 4034b9 3629->3631 3630->3631 3631->3494 3632->3500 3633->3502 3635 405d6e 3634->3635 3636 405d73 CharPrevA 3635->3636 3637 402fc8 3635->3637 3636->3635 3636->3637 3638 406388 lstrcpynA 3637->3638 3638->3506 3640 402ee3 3639->3640 3641 402ecb 3639->3641 3644 402ef3 GetTickCount 3640->3644 3645 402eeb 3640->3645 3642 402ed4 DestroyWindow 3641->3642 3643 402edb 3641->3643 3642->3643 3643->3511 3643->3527 3673 403484 SetFilePointer 3643->3673 3644->3643 3647 402f01 3644->3647 3674 4067d0 3645->3674 3648 402f36 CreateDialogParamA ShowWindow 3647->3648 3649 402f09 3647->3649 3648->3643 3649->3643 3678 402ea1 3649->3678 3651 402f17 wsprintfA 3652 4054a9 24 API calls 3651->3652 3653 402f34 3652->3653 3653->3643 3654->3524 3656 403228 3655->3656 3657 40320c SetFilePointer 3655->3657 3681 403305 GetTickCount 3656->3681 3657->3656 3662 403305 42 API calls 3663 40325f 3662->3663 3664 4032c5 3663->3664 3665 4032cb ReadFile 3663->3665 3666 40326e 3663->3666 3664->3527 3665->3664 3666->3664 3668 405f93 ReadFile 3666->3668 3696 405fc2 WriteFile 3666->3696 3668->3666 3671 405f93 ReadFile 3670->3671 3672 403481 3671->3672 3672->3526 3673->3515 3675 4067ed PeekMessageA 3674->3675 3676 4067e3 DispatchMessageA 3675->3676 3677 4067fd 3675->3677 3676->3675 3677->3643 3679 402eb0 3678->3679 3680 402eb2 MulDiv 3678->3680 3679->3680 3680->3651 3682 403333 3681->3682 3683 40345d 3681->3683 3698 403484 SetFilePointer 3682->3698 3684 402ebd 32 API calls 3683->3684 3690 40322f 3684->3690 3686 40333e SetFilePointer 3691 403363 3686->3691 3687 40346e ReadFile 3687->3691 3689 402ebd 32 API calls 3689->3691 3690->3664 3694 405f93 ReadFile 3690->3694 3691->3687 3691->3689 3691->3690 3692 405fc2 WriteFile 3691->3692 3693 40343e SetFilePointer 3691->3693 3699 4068d9 3691->3699 3692->3691 3693->3683 3695 403248 3694->3695 3695->3662 3695->3664 3697 405fe0 3696->3697 
3697->3666 3698->3686 3700 4068fe 3699->3700 3705 406906 3699->3705 3700->3691 3701 406996 GlobalAlloc 3701->3700 3701->3705 3702 40698d GlobalFree 3702->3701 3703 406a04 GlobalFree 3704 406a0d GlobalAlloc 3703->3704 3704->3700 3704->3705 3705->3700 3705->3701 3705->3702 3705->3703 3705->3704 3707 403e47 3706->3707 3723 4062e6 wsprintfA 3707->3723 3709 403eb8 3724 403eec 3709->3724 3711 403bf3 3711->3541 3712 403ebd 3712->3711 3713 40641b 17 API calls 3712->3713 3713->3712 3714->3537 3715->3543 3727 404451 3716->3727 3718 40559e 3722 4055c5 3718->3722 3730 401389 3718->3730 3719 404451 SendMessageA 3720 4055d7 OleUninitialize 3719->3720 3720->3572 3722->3719 3723->3709 3725 40641b 17 API calls 3724->3725 3726 403efa SetWindowTextA 3725->3726 3726->3712 3728 404469 3727->3728 3729 40445a SendMessageA 3727->3729 3728->3718 3729->3728 3732 401390 3730->3732 3731 4013fe 3731->3718 3732->3731 3733 4013cb MulDiv SendMessageA 3732->3733 3733->3732 3734->3588 3736 405dde 3735->3736 3737 405dce 3735->3737 3739 405d45 CharNextA 3736->3739 3740 405dfe 3736->3740 3737->3736 3738 405dd9 CharNextA 3737->3738 3738->3740 3739->3736 3740->3591 3740->3592 3742 406715 FindClose 3741->3742 3743 406720 3741->3743 3742->3743 3743->3598 3745 406017 3744->3745 3746 40603d GetShortPathNameA 3744->3746 3771 405f1b GetFileAttributesA CreateFileA 3745->3771 3748 406052 3746->3748 3749 40615c 3746->3749 3748->3749 3751 40605a wsprintfA 3748->3751 3749->3620 3750 406021 CloseHandle GetShortPathNameA 3750->3749 3753 406035 3750->3753 3752 40641b 17 API calls 3751->3752 3754 406082 3752->3754 3753->3746 3753->3749 3772 405f1b GetFileAttributesA CreateFileA 3754->3772 3756 40608f 3756->3749 3757 40609e GetFileSize GlobalAlloc 3756->3757 3758 4060c0 3757->3758 3759 406155 CloseHandle 3757->3759 3760 405f93 ReadFile 3758->3760 3759->3749 3761 4060c8 3760->3761 3761->3759 3773 405e80 lstrlenA 3761->3773 3764 4060f3 3766 405e80 4 API calls 3764->3766 3765 4060df lstrcpyA 3767 406101 3765->3767 
3766->3767 3768 406138 SetFilePointer 3767->3768 3769 405fc2 WriteFile 3768->3769 3770 40614e GlobalFree 3769->3770 3770->3759 3771->3750 3772->3756 3774 405ec1 lstrlenA 3773->3774 3775 405ec9 3774->3775 3776 405e9a lstrcmpiA 3774->3776 3775->3764 3775->3765 3776->3775 3777 405eb8 CharNextA 3776->3777 3777->3774 4044 404850 4045 404860 4044->4045 4046 404886 4044->4046 4051 404405 4045->4051 4054 40446c 4046->4054 4049 40486d SetDlgItemTextA 4049->4046 4052 40641b 17 API calls 4051->4052 4053 404410 SetDlgItemTextA 4052->4053 4053->4049 4055 40452f 4054->4055 4056 404484 GetWindowLongA 4054->4056 4056->4055 4057 404499 4056->4057 4057->4055 4058 4044c6 GetSysColor 4057->4058 4059 4044c9 4057->4059 4058->4059 4060 4044d9 SetBkMode 4059->4060 4061 4044cf SetTextColor 4059->4061 4062 4044f1 GetSysColor 4060->4062 4063 4044f7 4060->4063 4061->4060 4062->4063 4064 4044fe SetBkColor 4063->4064 4065 404508 4063->4065 4064->4065 4065->4055 4066 404522 CreateBrushIndirect 4065->4066 4067 40451b DeleteObject 4065->4067 4066->4055 4067->4066 4075 4014d6 4076 402c17 17 API calls 4075->4076 4077 4014dc Sleep 4076->4077 4079 402ac5 4077->4079 3873 401759 3874 402c39 17 API calls 3873->3874 3875 401760 3874->3875 3876 401786 3875->3876 3877 40177e 3875->3877 3913 406388 lstrcpynA 3876->3913 3912 406388 lstrcpynA 3877->3912 3880 401784 3884 406666 5 API calls 3880->3884 3881 401791 3882 405d1a 3 API calls 3881->3882 3883 401797 lstrcatA 3882->3883 3883->3880 3899 4017a3 3884->3899 3885 4066ff 2 API calls 3885->3899 3886 405ef6 2 API calls 3886->3899 3888 4017ba CompareFileTime 3888->3899 3889 40187e 3890 4054a9 24 API calls 3889->3890 3892 401888 3890->3892 3891 401855 3893 4054a9 24 API calls 3891->3893 3900 40186a 3891->3900 3894 4031fd 44 API calls 3892->3894 3893->3900 3895 40189b 3894->3895 3896 4018af SetFileTime 3895->3896 3898 4018c1 FindCloseChangeNotification 3895->3898 3896->3898 3897 40641b 17 API calls 3897->3899 3898->3900 3901 4018d2 3898->3901 3899->3885 3899->3886 
3899->3888 3899->3889 3899->3891 3899->3897 3902 406388 lstrcpynA 3899->3902 3907 405a9e MessageBoxIndirectA 3899->3907 3911 405f1b GetFileAttributesA CreateFileA 3899->3911 3903 4018d7 3901->3903 3904 4018ea 3901->3904 3902->3899 3905 40641b 17 API calls 3903->3905 3906 40641b 17 API calls 3904->3906 3908 4018df lstrcatA 3905->3908 3909 4018f2 3906->3909 3907->3899 3908->3909 3910 405a9e MessageBoxIndirectA 3909->3910 3910->3900 3911->3899 3912->3880 3913->3881 4080 401659 4081 402c39 17 API calls 4080->4081 4082 40165f 4081->4082 4083 4066ff 2 API calls 4082->4083 4084 401665 4083->4084 4085 401959 4086 402c17 17 API calls 4085->4086 4087 401960 4086->4087 4088 402c17 17 API calls 4087->4088 4089 40196d 4088->4089 4090 402c39 17 API calls 4089->4090 4091 401984 lstrlenA 4090->4091 4093 401994 4091->4093 4092 4019d4 4093->4092 4097 406388 lstrcpynA 4093->4097 4095 4019c4 4095->4092 4096 4019c9 lstrlenA 4095->4096 4096->4092 4097->4095 4098 401a5e 4099 402c17 17 API calls 4098->4099 4100 401a67 4099->4100 4101 402c17 17 API calls 4100->4101 4102 401a0e 4101->4102 4103 401563 4104 402a42 4103->4104 4107 4062e6 wsprintfA 4104->4107 4106 402a47 4107->4106 4108 401b63 4109 402c39 17 API calls 4108->4109 4110 401b6a 4109->4110 4111 402c17 17 API calls 4110->4111 4112 401b73 wsprintfA 4111->4112 4113 402ac5 4112->4113 4114 100013a4 4121 10001426 4114->4121 4122 100013d0 4121->4122 4124 1000142f 4121->4124 4126 100010d0 GetVersionExA 4122->4126 4123 1000145f GlobalFree 4123->4122 4124->4122 4124->4123 4125 1000144b lstrcpynA 4124->4125 4125->4123 4127 10001106 4126->4127 4128 100010fc 4126->4128 4129 10001122 LoadLibraryW 4127->4129 4130 1000110e 4127->4130 4152 100014ba wsprintfA 4128->4152 4132 100011a5 4129->4132 4133 1000113b GetProcAddress 4129->4133 4130->4128 4131 10001225 LoadLibraryA 4130->4131 4131->4128 4136 1000123d GetProcAddress GetProcAddress GetProcAddress 4131->4136 4132->4128 4141 100011c1 WideCharToMultiByte lstrcmpiA 4132->4141 4143 10001217 LocalFree 
4132->4143 4145 100011f7 4132->4145 4134 1000118e 4133->4134 4135 1000114e LocalAlloc 4133->4135 4138 1000119a FreeLibrary 4134->4138 4137 10001189 4135->4137 4139 10001323 FreeLibrary 4136->4139 4150 1000126b 4136->4150 4137->4134 4140 1000115c NtQuerySystemInformation 4137->4140 4138->4132 4139->4128 4140->4138 4142 1000116f LocalFree 4140->4142 4141->4132 4142->4134 4144 10001180 LocalAlloc 4142->4144 4143->4128 4144->4137 4145->4132 4146 1000103f 8 API calls 4145->4146 4146->4145 4147 100012a2 lstrlenA 4147->4150 4148 1000131c CloseHandle 4148->4139 4149 100012c4 lstrcpynA lstrcmpiA 4149->4150 4150->4139 4150->4147 4150->4148 4150->4149 4151 1000103f 8 API calls 4150->4151 4151->4150 4155 10001475 4152->4155 4156 100013e3 4155->4156 4157 1000147e GlobalAlloc lstrcpynA 4155->4157 4157->4156 4158 401d65 4159 401d78 GetDlgItem 4158->4159 4160 401d6b 4158->4160 4161 401d72 4159->4161 4162 402c17 17 API calls 4160->4162 4163 401db9 GetClientRect LoadImageA SendMessageA 4161->4163 4164 402c39 17 API calls 4161->4164 4162->4161 4166 401e26 4163->4166 4167 401e1a 4163->4167 4164->4163 4167->4166 4168 401e1f DeleteObject 4167->4168 4168->4166 3376 10001426 3377 1000146f 3376->3377 3379 1000142f 3376->3379 3378 1000145f GlobalFree 3378->3377 3379->3377 3379->3378 3380 1000144b lstrcpynA 3379->3380 3380->3378 4169 402766 4170 40276c 4169->4170 4171 402774 FindClose 4170->4171 4172 402ac5 4170->4172 4171->4172 4173 4055e7 4174 405792 4173->4174 4175 405609 GetDlgItem GetDlgItem GetDlgItem 4173->4175 4177 40579a GetDlgItem CreateThread CloseHandle 4174->4177 4180 4057c2 4174->4180 4218 40443a SendMessageA 4175->4218 4177->4180 4178 405679 4184 405680 GetClientRect GetSystemMetrics SendMessageA SendMessageA 4178->4184 4179 4057f0 4183 40584b 4179->4183 4186 405800 4179->4186 4187 405824 ShowWindow 4179->4187 4180->4179 4181 405811 4180->4181 4182 4057d8 ShowWindow ShowWindow 4180->4182 4188 40446c 8 API calls 4181->4188 4220 40443a SendMessageA 4182->4220 4183->4181 4193 
405858 SendMessageA 4183->4193 4191 4056d2 SendMessageA SendMessageA 4184->4191 4192 4056ee 4184->4192 4221 4043de 4186->4221 4189 405844 4187->4189 4190 405836 4187->4190 4195 40581d 4188->4195 4197 4043de SendMessageA 4189->4197 4196 4054a9 24 API calls 4190->4196 4191->4192 4198 405701 4192->4198 4199 4056f3 SendMessageA 4192->4199 4193->4195 4200 405871 CreatePopupMenu 4193->4200 4196->4189 4197->4183 4202 404405 18 API calls 4198->4202 4199->4198 4201 40641b 17 API calls 4200->4201 4203 405881 AppendMenuA 4201->4203 4204 405711 4202->4204 4205 4058b2 TrackPopupMenu 4203->4205 4206 40589f GetWindowRect 4203->4206 4207 40571a ShowWindow 4204->4207 4208 40574e GetDlgItem SendMessageA 4204->4208 4205->4195 4210 4058ce 4205->4210 4206->4205 4211 405730 ShowWindow 4207->4211 4212 40573d 4207->4212 4208->4195 4209 405775 SendMessageA SendMessageA 4208->4209 4209->4195 4213 4058ed SendMessageA 4210->4213 4211->4212 4219 40443a SendMessageA 4212->4219 4213->4213 4214 40590a OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4213->4214 4216 40592c SendMessageA 4214->4216 4216->4216 4217 40594e GlobalUnlock SetClipboardData CloseClipboard 4216->4217 4217->4195 4218->4178 4219->4208 4220->4179 4222 4043e5 4221->4222 4223 4043eb SendMessageA 4221->4223 4222->4223 4223->4181 4224 404be8 4225 404c14 4224->4225 4226 404bf8 4224->4226 4228 404c47 4225->4228 4229 404c1a SHGetPathFromIDListA 4225->4229 4235 405a82 GetDlgItemTextA 4226->4235 4231 404c31 SendMessageA 4229->4231 4232 404c2a 4229->4232 4230 404c05 SendMessageA 4230->4225 4231->4228 4233 40140b 2 API calls 4232->4233 4233->4231 4235->4230 4236 4023e8 4237 402c39 17 API calls 4236->4237 4238 4023f9 4237->4238 4239 402c39 17 API calls 4238->4239 4240 402402 4239->4240 4241 402c39 17 API calls 4240->4241 4242 40240c GetPrivateProfileStringA 4241->4242 4243 4027e8 4244 402c39 17 API calls 4243->4244 4245 4027f4 4244->4245 4246 40280a 4245->4246 4247 402c39 17 API calls 4245->4247 4248 405ef6 2 API calls 4246->4248 
4247->4246 4249 402810 4248->4249 4271 405f1b GetFileAttributesA CreateFileA 4249->4271 4251 40281d 4252 4028d9 4251->4252 4253 4028c1 4251->4253 4254 402838 GlobalAlloc 4251->4254 4255 4028e0 DeleteFileA 4252->4255 4256 4028f3 4252->4256 4258 4031fd 44 API calls 4253->4258 4254->4253 4257 402851 4254->4257 4255->4256 4272 403484 SetFilePointer 4257->4272 4260 4028ce CloseHandle 4258->4260 4260->4252 4261 402857 4262 40346e ReadFile 4261->4262 4263 402860 GlobalAlloc 4262->4263 4264 402870 4263->4264 4265 4028aa 4263->4265 4267 4031fd 44 API calls 4264->4267 4266 405fc2 WriteFile 4265->4266 4268 4028b6 GlobalFree 4266->4268 4270 40287d 4267->4270 4268->4253 4269 4028a1 GlobalFree 4269->4265 4270->4269 4271->4251 4272->4261 4273 40166a 4274 402c39 17 API calls 4273->4274 4275 401671 4274->4275 4276 402c39 17 API calls 4275->4276 4277 40167a 4276->4277 4278 402c39 17 API calls 4277->4278 4279 401683 MoveFileA 4278->4279 4280 401696 4279->4280 4286 40168f 4279->4286 4282 4066ff 2 API calls 4280->4282 4284 4022ea 4280->4284 4281 401423 24 API calls 4281->4284 4283 4016a5 4282->4283 4283->4284 4285 406161 36 API calls 4283->4285 4285->4286 4286->4281 4294 4019ed 4295 402c39 17 API calls 4294->4295 4296 4019f4 4295->4296 4297 402c39 17 API calls 4296->4297 4298 4019fd 4297->4298 4299 401a04 lstrcmpiA 4298->4299 4300 401a16 lstrcmpA 4298->4300 4301 401a0a 4299->4301 4300->4301 4302 40156f 4303 401586 4302->4303 4304 40157f ShowWindow 4302->4304 4305 401594 ShowWindow 4303->4305 4306 402ac5 4303->4306 4304->4303 4305->4306 4307 404570 4308 404586 4307->4308 4313 404692 4307->4313 4311 404405 18 API calls 4308->4311 4309 404701 4310 4047cb 4309->4310 4312 40470b GetDlgItem 4309->4312 4319 40446c 8 API calls 4310->4319 4314 4045dc 4311->4314 4315 404721 4312->4315 4316 404789 4312->4316 4313->4309 4313->4310 4317 4046d6 GetDlgItem SendMessageA 4313->4317 4318 404405 18 API calls 4314->4318 4315->4316 4320 404747 SendMessageA LoadCursorA SetCursor 4315->4320 4316->4310 4321 
Control-flow Graph
APIs
• SetErrorMode.KERNEL32(00008001), ref: 004034EF
• GetVersionExA.KERNEL32(?), ref: 00403518
• GetVersionExA.KERNEL32(0000009C), ref: 0040352F
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
• #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
• OleInitialize.OLE32(00000000), ref: 0040363C
• SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
• GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
• CharNextA.USER32(00000000,C:\Users\user\AppData\Local\Temp\4CC4.exe,00000020,C:\Users\user\AppData\Local\Temp\4CC4.exe,00000000,?,00000007,00000009,0000000B), ref: 004036A9
• GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
• GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
• GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
• DeleteFileA.KERNEL32(1033,?,00000007,00000009,0000000B), ref: 00403808
• ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
• OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
• ExitProcess.KERNEL32 ref: 004038D4
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\4CC4.exe,00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
                                                                                                                                                                                                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\4CC4.exe,00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
                                                                                                                                                                                                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\4CC4.exe,00000000,?,?,00000007,00000009,0000000B), ref: 00403901
                                                                                                                                                                                                                            • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp), ref: 0040390D
                                                                                                                                                                                                                            • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
                                                                                                                                                                                                                            • DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
                                                                                                                                                                                                                            • CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\4CC4.exe,0041F910,00000001), ref: 0040399B
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
                                                                                                                                                                                                                            • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
                                                                                                                                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
                                                                                                                                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
                                                                                                                                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
                                                                                                                                                                                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
                                                                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 00403A76
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
• String ID: "$.tmp$1033$A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\4CC4.exe$C:\Users\user\AppData\Local\Temp\4CC4.exe$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\update$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 2882342585-2495169752

Control-flow Graph

APIs
• GetVersionExA.KERNEL32(?), ref: 100010F2
Strings
Memory Dump Source
• Source File: 00000008.00000002.3971356135.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_4CC4.jbxd
Similarity
• API ID: Version
• String ID: CreateToolhelp32Snapshot$KERNEL32.DLL$NTDLL.DLL$NtQuerySystemInformation$Process32First$Process32Next
• API String ID: 1889659487-877962304

Control-flow Graph

APIs
• DeleteFileA.KERNEL32(?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\4CC4.exe), ref: 00405B73
• lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\4CC4.exe), ref: 00405BBB
• lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\4CC4.exe), ref: 00405BDC
• lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\4CC4.exe), ref: 00405BE2
• FindFirstFileA.KERNEL32(00421D58,?,?,?,0040A014,?,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\4CC4.exe), ref: 00405BF3
• FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
• FindClose.KERNEL32(00000000), ref: 00405CB1
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\4CC4.exe$\*.*
                                                                                                                                                                                                                            • API String ID: 2035342205-4130168296
                                                                                                                                                                                                                            • Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
                                                                                                                                                                                                                            • Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69

Control-flow Graph (rendered graph image not included; basic-block edge list omitted)
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
• Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
• Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
• Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45
APIs
• FindFirstFileA.KERNEL32(75923410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0), ref: 0040670A
• FindClose.KERNEL32(00000000), ref: 00406716
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: C:\
• API String ID: 2295610775-3404278061
• Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
• Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
• Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
• Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC

Control-flow Graph (rendered graph image not included; basic-block edge list omitted)
APIs
  • Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
  • Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
• lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,?,C:\Users\user\AppData\Local\Temp\4CC4.exe,00000009,0000000B), ref: 00403BE9
• lstrlenA.KERNEL32(C:\Windows\wininit.ini,?,?,?,C:\Windows\wininit.ini,00000000,C:\Users\user\AppData\Roaming\GamePall,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,75923410), ref: 00403C5E
• lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
• GetFileAttributesA.KERNEL32(C:\Windows\wininit.ini,?,C:\Users\user\AppData\Local\Temp\4CC4.exe,00000009,0000000B), ref: 00403C7C
• LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\GamePall), ref: 00403CC5
  • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
• RegisterClassA.USER32(00423EE0), ref: 00403D02
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
• CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
• ShowWindow.USER32(00000005,00000000,?,C:\Users\user\AppData\Local\Temp\4CC4.exe,00000009,0000000B), ref: 00403D85
• GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
• GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
• RegisterClassA.USER32(00423EE0), ref: 00403DC7
• DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                                            • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\4CC4.exe$C:\Users\user\AppData\Roaming\GamePall$C:\Windows\wininit.ini$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
                                                                                                                                                                                                                            • API String ID: 1975747703-2081377918
                                                                                                                                                                                                                            • Opcode ID: dbde64bc3a376ab52a9cb3762a64ce6a0c2f330f4a95e62c6433b020d27b21d7
                                                                                                                                                                                                                            • Instruction ID: 5836c5bb6a6ef8c4ff0aed12ec42ff3eebf2d58129c507535c8ab2622d1094a3
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dbde64bc3a376ab52a9cb3762a64ce6a0c2f330f4a95e62c6433b020d27b21d7
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4F61D670204200AED620AF65AD45F3B3A7CEB8574AF41453FF951B62E2CB7D9D028B6D

Control-flow Graph
control_flow_graph 275 402f5c-402faa GetTickCount GetModuleFileNameA call 405f1b 278 402fb6-402fe4 call 406388 call 405d61 call 406388 GetFileSize 275->278 279 402fac-402fb1 275->279 287 402fea 278->287 288 4030cf-4030dd call 402ebd 278->288 280 4031f6-4031fa 279->280 290 402fef-403006 287->290 295 4030e3-4030e6 288->295 296 4031ae-4031b3 288->296 292 403008 290->292 293 40300a-403013 call 40346e 290->293 292->293 300 403019-403020 293->300 301 40316a-403172 call 402ebd 293->301 298 403112-40315e GlobalAlloc call 4068b9 call 405f4a CreateFileA 295->298 299 4030e8-403100 call 403484 call 40346e 295->299 296->280 326 403160-403165 298->326 327 403174-4031a4 call 403484 call 4031fd 298->327 299->296 321 403106-40310c 299->321 305 403022-403036 call 405ed6 300->305 306 40309c-4030a0 300->306 301->296 311 4030aa-4030b0 305->311 324 403038-40303f 305->324 310 4030a2-4030a9 call 402ebd 306->310 306->311 310->311 317 4030b2-4030bc call 40684b 311->317 318 4030bf-4030c7 311->318 317->318 318->290 325 4030cd 318->325 321->296 321->298 324->311 329 403041-403048 324->329 325->288 326->280 335 4031a9-4031ac 327->335 329->311 331 40304a-403051 329->331 331->311 334 403053-40305a 331->334 334->311 336 40305c-40307c 334->336 335->296 337 4031b5-4031c6 335->337 336->296 338 403082-403086 336->338 339 4031c8 337->339 340 4031ce-4031d3 337->340 341 403088-40308c 338->341 342 40308e-403096 338->342 339->340 343 4031d4-4031da 340->343 341->325 341->342 342->311 344 403098-40309a 342->344 343->343 345 4031dc-4031f4 call 405ed6 343->345 344->311 345->280
APIs
• GetTickCount.KERNEL32 ref: 00402F70
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\4CC4.exe,00000400), ref: 00402F8C
  • Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\4CC4.exe,80000000,00000003), ref: 00405F1F
  • Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
• GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\4CC4.exe,C:\Users\user\AppData\Local\Temp\4CC4.exe,80000000,00000003), ref: 00402FD5
• GlobalAlloc.KERNEL32(00000040,00000009), ref: 00403117
Strings
• Null, xrefs: 00403053
• Inst, xrefs: 00403041
• Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160
• C:\Users\user\AppData\Local\Temp, xrefs: 00402FB7, 00402FBC, 00402FC2
• Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 004031AE
• C:\Users\user\AppData\Local\Temp\4CC4.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
• C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
• C:\Users\user\AppData\Local\Temp\4CC4.exe, xrefs: 00402F65
• Error launching installer, xrefs: 00402FAC
• soft, xrefs: 0040304A
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\4CC4.exe$C:\Users\user\AppData\Local\Temp\4CC4.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error$Null$soft
• API String ID: 2803837635-3550413776
• Opcode ID: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
• Instruction ID: 8a05da1d373fd2b3e089436e62a275652004ed3b6aa6cfe031be989f12afac8e
• Opcode Fuzzy Hash: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
• Instruction Fuzzy Hash: 0771E231A01218ABDB20EF65DD85B9E7BACEB44356F10813BF910BA2C1D77C9E458B5C

Control-flow Graph
control_flow_graph 348 405ff1-406015 349 406017-40602f call 405f1b CloseHandle GetShortPathNameA 348->349 350 40603d-40604c GetShortPathNameA 348->350 353 40615c-406160 349->353 357 406035-406037 349->357 352 406052-406054 350->352 350->353 352->353 355 40605a-406098 wsprintfA call 40641b call 405f1b 352->355 355->353 361 40609e-4060ba GetFileSize GlobalAlloc 355->361 357->350 357->353 362 4060c0-4060ca call 405f93 361->362 363 406155-406156 CloseHandle 361->363 362->363 366 4060d0-4060dd call 405e80 362->366 363->353 369 4060f3-406105 call 405e80 366->369 370 4060df-4060f1 lstrcpyA 366->370 376 406124 369->376 377 406107-40610d 369->377 371 406128 370->371 373 40612a-40614f call 405ed6 SetFilePointer call 405fc2 GlobalFree 371->373 373->363 376->371 378 406115-406117 377->378 380 406119-406122 378->380 381 40610f-406114 378->381 380->373 381->378
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
• GetShortPathNameA.KERNEL32(?,NUL,00000400), ref: 0040602B
  • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
  • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
• GetShortPathNameA.KERNEL32(?,C:\Windows\wininit.ini,00000400), ref: 00406048
• wsprintfA.USER32 ref: 00406066
• GetFileSize.KERNEL32(00000000,00000000,C:\Windows\wininit.ini,C0000000,00000004,C:\Windows\wininit.ini,?,?,?,?,?), ref: 004060A1
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
• SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,NUL=C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
• GlobalFree.KERNEL32(00000000), ref: 0040614F
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156
  • Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\4CC4.exe,80000000,00000003), ref: 00405F1F
  • Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %s=%s$C:\Windows\wininit.ini$NUL$NUL=C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\$[Rename]
                                                                                                                                                                                                                            • API String ID: 2171350718-232991687
                                                                                                                                                                                                                            • Opcode ID: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
                                                                                                                                                                                                                            • Instruction ID: 7566a5a9e9d08134d14435fb5d3e1561ad96112206bac95af022f508aac3f812
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 68310531200715BBC2207B659D49F6B3A5DDF85754F15003EFE42BA2C3EA7CD8228AAD
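The string set above ([Rename], %s=%s, NUL, NUL=C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\ and C:\Windows\wininit.ini, together with the short-path, file-size and file-pointer APIs in the API ID) is the legacy wininit.ini mechanism for renaming or deleting a file at the next boot: the writer appends destination=source lines under [Rename], and a destination of NUL means "delete source at boot". Here the source is the installer's own temporary directory, i.e. self-cleanup; the installer being an NSIS stub is an inference from the NSIS Error string and the nsXXXX.tmp naming in the listings that follow, not something the report states. The parser below is an added example, not part of the Joe Sandbox report: it reads a [Rename] section from a copy of wininit.ini and flags entries that delete or move files staged in user-writable locations. The sample file content is constructed; its first line mirrors the string seen above, the second is a hypothetical rename.

```python
"""Parse the [Rename] section of a wininit.ini file and flag risky entries.

Added example (not part of the Joe Sandbox report). The [Rename] format is
the legacy Windows 9x boot-time rename list: one `destination=source` line
per file, where a destination of NUL means "delete source at boot".
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the first entry mirrors the string seen in the report,
# the second is a hypothetical rename of a staged file into a program directory.
SAMPLE_WININIT = r"""[Rename]
NUL=C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\
C:\Example\app.exe=C:\Users\user\AppData\Local\Temp\app.exe.new

[Other]
ignored=1
"""

# Path fragments a non-admin user can write to; a boot-time operation that
# sources or deletes files here is worth a look during triage.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
)


@dataclass
class RenameEntry:
    destination: str
    source: str

    @property
    def is_delete(self) -> bool:
        # NUL as the destination is the documented "delete at boot" form.
        return self.destination.strip().upper() == "NUL"

    def touches_user_writable(self) -> bool:
        joined = (self.source + "|" + self.destination).lower()
        return any(fragment in joined for fragment in USER_WRITABLE)


def parse_rename_section(text: str) -> List[RenameEntry]:
    """Return the destination=source pairs found under [Rename], in file order."""
    entries: List[RenameEntry] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dst, src = line.split("=", 1)
            entries.append(RenameEntry(destination=dst.strip(), source=src.strip()))
    return entries


def flag_entries(entries: List[RenameEntry]) -> List[Tuple[RenameEntry, str]]:
    """Pair each suspicious entry with the reason it was flagged."""
    flagged: List[Tuple[RenameEntry, str]] = []
    for entry in entries:
        if not entry.touches_user_writable():
            continue
        if entry.is_delete:
            flagged.append((entry, "boot-time deletion of a user-writable path (self-cleanup)"))
        else:
            flagged.append((entry, "boot-time move of a file staged in a user-writable path"))
    return flagged


if __name__ == "__main__":
    for entry, reason in flag_entries(parse_rename_section(SAMPLE_WININIT)):
        print(f"{reason}: {entry.destination} <- {entry.source}")
```

Windows NT-based systems do not process wininit.ini; the equivalent list on a modern host is the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which is where the same check belongs during an incident review.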

Control-flow Graph
(graph image not reproduced; legend: Executed / Not Executed)
• Function 0040641B-00406663, basic blocks 384-445
• API call sites: GetSystemDirectoryA (00406543), GetWindowsDirectoryA (00406556), SHGetSpecialFolderLocation (0040658A), SHGetPathFromIDListA and CoTaskMemFree (004065A2), lstrcatA (004065D0), lstrlenA (00406627)
• Subroutine calls: 0040626F, 004062E6, 00406388, 00406666, and recursive calls to 0040641B at 00406530 and 0040661B
APIs
• GetSystemDirectoryA.KERNEL32(C:\Windows\wininit.ini,00000400), ref: 00406549
• GetWindowsDirectoryA.KERNEL32(C:\Windows\wininit.ini,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
• SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
• SHGetPathFromIDListA.SHELL32(00000000,C:\Windows\wininit.ini), ref: 004065A6
• CoTaskMemFree.OLE32(00000000), ref: 004065B2
• lstrcatA.KERNEL32(C:\Windows\wininit.ini,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
• lstrlenA.KERNEL32(C:\Windows\wininit.ini,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
• String ID: C:\Windows\wininit.ini$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 717251189-1428620962
• Opcode ID: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
• Instruction ID: f38e20b3a3e0c1a2470d5ac0c6d90f06be75126661b475aa23e0086d5b044b98
• Opcode Fuzzy Hash: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
• Instruction Fuzzy Hash: 9F612370900114AEDF205F24EC90BBA3BA4EB52314F52403FE913B62D1D37D8A62DB4E

Control-flow Graph
(graph image not reproduced)

APIs
• lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,00000031), ref: 00401798
• CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,00000031), ref: 004017C2
  • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: the same twelve dump regions (00000008.00000002.*, 00400000 through 00462000) listed for the previous function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\INetC.dll$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\GamePall\update
• API String ID: 1941528284-1467176625
• Opcode ID: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
• Instruction ID: 0d76be79c55a0237b493b10f9ec5be6125ba7ce9be49b25e4c886387d44134cc
• Opcode Fuzzy Hash: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
• Instruction Fuzzy Hash: E141B731900615BBCB107BB5CC45DAF3668EF45329B61833BF422F10E1D67C8A529AAE
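The listing above for the function at 00401798 shows path concatenation and a file-time comparison involving C:\Users\user\AppData\Local\Temp\setup.exe and C:\Users\user\AppData\Roaming\GamePall\update, with INetC.dll (the NSIS download plugin) among its strings; the function at 00406726 that follows builds a path under the system directory with wsprintfA and loads it with LoadLibraryExA and flag 00000008, i.e. LOAD_WITH_ALTERED_SEARCH_PATH on an explicit full path rather than a bare-name search-order load. Reading indicators out of such listings by hand is error-prone, so the script below, added here and not part of the report, parses lines of this shape into structured calls, separates Windows paths from handles, hex values and the plugin's "?" placeholders, and decodes the LoadLibraryEx flag word. The sample lines are copies of lines from these listings; the line grammar (API.MODULE(args), ref: ADDRESS, an optional "Part of subcall function X:" prefix, and argument-less lines like the wsprintfA entry) is inferred from the page, not a documented Joe Sandbox format.

```python
"""Pull file-system indicators out of Joe Sandbox style API listing lines.

Added example, not part of the report. The line grammar assumed here is
inferred from the listing on the page, not a documented Joe Sandbox format.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: copies of lines from the listings above.
SAMPLE_LINES = r"""
• lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,00000031), ref: 00401798
• CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,00000031), ref: 004017C2
  • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
• lstrcatA.KERNEL32(C:\Windows\wininit.ini,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
• wsprintfA.USER32 ref: 00406776
• LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A
""".strip().splitlines()

# "API.MODULE(arg,arg,...), ref: ADDRESS"; the argument list may be absent.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str
    args: List[str] = field(default_factory=list)
    parent: str = ""  # function the call was reported as part of, if any


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw_args = m.group("args")
    args = [a.strip() for a in raw_args.split(",")] if raw_args else []
    return ApiCall(m.group("api"), m.group("module"), m.group("ref"), args, m.group("parent") or "")


def classify(arg: str) -> str:
    if arg == "?":
        return "unknown"  # the plugin could not recover the value
    if HEX_ARG.match(arg):
        return "hex"      # integer, handle or pointer
    if WIN_PATH.match(arg):
        return "path"
    return "string"


def extract_iocs(lines) -> Tuple[List[ApiCall], List[str], List[str]]:
    """Return (parsed calls, sorted unique paths, sorted unique other strings)."""
    calls: List[ApiCall] = []
    paths, strings = set(), set()
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        calls.append(call)
        for arg in call.args:
            kind = classify(arg)
            if kind == "path":
                paths.add(arg)
            elif kind == "string":
                strings.add(arg)
    return calls, sorted(paths), sorted(strings)


# Subset of LoadLibraryEx flag bits; 0x8 is the one seen in the listing.
LOADLIBRARYEX_FLAGS = {
    0x1: "DONT_RESOLVE_DLL_REFERENCES",
    0x2: "LOAD_LIBRARY_AS_DATAFILE",
    0x8: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
}


def loadlibraryex_flags(hex_arg: str) -> List[str]:
    value = int(hex_arg, 16)
    return [name for bit, name in LOADLIBRARYEX_FLAGS.items() if value & bit]


if __name__ == "__main__":
    calls, paths, strings = extract_iocs(SAMPLE_LINES)
    print(f"{len(calls)} calls, paths: {paths}, strings: {strings}")
    for call in calls:
        if call.api == "LoadLibraryExA" and len(call.args) == 3:
            print("LoadLibraryExA flags:", loadlibraryex_flags(call.args[2]))
```

The path/string split is what makes the output usable as file-system indicators: paths such as the Temp and Roaming\GamePall locations go straight into a hunt, while the hex arguments (buffer addresses, handles, the 00000400 buffer size) are noise that a naive grep for everything between the parentheses would keep.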

Control-flow Graph
(graph image not reproduced; legend: Executed / Not Executed)
• Function 00406726-00406791, basic blocks 582-588
• API call sites: GetSystemDirectoryA (block at 00406726), wsprintfA and LoadLibraryExA (block at 0040675F)
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
• wsprintfA.USER32 ref: 00406776
• LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                                                                            • String ID: %s%s.dll$UXTHEME$\
                                                                                                                                                                                                                            • API String ID: 2200240437-4240819195
                                                                                                                                                                                                                            • Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                                                                                                                                                                                            • Instruction ID: 0c3db372634d2cfba6f48721b0c795b31ebca02323a8b7d7371d162bf0ec7b9a
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FBF0FC7050021966DB15A764DD0DFEA365CAB08309F1404BEA586E20C1D6B8D5258B69

Control-flow Graph
control_flow_graph 589 4068d9-4068fc 590 406906-406909 589->590 591 4068fe-406901 589->591 593 40690c-406915 590->593 592 407326-40732a 591->592 594 407323 593->594 595 40691b 593->595 594->592 596 406922-406926 595->596 597 406a62-407109 595->597 598 4069c7-4069cb 595->598 599 406a37-406a3b 595->599 603 40692c-406939 596->603 604 40730e-407321 596->604 608 407123-407139 597->608 609 40710b-407121 597->609 601 4069d1-4069ea 598->601 602 407277-407281 598->602 605 406a41-406a55 599->605 606 407286-407290 599->606 607 4069ed-4069f1 601->607 602->604 603->594 610 40693f-406985 603->610 604->592 611 406a58-406a60 605->611 606->604 607->598 613 4069f3-4069f9 607->613 612 40713c-407143 608->612 609->612 614 406987-40698b 610->614 615 4069ad-4069af 610->615 611->597 611->599 620 407145-407149 612->620 621 40716a-407176 612->621 618 406a23-406a35 613->618 619 4069fb-406a02 613->619 622 406996-4069a4 GlobalAlloc 614->622 623 40698d-406990 GlobalFree 614->623 616 4069b1-4069bb 615->616 617 4069bd-4069c5 615->617 616->616 616->617 617->607 618->611 625 406a04-406a07 GlobalFree 619->625 626 406a0d-406a1d GlobalAlloc 619->626 627 4072f8-407302 620->627 628 40714f-407167 620->628 621->593 622->594 624 4069aa 622->624 623->622 624->615 625->626 626->594 626->618 627->604 628->621
Strings
• o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 004068E3
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID:
• String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
• API String ID: 0-292220189
• Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
• Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
• Opcode Fuzzy Hash: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
• Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45

Control-flow Graph
control_flow_graph 630 403305-40332d GetTickCount 631 403333-40335e call 403484 SetFilePointer 630->631 632 40345d-403465 call 402ebd 630->632 638 403363-403375 631->638 637 403467-40346b 632->637 639 403377 638->639 640 403379-403387 call 40346e 638->640 639->640 643 40338d-403399 640->643 644 40344f-403452 640->644 645 40339f-4033a5 643->645 644->637 646 4033d0-4033ec call 4068d9 645->646 647 4033a7-4033ad 645->647 653 403458 646->653 654 4033ee-4033f6 646->654 647->646 648 4033af-4033cf call 402ebd 647->648 648->646 655 40345a-40345b 653->655 656 4033f8-403400 call 405fc2 654->656 657 403419-40341f 654->657 655->637 661 403405-403407 656->661 657->653 659 403421-403423 657->659 659->653 660 403425-403438 659->660 660->638 662 40343e-40344d SetFilePointer 660->662 663 403454-403456 661->663 664 403409-403415 661->664 662->632 663->655 664->645 665 403417 664->665 665->660
APIs
• GetTickCount.KERNEL32 ref: 00403319
  • Part of subcall function 00403484: SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492
• SetFilePointer.KERNEL32(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
• SetFilePointer.KERNEL32(?,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447
Strings
• o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00403379, 0040337F
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: FilePointer$CountTick
• String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
• API String ID: 1092082344-292220189
• Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
• Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
• Opcode Fuzzy Hash: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
• Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD

Control-flow Graph
control_flow_graph 666 405f4a-405f54 667 405f55-405f80 GetTickCount GetTempFileNameA 666->667 668 405f82-405f84 667->668 669 405f8f-405f91 667->669 668->667 671 405f86 668->671 670 405f89-405f8c 669->670 671->670
APIs
• GetTickCount.KERNEL32 ref: 00405F5E
• GetTempFileNameA.KERNEL32(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-44229769
• Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
• Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
• Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
• Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798

Control-flow Graph

control_flow_graph 672 4020a5-4020b1 673 4020b7-4020cd call 402c39 * 2 672->673 674 40216c-40216e 672->674 684 4020dc-4020ea LoadLibraryExA 673->684 685 4020cf-4020da GetModuleHandleA 673->685 676 4022e5-4022ea call 401423 674->676 681 402ac5-402ad4 676->681 687 4020ec-4020f9 GetProcAddress 684->687 688 402165-402167 684->688 685->684 685->687 689 402138-40213d call 4054a9 687->689 690 4020fb-402101 687->690 688->676 694 402142-402145 689->694 692 402103-40210f call 401423 690->692 693 40211a-402136 690->693 692->694 703 402111-402118 692->703 693->694 694->681 697 40214b-402153 call 403b0e 694->697 697->681 702 402159-402160 FreeLibrary 697->702 702->681 703->694
APIs
• GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020D0
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
• LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020E0
• GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
• FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
• String ID:
• API String ID: 2987980305-0
• Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
• Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
• Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
• Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E

Control-flow Graph

control_flow_graph 704 403a7c-403a8b 705 403a97-403a9f 704->705 706 403a8d-403a90 CloseHandle 704->706 707 403aa1-403aa4 CloseHandle 705->707 708 403aab-403ab7 call 403ad9 call 405b4a 705->708 706->705 707->708 712 403abc-403abd 708->712
APIs
• CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
• CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2
Strings
• C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\, xrefs: 00403AB2
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: CloseHandle
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\
• API String ID: 2962429428-2250045436
• Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
• Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
• Opcode Fuzzy Hash: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
• Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9
APIs
• SetFilePointer.KERNEL32(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222
Strings
• o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00403277, 0040328E, 004032A4
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FilePointer
                                                                                                                                                                                                                            • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                                                                                                                                                                                                                            • API String ID: 973152223-292220189
                                                                                                                                                                                                                            • Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
                                                                                                                                                                                                                            • Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\4CC4.exe), ref: 00405DC1
                                                                                                                                                                                                                              • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
                                                                                                                                                                                                                              • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
                                                                                                                                                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                                                                                                                                                                              • Part of subcall function 0040596F: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                                                                                                                                                                                                                            • SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,000000F0), ref: 0040163C
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            • C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00401631
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                                                                                                            • String ID: C:\Users\user\AppData\Roaming\GamePall\update
                                                                                                                                                                                                                            • API String ID: 1892508949-2725132131
                                                                                                                                                                                                                            • Opcode ID: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
                                                                                                                                                                                                                            • Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
                                                                                                                                                                                                                              • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\4CC4.exe), ref: 00405DC1
                                                                                                                                                                                                                              • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
                                                                                                                                                                                                                              • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
                                                                                                                                                                                                                            • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\4CC4.exe), ref: 00405E5B
                                                                                                                                                                                                                            • GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0), ref: 00405E6B
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                                                                            • String ID: C:\
                                                                                                                                                                                                                            • API String ID: 3248276644-3404278061
                                                                                                                                                                                                                            • Opcode ID: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
                                                                                                                                                                                                                            • Instruction ID: eca821d8ca18e415d707ee210574ba5bb9731226a542ad11e9256983d04766a4
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
                                                                                                                                                                                                                            • Instruction ID: 14484b0326c8a5630d33184448731c7578348ec986130544f859662fecd3ad08
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
                                                                                                                                                                                                                            • Instruction ID: 16a3963220edad981734dfbd86db7ae4535d0e52bcc7a87e0ef86c627c8cfaa4
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
                                                                                                                                                                                                                            • Instruction ID: e981be8a744509f315cfd76b32476d9c10b76e0a4aa84739a8d113cb33934a41
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
                                                                                                                                                                                                                            • Instruction ID: 516ab04208dd2bc2fd7cdea6c41d3130492ff38fa800e35acf718bd73fbf6333
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
                                                                                                                                                                                                                            • Instruction ID: 835baf8de871759411e2c74e4a47f0112f02d54065241c3c7dcda5dc236b3f46
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
• Instruction ID: ccec74d0ee3a806077926e8984c2e201e8b1f3d886c73ab216be699138b2bca7
• Opcode Fuzzy Hash: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
• Instruction Fuzzy Hash: 39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45
APIs
• lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
• RegSetValueExA.KERNEL32(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
• RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: CloseValuelstrlen
• String ID:
• API String ID: 2655323295-0
• Opcode ID: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
• Instruction ID: e1e6ae2a7b536448810537a1ffa9a52b32d6c636ce9630cd27147c6707bb0a71
• Opcode Fuzzy Hash: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
• Instruction Fuzzy Hash: 04116371E04208AFEB10AFA5DE49AAEBA74EB84714F21443BF504F71C1DAB94D409B68
APIs
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
• RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
• RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: Enum$CloseValue
• String ID:
• API String ID: 397863658-0
• Opcode ID: 705f8b49631554dcec7b4eb98624595070a3904998d9344154508b49de78e75c
• Instruction ID: 33ff3e85e785963e302667c06a3cb1355a7acd8bf142a31c2560ef5bcfc7d759
• Opcode Fuzzy Hash: 705f8b49631554dcec7b4eb98624595070a3904998d9344154508b49de78e75c
• Instruction Fuzzy Hash: 2C017571904104FFE7158F54DE88ABF7BACEF81358F20443EF101A61C0DAB44E449679
APIs
  • Part of subcall function 00405EF6: GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
  • Part of subcall function 00405EF6: SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F
• RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B1D
• DeleteFileA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B25
• SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryRemove
• String ID:
• API String ID: 1655745494-0
• Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
• Instruction ID: eeb49a2f717892c2e0964ab94aaac89db2a73fdd151ed94c70539e0cf44bba43
• Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
• Instruction Fuzzy Hash: 6CE0E531109A9097C62067349908A5B7AF8EF86314F094D3AF9A1F20D0DB38B9468EBD
APIs
• WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 0040682F
• GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ObjectSingleWait$CodeExitProcess
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2567322000-0
                                                                                                                                                                                                                            • Opcode ID: d1ff3f73a38d8d565191ded27fad29c52e1940f561348969c9200a5cb4687b78
                                                                                                                                                                                                                            • Instruction ID: abee92fc01d0549169be82d64ea8a54f8020188e09ec540bf7ef67874f21f581
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d1ff3f73a38d8d565191ded27fad29c52e1940f561348969c9200a5cb4687b78
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9DE0D832600118FBDB00AB54DD05E9E7F6EEB44704F114033F601B6190C7B59E21DB98
APIs
• ReadFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,0040B8F8,00403481,00000009,00000009,00403385,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F), ref: 00405FA7
Strings
• o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00405F96
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: FileRead
• String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
• API String ID: 2738559852-292220189
• Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
• Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
• Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
• Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8
APIs
• RegQueryValueExA.KERNEL32(00000000,00000000,?,?,?,?), ref: 0040254E
• RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
• Opcode ID: acecc3e732b5dbd74a9740bd21ea2b495ff764a52a6e8e2361329d984987feff
• Instruction ID: 7c766f3f1fb2abd04e903467a79d83897fdaad9d0bba0580308fe752c8381985
• Opcode Fuzzy Hash: acecc3e732b5dbd74a9740bd21ea2b495ff764a52a6e8e2361329d984987feff
• Instruction Fuzzy Hash: 1B11BF71905205EFDB25CF64DA985AE7BB4AF11355F20483FE042B72C0D6B88A85DA1D
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
• Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
• Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
• Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D
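Added example, not part of the Joe Sandbox report: a small parser for the "APIs" bullets in these function listings. It turns each bullet into a structured record, annotates argument values that are Win32 SDK constants (0x402 is PBM_SETPOS, i.e. WM_USER+2, and 0x04000000 is CREATE_DEFAULT_ERROR_MODE), collects the strings the sandbox resolved in argument slots as pivots, and finds adjacent call pairs by address, such as CreateProcessA followed by CloseHandle or WaitForSingleObject followed by GetExitCodeProcess. The sample input is copied from this page's listings; the regular expression, the comma-splitting rule and the KNOWN_CONSTANTS table are my own assumptions about the listing format. Two caveats the parser has to tolerate: the report prints stack slots beyond the API's real arity (the second WaitForSingleObject line shows three arguments), and it substitutes the pointed-to string for a string pointer.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

# Constructed sample input: "APIs" bullets copied from the function listings on this page
# (process 8, memory dump based at 0x400000). A real run would read the report text instead.
SAMPLE_API_LINES = """
• WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 0040682F
• GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
• ReadFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,0040B8F8,00403481,00000009,00000009,00403385,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F), ref: 00405FA7
• RegQueryValueExA.KERNEL32(00000000,00000000,?,?,?,?), ref: 0040254E
• RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
• CloseHandle.KERNEL32(?), ref: 00405A57
"""

# One bullet:  • Api.MODULE(arg,arg,...), ref: <8 hex digits>   (assumed listing format)
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# int = value the sandbox resolved, None = unknown slot ('?'),
# str = pointer that the sandbox replaced with the string it pointed at.
Arg = Union[int, str, None]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int  # call-site address inside the dump


def parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None
    if HEX32.match(token):
        return int(token, 16)
    return token


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API bullet in `text`; other lines (hashes, dump sources) are skipped.
    Arguments are split on commas, so a resolved string containing a comma would be
    split too; none of the strings on this page contain one."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


# Win32 SDK constants readable straight off the hex values:
# (api, 0-based argument index as printed) -> {value: meaning}
KNOWN_CONSTANTS: Dict[Tuple[str, int], Dict[int, str]] = {
    ("SendMessageA", 1): {0x0402: "PBM_SETPOS (WM_USER+2): progress-bar position update"},
    ("CreateProcessA", 5): {0x04000000: "CREATE_DEFAULT_ERROR_MODE"},
    ("WaitForSingleObject", 1): {0x64: "100 ms timeout: polling wait, not INFINITE"},
    ("MulDiv", 0): {0x7530: "30000 as numerator: a scaled progress value"},
}


def annotate(call: ApiCall) -> List[str]:
    """Human-readable notes for arguments whose value matches a known constant."""
    notes = []
    for idx, val in enumerate(call.args):
        meaning = KNOWN_CONSTANTS.get((call.api, idx), {}).get(val) if isinstance(val, int) else None
        if meaning:
            notes.append(f"{call.api} arg{idx}=0x{val:08X} -> {meaning}")
    return notes


def string_args(calls: List[ApiCall]) -> Set[str]:
    """Every string the sandbox resolved in an argument slot: pivots for report or YARA searches."""
    return {a for c in calls for a in c.args if isinstance(a, str)}


def find_pairs(calls: List[ApiCall], first: str, second: str, max_gap: int = 0x40) -> List[Tuple[int, int]]:
    """Call sites where `first` is the call immediately before `second` (by address) and the
    two sit within `max_gap` bytes, e.g. CreateProcessA -> CloseHandle."""
    by_addr = sorted(calls, key=lambda c: c.ref)
    return [(a.ref, b.ref) for a, b in zip(by_addr, by_addr[1:])
            if a.api == first and b.api == second and 0 < b.ref - a.ref <= max_gap]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    for c in parsed:
        for note in annotate(c):
            print(f"{c.ref:08X}: {note}")
    print("strings:", string_args(parsed))
    for a, b in find_pairs(parsed, "CreateProcessA", "CloseHandle"):
        print(f"CreateProcessA at {a:08X} followed by CloseHandle at {b:08X}")
```

Run against the whole report text rather than the sample, and the MulDiv(30000, ...) followed by SendMessageA(..., PBM_SETPOS, ...) pair, the CreateProcessA followed by CloseHandle pair and the 100 ms WaitForSingleObject poll before GetExitCodeProcess come out as call-site addresses that can be matched against the function listings above.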
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
• CloseHandle.KERNEL32(?), ref: 00405A57
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID:
• API String ID: 3712363035-0
• Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
• Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
• Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
• Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78
APIs
• GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
• GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
  • Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
  • Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
  • Part of subcall function 00406726: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
• Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
• Opcode Fuzzy Hash: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
• Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D
APIs
• GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\4CC4.exe,80000000,00000003), ref: 00405F1F
• CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
• Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
• Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
• Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19
APIs
• GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
• SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
• Instruction ID: 2a9487917742c73a52daa6fa2dda6e447083e2efb983b62a69771bacbdb33add
• Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
• Instruction Fuzzy Hash: E3D0C972504422ABD2102728AE0889BBB55DB94271702CA35FDA5A26F1DB304C569A9C
APIs
• CreateDirectoryA.KERNEL32(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
• GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1375471231-0
                                                                                                                                                                                                                            • Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                                                                                                                                                                                                                            • Instruction ID: 42ce2bd36b25b14d2ed8d631edf33fc643f4c4eb5ed9af5e51ab4a49ffb09bba
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9BC04C303145419AD6505B309F4DB177A54AB50741F51553A638AE01A0DA348465DD2D
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • lstrcpynA.KERNEL32(?,10003024,?,10003020,1000138F,10003020,00000400), ref: 10001454
                                                                                                                                                                                                                            • GlobalFree.KERNELBASE(10003020), ref: 10001464
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3971356135.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3971316569.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3971399582.0000000010002000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3971440463.0000000010004000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FreeGloballstrcpyn
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1459762280-0
                                                                                                                                                                                                                            • Opcode ID: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
                                                                                                                                                                                                                            • Instruction ID: 61cff6a9ed434c6726c3e265b98623322506fe6e864b2b4fb358a1092e6d6a6c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8DF0F8312152209FE315DF24CC94B9777E9FB0A385F018429E691C7278D770E804CB22
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Create
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2289755597-0
                                                                                                                                                                                                                            • Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                                                                                                                                                                                            • Instruction ID: 57b18be241489d6c3509c0f1b2cb500900bdd64e2c84313365475615acd8ae2e
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 16E0E672010109BEDF196F50DD0AD7B371DEB04341F01492EF916D4091E6B5A9309734
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,004114F7,0040B8F8,00403405,0040B8F8,004114F7,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F,00000004), ref: 00405FD6
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FileWrite
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3934441357-0
                                                                                                                                                                                                                            • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                                                                                                                                                                            • Instruction ID: d5187e51ab0d96a1766449b5dbb93cac2cdd9e80b7d20ab2fc0b5d8c8d5322e8
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4AE0EC3221065BABDF109E659C04EEB7B6CEB05360F004437FA55E3150D675E8219BA4
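The function records above are easier to pivot on when they are parsed rather than read. The following Python is an added example, not part of the Joe Sandbox report, that turns records in this format into structured objects and answers two triage questions: which mapped image (by base address) issues which API calls, and at which call-site addresses a given API is invoked. The sample input is an abridged copy of two records from this section (the CreateDirectoryA record from the image at 0x400000 and the lstrcpynA record from the DLL at 0x10000000); the field names come from the page, and the meaning of the dotted fields inside the .sdmp file names is not interpreted.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: abridged copies of two function records from the
# report above, with the "Download File" link text removed and the long
# CreateDirectoryA argument list shortened.
SAMPLE = r"""
APIs
• CreateDirectoryA.KERNEL32(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
• GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
APIs
• lstrcpynA.KERNEL32(?,10003024,?,10003020,1000138F,10003020,00000400), ref: 10001454
• GlobalFree.KERNELBASE(10003020), ref: 10001464
Memory Dump Source
• Source File: 00000008.00000002.3971356135.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_4CC4.jbxd
Similarity
• API ID: FreeGloballstrcpyn
• API String ID: 1459762280-0
"""

# One "• Func.MODULE(args), ref: ADDR" line.  The greedy args group tolerates
# ')' inside string arguments because the match is anchored on ", ref: ".
API_RE = re.compile(
    r"^• (?P<func>\w+)\.(?P<module>[\w.]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
SECTIONS = ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")


@dataclass
class ApiCall:
    func: str
    module: str
    args: list   # raw argument strings; a string argument containing ',' is split too
    ref: int     # call-site address inside the dumped image


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    source_file: str = ""
    image_base: int = 0
    based_on_pe: bool = False
    associated: list = field(default_factory=list)
    snapshot: str = ""
    fields: dict = field(default_factory=dict)   # API ID, fuzzy hashes, ...


def parse_records(text: str) -> list:
    """Split report text into one FunctionRecord per 'APIs' block."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = FunctionRecord()
            records.append(rec)
            section = "APIs"
        elif line in SECTIONS:
            section = line
        elif rec is not None and line.startswith("• "):
            _add_bullet(rec, section, line)
    return records


def _add_bullet(rec, section, line):
    if section == "APIs":
        m = API_RE.match(line)
        if m:
            rec.calls.append(ApiCall(m["func"], m["module"],
                                     m["args"].split(","), int(m["ref"], 16)))
        return
    key, _, value = line[2:].partition(":")
    key, value = key.strip(), value.strip()
    if key == "Source File":
        # value is "<dump>, Offset: <base>, based on PE: <bool>"
        name, _, rest = value.partition(", Offset: ")
        base, _, pe = rest.partition(", based on PE: ")
        rec.source_file, rec.image_base = name, int(base, 16)
        rec.based_on_pe = pe.lower() == "true"
    elif key == "Associated":
        rec.associated.append(value)
    elif key == "Snapshot File":
        rec.snapshot = value
    else:
        rec.fields[key] = value


def calls_by_image(records) -> dict:
    """Map image base -> sorted 'Func.MODULE' names called from that image."""
    out = {}
    for r in records:
        out.setdefault(r.image_base, set()).update(
            f"{c.func}.{c.module}" for c in r.calls)
    return {base: sorted(names) for base, names in out.items()}


def find_calls(records, func: str) -> list:
    """All (call-site address, args) for one API name, to pivot from a
    behaviour signature to the code that triggers it."""
    return [(c.ref, c.args) for r in records for c in r.calls if c.func == func]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for base, names in calls_by_image(recs).items():
        print(f"{base:#010x}: {', '.join(names)}")
    for ref, args in find_calls(recs, "GlobalFree"):
        print(f"GlobalFree called at {ref:#010x} with {args}")
```

Because the report does not quote string arguments, `args` is a naive comma split; a string argument that itself contains commas will be broken into several entries, so treat `args` as a hint and use `ref` as the authoritative pivot into the dump.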

APIs
• RegOpenKeyExA.KERNEL32(00000000,?,00000000,?,?,00420530,?,?,0040629C,00420530,?,?,?,00000002,C:\Windows\wininit.ini), ref: 00406232
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Open
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 71445658-0
                                                                                                                                                                                                                            • Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                                                                                                                                                                                            • Instruction ID: e678259d492eddc69303d735af6c58fa5eb03465f078c5ba6a1a088e01eebb4c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 64D0123244020DBBDF116F90ED01FAB3B1DEB18350F014826FE06A80A1D775D530A725
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040616B
                                                                                                                                                                                                                              • Part of subcall function 00405FF1: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
                                                                                                                                                                                                                              • Part of subcall function 00405FF1: GetShortPathNameA.KERNEL32(?,NUL,00000400), ref: 0040602B
                                                                                                                                                                                                                              • Part of subcall function 00405FF1: GetShortPathNameA.KERNEL32(?,C:\Windows\wininit.ini,00000400), ref: 00406048
                                                                                                                                                                                                                              • Part of subcall function 00405FF1: wsprintfA.USER32 ref: 00406066
                                                                                                                                                                                                                              • Part of subcall function 00405FF1: GetFileSize.KERNEL32(00000000,00000000,C:\Windows\wininit.ini,C0000000,00000004,C:\Windows\wininit.ini,?,?,?,?,?), ref: 004060A1
                                                                                                                                                                                                                              • Part of subcall function 00405FF1: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
                                                                                                                                                                                                                              • Part of subcall function 00405FF1: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
                                                                                                                                                                                                                              • Part of subcall function 00405FF1: SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,NUL=C:\Users\user\AppData\Local\Temp\nsm4B00.tmp\,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
                                                                                                                                                                                                                              • Part of subcall function 00405FF1: GlobalFree.KERNEL32(00000000), ref: 0040614F
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: File$GlobalNamePathShort$AllocCloseFreeHandleMovePointerSizelstrcpywsprintf
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 299535525-0
                                                                                                                                                                                                                            • Opcode ID: e5ed7b2843c229ea28ef8c1ce415cb2f1f2a9dfc0e88d0e1822b60b3228602b1
                                                                                                                                                                                                                            • Instruction ID: 0556bd0dd0e376f9d1944fcc72f0db357db156cd0d89a75f2f72d3c973fa690a
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e5ed7b2843c229ea28ef8c1ce415cb2f1f2a9dfc0e88d0e1822b60b3228602b1
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F0D0C731108602FFDB111B10ED0591B7BA5FF90355F11943EF599940B1DB368461DF09
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FilePointer
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 973152223-0
                                                                                                                                                                                                                            • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                                                                                                                                                                                            • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                                                                                                                                                                              • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                                                                                                                                                                              • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                                                                                                                                                                              • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                                                                                                                                                                              • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                                                                                                                                                                              • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                                                                                                                                                                              • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                                                                                                                                                                                              • Part of subcall function 00405A21: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
                                                                                                                                                                                                                              • Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
                                                                                                                                                                                                                              • Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
                                                                                                                                                                                                                              • Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
                                                                                                                                                                                                                              • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2972824698-0
                                                                                                                                                                                                                            • Opcode ID: 5a6c6c0fb7ef29f4985f4766a88127bea2ca1a19b834f4a1a12170b8a3b172af
                                                                                                                                                                                                                            • Instruction ID: dce1314ccbc215d7d9c334b017be086f7c4cc40ba0f87dfe0d8145fd67a5eb82
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5a6c6c0fb7ef29f4985f4766a88127bea2ca1a19b834f4a1a12170b8a3b172af
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2DF0B432A05121DBDB20BFA59EC49EEB2A4DF41318B25463FF502B21D1CB7C4D418A6E
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetDlgItem.USER32(?,00000403), ref: 00405646
                                                                                                                                                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00405655
                                                                                                                                                                                                                            • GetClientRect.USER32(?,?), ref: 00405692
                                                                                                                                                                                                                            • GetSystemMetrics.USER32(00000002), ref: 00405699
                                                                                                                                                                                                                            • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056BA
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056CB
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001001,00000000,?), ref: 004056DE
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001026,00000000,?), ref: 004056EC
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001024,00000000,?), ref: 004056FF
                                                                                                                                                                                                                            • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405721
                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000008), ref: 00405735
                                                                                                                                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00405756
                                                                                                                                                                                                                            • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405766
                                                                                                                                                                                                                            • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040577F
                                                                                                                                                                                                                            • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040578B
                                                                                                                                                                                                                            • GetDlgItem.USER32(?,000003F8), ref: 00405664
                                                                                                                                                                                                                              • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
                                                                                                                                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004057A7
                                                                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000557B,00000000), ref: 004057B5
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004057BC
                                                                                                                                                                                                                            • ShowWindow.USER32(00000000), ref: 004057DF
                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000008), ref: 004057E6
                                                                                                                                                                                                                            • ShowWindow.USER32(00000008), ref: 0040582C
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
                                                                                                                                                                                                                            • CreatePopupMenu.USER32 ref: 00405871
                                                                                                                                                                                                                            • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
                                                                                                                                                                                                                            • GetWindowRect.USER32(?,000000FF), ref: 004058A6
                                                                                                                                                                                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
                                                                                                                                                                                                                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
                                                                                                                                                                                                                            • OpenClipboard.USER32(00000000), ref: 0040590B
                                                                                                                                                                                                                            • EmptyClipboard.USER32 ref: 00405911
                                                                                                                                                                                                                            • GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
                                                                                                                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00405924
                                                                                                                                                                                                                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
                                                                                                                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405951
                                                                                                                                                                                                                            • SetClipboardData.USER32(00000001,00000000), ref: 0040595C
                                                                                                                                                                                                                            • CloseClipboard.USER32 ref: 00405962
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                                                            • String ID: PB
                                                                                                                                                                                                                            • API String ID: 590372296-3196168531
                                                                                                                                                                                                                            • Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                                                                                                                                                                                                                            • Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetDlgItem.USER32(?,000003FB), ref: 004048E6
                                                                                                                                                                                                                            • SetWindowTextA.USER32(00000000,?), ref: 00404910
                                                                                                                                                                                                                            • SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
                                                                                                                                                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 004049CC
                                                                                                                                                                                                                            • lstrcmpiA.KERNEL32(C:\Windows\wininit.ini,00420D50), ref: 004049FE
                                                                                                                                                                                                                            • lstrcatA.KERNEL32(?,C:\Windows\wininit.ini), ref: 00404A0A
                                                                                                                                                                                                                            • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C
                                                                                                                                                                                                                              • Part of subcall function 00405A82: GetDlgItemTextA.USER32(?,?,00000400,00404A53), ref: 00405A95
                                                                                                                                                                                                                              • Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\4CC4.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
                                                                                                                                                                                                                              • Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\4CC4.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
                                                                                                                                                                                                                              • Part of subcall function 00406666: CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\4CC4.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
                                                                                                                                                                                                                              • Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\4CC4.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
                                                                                                                                                                                                                            • GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
                                                                                                                                                                                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5
                                                                                                                                                                                                                              • Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                                                                                                                                                                                                                              • Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
                                                                                                                                                                                                                              • Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                                            • String ID: A$C:\Users\user\AppData\Roaming\GamePall$C:\Windows\wininit.ini$PB
                                                                                                                                                                                                                            • API String ID: 2624150263-292181263
                                                                                                                                                                                                                            • Opcode ID: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
                                                                                                                                                                                                                            • Instruction ID: 03633cdec68ae3b48ba4c7d33c4768738bfb21d85bfcf2e4b9185cba9ee35c0f
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7DA150B1A00208AADB11EFA5DD45BAFB6B8EF84315F10803BF601B62D1D77C99418F6D
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
                                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            • C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00402238
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ByteCharCreateInstanceMultiWide
                                                                                                                                                                                                                            • String ID: C:\Users\user\AppData\Roaming\GamePall\update
                                                                                                                                                                                                                            • API String ID: 123533781-2725132131
                                                                                                                                                                                                                            • Opcode ID: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
                                                                                                                                                                                                                            • Instruction ID: 4a55140eb955682c0845ac661669d1effe53c60cfc8a987c49de3bb9103baba8
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B2513575A00208AFDF10DFE4CA88A9D7BB5EF48314F2045BAF505EB2D1DA799981CB54
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B9
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FileFindFirst
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1974802433-0
                                                                                                                                                                                                                            • Opcode ID: 3697544f2be0618a58616ff40495ed399055e36512a5e022deae8fba2564a7e1
                                                                                                                                                                                                                            • Instruction ID: 9767438fe71d1176ff9aac627a01f72906af616df08219c0cc944b63bddc0547
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3697544f2be0618a58616ff40495ed399055e36512a5e022deae8fba2564a7e1
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CCF0A0726082049AD710EBA49A49AEEB7689F51324F60057BF142F20C1D6B889459B2A
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetDlgItem.USER32(?,000003F9), ref: 00404E21
                                                                                                                                                                                                                            • GetDlgItem.USER32(?,00000408), ref: 00404E2E
                                                                                                                                                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E7D
                                                                                                                                                                                                                            • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E94
                                                                                                                                                                                                                            • SetWindowLongA.USER32(?,000000FC,0040541D), ref: 00404EAE
                                                                                                                                                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EC0
                                                                                                                                                                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404ED4
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001109,00000002), ref: 00404EEA
                                                                                                                                                                                                                            • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404EF6
                                                                                                                                                                                                                            • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F06
                                                                                                                                                                                                                            • DeleteObject.GDI32(00000110), ref: 00404F0B
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F36
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F42
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404FDC
                                                                                                                                                                                                                            • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 0040500C
                                                                                                                                                                                                                              • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00405020
                                                                                                                                                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 0040504E
                                                                                                                                                                                                                            • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040505C
                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000005), ref: 0040506C
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00000419,00000000,?), ref: 00405167
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051CC
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004051E1
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405205
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405225
                                                                                                                                                                                                                            • ImageList_Destroy.COMCTL32(?), ref: 0040523A
                                                                                                                                                                                                                            • GlobalFree.KERNEL32(?), ref: 0040524A
                                                                                                                                                                                                                            • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052C3
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001102,?,?), ref: 0040536C
                                                                                                                                                                                                                            • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040537B
                                                                                                                                                                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004053A6
                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000000), ref: 004053F4
                                                                                                                                                                                                                            • GetDlgItem.USER32(?,000003FE), ref: 004053FF
                                                                                                                                                                                                                            • ShowWindow.USER32(00000000), ref: 00405406
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 2564846305-813528018
• Opcode ID: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
• Instruction ID: c306c4130ea67d8582adb4b0d0e706bf782d7aff15223233fd0d43401108afdf
• Opcode Fuzzy Hash: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
• Instruction Fuzzy Hash: 6C025CB0A00609AFDB209F94DD45AAE7BB5FB84354F10817AF610BA2E1D7789D42CF58
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
• ShowWindow.USER32(?), ref: 00403F67
• GetWindowLongA.USER32(?,000000F0), ref: 00403F79
• ShowWindow.USER32(?,00000004), ref: 00403F92
• DestroyWindow.USER32 ref: 00403FA6
• SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FBF
• GetDlgItem.USER32(?,?), ref: 00403FDE
• SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403FF2
• IsWindowEnabled.USER32(00000000), ref: 00403FF9
• GetDlgItem.USER32(?,00000001), ref: 004040A4
• GetDlgItem.USER32(?,00000002), ref: 004040AE
• SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
• SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404119
• GetDlgItem.USER32(?,00000003), ref: 004041BF
• ShowWindow.USER32(00000000,?), ref: 004041E0
• EnableWindow.USER32(?,?), ref: 004041F2
• EnableWindow.USER32(?,?), ref: 0040420D
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
• EnableMenuItem.USER32(00000000), ref: 0040422A
• SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404242
• SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404255
• lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
• SetWindowTextA.USER32(?,00420D50), ref: 0040428E
• ShowWindow.USER32(?,0000000A), ref: 004043C2
Strings
Similarity
• API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
• String ID: PB
• API String ID: 1860320154-3196168531
• Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
• Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
• Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
• Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D
APIs
• CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004045FB
• GetDlgItem.USER32(00000000,000003E8), ref: 0040460F
• SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040462D
• GetSysColor.USER32(?), ref: 0040463E
• SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040464D
• SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040465C
• lstrlenA.KERNEL32(?), ref: 0040465F
• SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040466E
• SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404683
• GetDlgItem.USER32(?,0000040A), ref: 004046E5
• SendMessageA.USER32(00000000), ref: 004046E8
• GetDlgItem.USER32(?,000003E8), ref: 00404713
• SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404753
• LoadCursorA.USER32(00000000,00007F02), ref: 00404762
• SetCursor.USER32(00000000), ref: 0040476B
• LoadCursorA.USER32(00000000,00007F00), ref: 00404781
• SetCursor.USER32(00000000), ref: 00404784
• SendMessageA.USER32(00000111,00000001,00000000), ref: 004047B0
• SendMessageA.USER32(00000010,00000000,00000000), ref: 004047C4
Strings
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: N$6B
• API String ID: 3103080414-649610290
• Opcode ID: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
• Instruction ID: 424ea1d81b5f8fd67bb79b8421ee67f108f717641e3cc5fc4ea293435da972af
• Opcode Fuzzy Hash: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
• Instruction Fuzzy Hash: CE6190B1A40208BFDB109F61DD45B6A7B69FB84715F10843AFB01BB2D1C7B8A951CF98
APIs
• DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                                                            • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                                                                                                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                                                            • DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                                                                            • String ID: F
                                                                                                                                                                                                                            • API String ID: 941294808-1304234792
                                                                                                                                                                                                                            • Opcode ID: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                                                                                                                                                                                                                            • Instruction ID: bc851ab26da2bb863bf3a2ee07eb2f950de800ada4cbee7b2d64f78586a04119
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2C419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C734DA55DFA4
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                                                                                                                                                                            • lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                                                                                                                                                                            • lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                                                                                                                                                                            • SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID: 4/@
• API String ID: 2531174081-3101945251
• Opcode ID: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
• Instruction ID: 7ab3267fb946cf8e7efc5916356ec1270af3577e2396c2c3629ce5ef3fcb69de
• Opcode Fuzzy Hash: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
• Instruction Fuzzy Hash: 0F217A71E00118BBCF119FA5DD8099EBFB9EF09354F04807AF944A6291C7788A90CFA8
APIs
• CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\4CC4.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
• CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\4CC4.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
• CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\4CC4.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
• CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\4CC4.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00406667
• C:\Users\user\AppData\Local\Temp\4CC4.exe, xrefs: 00406666
• *?|<>/":, xrefs: 004066AE
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Char$Next$Prev
                                                                                                                                                                                                                            • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\4CC4.exe
                                                                                                                                                                                                                            • API String ID: 589700163-256841208
APIs
• DestroyWindow.USER32(?,00000000), ref: 00402ED5
• GetTickCount.KERNEL32 ref: 00402EF3
• wsprintfA.USER32 ref: 00402F21
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
• CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
• ShowWindow.USER32(00000000,00000005), ref: 00402F53
  • Part of subcall function 00402EA1: MulDiv.KERNEL32(?,00000064,?), ref: 00402EB6
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Similarity
• API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
• String ID: ... %d%%$#Vh%.@
• API String ID: 722711167-1706192003
APIs
• GetWindowLongA.USER32(?,000000EB), ref: 00404489
• GetSysColor.USER32(00000000), ref: 004044C7
• SetTextColor.GDI32(?,00000000), ref: 004044D3
• SetBkMode.GDI32(?,?), ref: 004044DF
• GetSysColor.USER32(?), ref: 004044F2
• SetBkColor.GDI32(?,?), ref: 00404502
• DeleteObject.GDI32(?), ref: 0040451C
• CreateBrushIndirect.GDI32(?), ref: 00404526
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
APIs
• SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D73
• GetMessagePos.USER32 ref: 00404D7B
• ScreenToClient.USER32(?,?), ref: 00404D95
• SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DA7
• SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DCD
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
APIs
• CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
• GetLastError.KERNEL32 ref: 004059C6
• SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
• GetLastError.KERNEL32 ref: 004059E5
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: !9@$C:\Users\user\AppData\Local\Temp\
• API String ID: 3449924974-3700438604
• Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
• Instruction ID: 4cd508ff09270142ca7a6984d66ae253fefa4e1f6983b248f3af4f59f5a14231
• Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
• Instruction Fuzzy Hash: 610108B1D00259DAEF109BA0CA45BEFBBB8EB04354F00403AD645B6290D7789648CF99
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
• wsprintfA.USER32 ref: 00402E74
• SetWindowTextA.USER32(?,?), ref: 00402E84
• SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: unpacking data: %d%%$verifying installer: %d%%
• API String ID: 1451636040-1158693248
• Opcode ID: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
• Instruction ID: 7ad4584a5e884be7344c254f70e0401137e7e46ce86c3cf658bb2ab9d23be74a
• Opcode Fuzzy Hash: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
• Instruction Fuzzy Hash: 1DF01D7054020DBAEF219F60DE0ABAE3769EB44344F00803AFA16B91D0DBB899558F99
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
• GlobalFree.KERNEL32(?), ref: 004028A4
• GlobalFree.KERNEL32(00000000), ref: 004028B7
• CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
• Opcode ID: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
• Instruction ID: cd924008ac91bdcd896aacfcc8aadc4f9c7de1b4393fc14a433ce499bdbf1d56
• Opcode Fuzzy Hash: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
• Instruction Fuzzy Hash: D931AC32800128ABDF216FA5DE49D9E7A75FF08364F24423AF450B62D0CB7949419F68
APIs
• OpenProcess.KERNEL32(00100401,00000000,?,0000025E,?,00000000,?), ref: 10001054
• EnumWindows.USER32(10001007,?), ref: 10001074
• GetExitCodeProcess.KERNEL32(00000000,?), ref: 10001084
• WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 1000109D
• TerminateProcess.KERNEL32(00000000,00000000), ref: 100010AE
• CloseHandle.KERNEL32(00000000), ref: 100010C5
Memory Dump Source
• Source File: 00000008.00000002.3971356135.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_4CC4.jbxd
Similarity
• API ID: Process$CloseCodeEnumExitHandleObjectOpenSingleTerminateWaitWindows
• String ID:
• API String ID: 3465249596-0
• Opcode ID: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
• Instruction ID: 6b4dcd5717a232181223c093e4f4244ae1ce1555a3c8e15b92772d9ea2fb9ae7
• Opcode Fuzzy Hash: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
• Instruction Fuzzy Hash: 5211E235A00299EFFB00DFA5CCC8AEE77BCEB456C5F014069FA4192149D7B49981CB62
APIs
• lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
• wsprintfA.USER32 ref: 00404CF4
• SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
Strings
Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$PB
• API String ID: 3540041739-838025833
• Opcode ID: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
• Instruction ID: 635705270cf82d3fa6c033b13715314544988666452c3f341a93ad76d23c3d90
• Opcode Fuzzy Hash: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
• Instruction Fuzzy Hash: 5F11E77360512837EB00656D9D45EAE3298DB85374F26423BFE26F71D1E978CC1286E8
APIs
• RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: CloseEnum$DeleteValue
• String ID:
• API String ID: 1354259210-0
• Opcode ID: 6a17d2dfc8014f9998472e4bb2df9c50261cd009cc462a72ab7525fe56808e65
• Instruction ID: 1f7d8097ab2fb743d310579a2b4365e3e31c1a4ec17ce584dda370d325fd3950
• Opcode Fuzzy Hash: 6a17d2dfc8014f9998472e4bb2df9c50261cd009cc462a72ab7525fe56808e65
• Instruction Fuzzy Hash: 1D214B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AF955B11A0D7B49EA49AA8
APIs
• GetDlgItem.USER32(?,?), ref: 00401D7E
• GetClientRect.USER32(?,?), ref: 00401DCC
• LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
• SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
• DeleteObject.GDI32(00000000), ref: 00401E20
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
• Instruction ID: cb7cd4706ec086029cb46641885d9617bace417a5341e65c45b3777010ef1041
• Opcode Fuzzy Hash: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
• Instruction Fuzzy Hash: 35212A72E00109AFDF15DFA4DD85AAEBBB5EB88300F24417EF911F62A0DB389941DB14
APIs
• GetDC.USER32(?), ref: 00401E38
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
• MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
• ReleaseDC.USER32(?,00000000), ref: 00401E6B
• CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
APIs
• SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
• SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
APIs
• lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
• CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
• lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-823278215
APIs
• CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\4CC4.exe), ref: 00405DC1
• CharNextA.USER32(00000000), ref: 00405DC6
• CharNextA.USER32(00000000), ref: 00405DDA
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: CharNext
• String ID: C:\
• API String ID: 3213498283-3404278061
APIs
• IsWindowVisible.USER32(?), ref: 0040544C
• CallWindowProcA.USER32(?,?,?,?), ref: 0040549D
  • Part of subcall function 00404451: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404463
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3969103964.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969231444.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969284133.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3969477796.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3969477796.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3748168415-3916222277
                                                                                                                                                                                                                            • Opcode ID: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
                                                                                                                                                                                                                            • Instruction ID: ce4d6245f7a5538c18ae28323cba1b5bdda0ccdff68052f186ad3da5f1ae13b7
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2A015E31200608AFDF216F51DD80BAF3A66EB84716F104537FA05761D2C7799CD29F6A
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Windows\wininit.ini,00420530,?,?,?,00000002,C:\Windows\wininit.ini,?,00406527,80000002), ref: 004062B5
• RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Windows\wininit.ini,C:\Windows\wininit.ini,C:\Windows\wininit.ini,?,00420530), ref: 004062C0
Strings
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: C:\Windows\wininit.ini
• API String ID: 3356406503-2725141966
• Opcode ID: b5b3bad3c76d40b2ede80ce474e794f1db4bf40d8bfbb80b5b2804fbfeedd4a0
• Instruction ID: 5c8aa4f59809ec7c4ed175be077f356401e74c3ba082423fbe1b6bbc42bea5f4
• Opcode Fuzzy Hash: b5b3bad3c76d40b2ede80ce474e794f1db4bf40d8bfbb80b5b2804fbfeedd4a0
• Instruction Fuzzy Hash: 8101BC72100209ABDF229F60CC09FDB3FA8EF45364F01407AFD56A6190D638C974CBA8
APIs
• lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\4CC4.exe,C:\Users\user\AppData\Local\Temp\4CC4.exe,80000000,00000003), ref: 00405D67
• CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\4CC4.exe,C:\Users\user\AppData\Local\Temp\4CC4.exe,80000000,00000003), ref: 00405D75
Strings
• C:\Users\user\AppData\Local\Temp, xrefs: 00405D61
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\AppData\Local\Temp
• API String ID: 2709904686-1943935188
• Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
• Instruction ID: 27c40c0738421aba4af956c8f0f705930dfe744a77a65273bf6dbb66402e0641
• Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
• Instruction Fuzzy Hash: CBD0A772409D706EE31353208C04B8F6A48CF13300F0D4063E481A6190C2785C424BFD
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
• CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
• lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
Memory Dump Source
• Source File: 00000008.00000002.3969169818.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_4CC4.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
• Instruction ID: 98ea32bb50e75ca8be10b873c57fc005eda9f523d07111d413316ed06cfa332a
• Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
• Instruction Fuzzy Hash: 5FF06235104918AFCB129BA5DD4099EBFA8EF55350B2540B9E880F7211D674DF019BA9

                                                                                                                                                                                                                            Execution Graph

                                                                                                                                                                                                                            Execution Coverage:1.2%
                                                                                                                                                                                                                            Dynamic/Decrypted Code Coverage:21.8%
                                                                                                                                                                                                                            Signature Coverage:3.3%
                                                                                                                                                                                                                            Total number of Nodes:1544
                                                                                                                                                                                                                            Total number of Limit Nodes:79
execution_graph (rendered as an interactive graph in the report; the raw node/edge listing, which is cut off after node 146641, is condensed here to the API-call chains it records; addresses are as listed, "N API calls" marks a collapsed subroutine)

• Entry bd5ed9 (main module): repeated LoadLibraryA (bd61f5) / GetProcAddress (bd6854, bd8735, bd99e8, bdb6bb) import resolution, each step interleaved with calls into the helper routines bd1d90 (15 API calls), bd1de0 (20 API calls) and c34870 (15 API calls); FreeLibrary (bdc6e5, bdf074) on the failure branches returns to the common exit bd6205
• WinINet download on the same path: InternetOpenA (bdea38) → InternetOpenUrlA (bdf6f6) → InternetReadFile (bdf782) in a loop through bdf7b2, which hands each chunk to be4c60 (allocator / shared_ptr helpers, bd19b0, be3fc0 41 API calls, be3410 39 API calls) → FreeLibrary (bdf7bb); std::runtime_error and std::ios_base::failure constructors on the error paths, both ending in bd4120 (39 API calls) before the exit at bd6205
• Runtime helpers reached from the above: RtlAllocateHeap (c3ac3e) under EnterCriticalSection / LeaveCriticalSection (c37694), RaiseException (c3106c; be3d80 stdext::threads::lock_error)
• Entry bf7eea: VirtualAlloc (be8b77, be9815) followed by the same bd1d90 / bd1de0 / c34870 helper pattern; RaiseException (c3106c) on the allocation-failure branch
• Entry be14b9: be3fe0 resolves an export via GetModuleHandleA + GetProcAddress (be4a6d) and then calls VirtualProtect three times (twice at be4b3a, once at be4b84) around a copy loop at c30928, a sequence consistent with patching the resolved export in place; be306a then does LoadLibraryA → CreateThread → WaitForSingleObject → FreeLibrary, the new thread entering a separate region at 38d21f5
• Thread entry 38d21f5 (second region): InitializeCriticalSectionAndSpinCount → CreateMutexA (38d2219) → GetLastError (38d2235) → either ExitProcess (38d2678) or continue at 38d2246; heap allocation via EnterCriticalSection / GetProcessHeap / RtlAllocateHeap / LeaveCriticalSection (38d3508, 38d3d76); GetModuleHandleA (38d46d4); GetUserDefaultUILanguage (38d1f2d) followed by a three-way branch to ExitProcess (38d23dd, 38d2412, 38d2447); repeated calls into 38d5239 (4 API calls), 38d35db (11 API calls) and 38d3536 (2 API calls); DeleteCriticalSection (38d264f) before ExitProcess
146506->146641 146508 38d2599 146509 38d25b2 146508->146509 146510 38d25a2 GetModuleFileNameW 146508->146510 146511 38d5239 4 API calls 146509->146511 146510->146509 146512 38d25cc 146511->146512 146513 38d5239 4 API calls 146512->146513 146514 38d25d7 146513->146514 146515 38d3536 2 API calls 146514->146515 146515->146460 146517 38d3bda 146516->146517 146642 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146517->146642 146519 38d3be5 146519->146446 146521 38d46d4 2 API calls 146520->146521 146522 38d4812 146521->146522 146523 38d5239 4 API calls 146522->146523 146528 38d2283 146522->146528 146524 38d4828 146523->146524 146525 38d5239 4 API calls 146524->146525 146526 38d4833 146525->146526 146527 38d5239 4 API calls 146526->146527 146527->146528 146528->146449 146529 38d35db 146528->146529 146643 38d2c08 146529->146643 146532 38d484b 146533 38d4860 VirtualAlloc 146532->146533 146536 38d22c4 146532->146536 146534 38d487f 146533->146534 146533->146536 146535 38d46d4 2 API calls 146534->146535 146537 38d48a1 146535->146537 146536->146449 146542 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146536->146542 146537->146536 146538 38d48d0 GetCurrentProcess IsWow64Process 146537->146538 146540 38d5239 4 API calls 146538->146540 146541 38d48fa 146540->146541 146541->146536 146542->146456 146543->146458 146544->146463 146546 38d46f2 LoadLibraryA 146545->146546 146547 38d46ff 146545->146547 146546->146547 146547->146467 146549 38d1fa0 146548->146549 146550 38d35db 11 API calls 146549->146550 146551 38d1fd8 146550->146551 146552 38d35db 11 API calls 146551->146552 146553 38d1fe7 GetKeyboardLayoutList 146552->146553 146554 38d2042 146553->146554 146558 38d2001 146553->146558 146555 38d35db 11 API calls 146554->146555 146556 38d204e 146555->146556 146556->146473 146556->146475 146557 38d35db 11 API calls 146557->146558 146558->146554 146558->146557 146560 38d4bb8 146559->146560 146561 38d2468 CreateThread 
CreateThread WaitForMultipleObjects 146559->146561 146562 38d46d4 2 API calls 146560->146562 146586 38d19df 146561->146586 146818 38d1d3c 146561->146818 146834 38d519f 146561->146834 146563 38d4be9 146562->146563 146563->146561 146564 38d46d4 2 API calls 146563->146564 146565 38d4bfe 146564->146565 146565->146561 146566 38d4c06 KiUserCallbackDispatcher GetSystemMetrics 146565->146566 146567 38d4c2b 146566->146567 146568 38d4c51 GetDC 146567->146568 146568->146561 146569 38d4c65 GetCurrentObject 146568->146569 146570 38d4c78 GetObjectW 146569->146570 146571 38d4e17 ReleaseDC 146569->146571 146570->146571 146572 38d4c8f 146570->146572 146571->146561 146573 38d35db 11 API calls 146572->146573 146574 38d4caf DeleteObject CreateCompatibleDC 146573->146574 146574->146571 146575 38d4d24 CreateDIBSection 146574->146575 146576 38d4d45 SelectObject 146575->146576 146577 38d4e10 DeleteDC 146575->146577 146578 38d4e09 DeleteObject 146576->146578 146579 38d4d55 BitBlt 146576->146579 146577->146571 146578->146577 146579->146578 146580 38d4d7a 146579->146580 146658 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146580->146658 146582 38d4d85 146582->146578 146583 38d3d76 10 API calls 146582->146583 146584 38d4dfe 146583->146584 146585 38d3536 2 API calls 146584->146585 146585->146578 146587 38d19ed 146586->146587 146591 38d1a26 146586->146591 146589 38d1a09 146587->146589 146659 38d1000 146587->146659 146590 38d1000 57 API calls 146589->146590 146589->146591 146590->146591 146592 38d2054 146591->146592 146813 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146592->146813 146594 38d2103 GetCurrentHwProfileA 146595 38d212d GetSystemInfo 146594->146595 146596 38d2117 146594->146596 146598 38d35db 11 API calls 146595->146598 146597 38d35db 11 API calls 146596->146597 146600 38d212a 146597->146600 146601 38d214f 146598->146601 146599 38d2079 146599->146594 146600->146595 146602 38d3536 2 API calls 146601->146602 146603 
38d2159 GlobalMemoryStatusEx 146602->146603 146604 38d35db 11 API calls 146603->146604 146607 38d2188 146604->146607 146605 38d21db EnumDisplayDevicesA 146606 38d21ee ObtainUserAgentString 146605->146606 146605->146607 146606->146492 146606->146493 146607->146605 146608 38d35db 11 API calls 146607->146608 146608->146607 146610 38d3ea4 LeaveCriticalSection 146609->146610 146611 38d3d98 146609->146611 146610->146462 146611->146610 146814 38d3d1c 6 API calls 146611->146814 146613 38d3dc1 146613->146610 146815 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146613->146815 146615 38d3dec 146816 38d6c7f EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146615->146816 146617 38d3df6 146618 38d3536 2 API calls 146617->146618 146619 38d3e4f 146618->146619 146620 38d3536 2 API calls 146619->146620 146621 38d3e9f 146620->146621 146621->146610 146623 38d2605 146622->146623 146624 38d353a GetProcessHeap RtlFreeHeap 146622->146624 146623->146468 146624->146623 146626 38d46d4 2 API calls 146625->146626 146628 38d53f0 146626->146628 146627 38d53f8 146627->146478 146628->146627 146629 38d546d socket 146628->146629 146629->146627 146630 38d5491 146629->146630 146630->146627 146631 38d54b1 connect 146630->146631 146632 38d54c8 send 146631->146632 146633 38d5517 Sleep 146631->146633 146632->146633 146634 38d54ea send 146632->146634 146633->146630 146634->146633 146635 38d5506 146634->146635 146636 38d3536 2 API calls 146635->146636 146636->146627 146638 38d525c 146637->146638 146640 38d5288 146637->146640 146638->146640 146817 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146638->146817 146640->146496 146641->146508 146642->146519 146644 38d2c18 146643->146644 146654 38d2c26 146643->146654 146655 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146644->146655 146646 38d2c76 146647 38d22a9 146646->146647 146657 38d51f6 EnterCriticalSection GetProcessHeap 
RtlAllocateHeap LeaveCriticalSection 146646->146657 146647->146532 146649 38d3036 146650 38d3536 2 API calls 146649->146650 146650->146647 146652 38d2e29 WideCharToMultiByte 146652->146654 146653 38d2eb1 WideCharToMultiByte 146653->146654 146654->146646 146654->146652 146654->146653 146656 38d2991 WideCharToMultiByte IsDBCSLeadByte WideCharToMultiByte __aulldvrm 146654->146656 146655->146654 146656->146654 146657->146649 146658->146582 146660 38d101e 146659->146660 146661 38d1412 146659->146661 146660->146661 146696 38d407d GetFileAttributesW 146660->146696 146661->146589 146663 38d1035 146663->146661 146697 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146663->146697 146665 38d1049 146698 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146665->146698 146667 38d1052 146673 38d13d5 146667->146673 146699 38d3600 146667->146699 146668 38d3536 2 API calls 146670 38d140b 146668->146670 146671 38d3536 2 API calls 146670->146671 146671->146661 146673->146668 146674 38d13bd FindNextFileW 146674->146673 146684 38d1173 146674->146684 146676 38d3600 7 API calls 146676->146684 146677 38d3eb6 41 API calls 146677->146684 146678 38d1389 146679 38d40ba 15 API calls 146678->146679 146678->146684 146692 38d3600 7 API calls 146678->146692 146693 38d3efc 43 API calls 146678->146693 146756 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146678->146756 146757 38d3eb6 146678->146757 146679->146678 146684->146674 146684->146676 146684->146677 146684->146678 146685 38d1662 EnterCriticalSection 146684->146685 146686 38d3536 GetProcessHeap RtlFreeHeap 146684->146686 146690 38d3d76 10 API calls 146684->146690 146694 38d1000 53 API calls 146684->146694 146702 38d446c 146684->146702 146734 38d369c 146684->146734 146738 38d1a62 146684->146738 146746 38d1c94 146684->146746 146753 38d1ba5 146684->146753 146790 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 
146684->146790 146764 38d4e27 146685->146764 146686->146684 146690->146684 146692->146678 146693->146678 146694->146684 146696->146663 146697->146665 146698->146667 146791 38d3084 146699->146791 146800 38d407d GetFileAttributesW 146702->146800 146704 38d447e 146705 38d46cd 146704->146705 146801 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146704->146801 146705->146684 146707 38d4494 146708 38d46c5 146707->146708 146709 38d3600 7 API calls 146707->146709 146710 38d3536 2 API calls 146708->146710 146711 38d44b1 146709->146711 146710->146705 146712 38d44cf EnterCriticalSection 146711->146712 146713 38d4539 LeaveCriticalSection 146712->146713 146714 38d459b 146713->146714 146715 38d4552 146713->146715 146714->146708 146717 38d45be EnterCriticalSection 146714->146717 146715->146714 146716 38d456f 146715->146716 146803 38d42ec 21 API calls 146716->146803 146719 38d45f5 LeaveCriticalSection 146717->146719 146721 38d460d 146719->146721 146722 38d4691 EnterCriticalSection 146719->146722 146720 38d4574 146720->146714 146723 38d4578 146720->146723 146802 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146721->146802 146727 38d46ba LeaveCriticalSection 146722->146727 146725 38d3536 2 API calls 146723->146725 146726 38d4580 146725->146726 146729 38d446c 29 API calls 146726->146729 146727->146708 146728 38d4617 146728->146722 146731 38d4634 EnterCriticalSection 146728->146731 146730 38d4594 146729->146730 146730->146705 146732 38d4675 LeaveCriticalSection 146731->146732 146732->146722 146733 38d4689 146732->146733 146733->146722 146735 38d36b0 146734->146735 146737 38d36b4 146735->146737 146804 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146735->146804 146737->146684 146739 38d1a7f 146738->146739 146740 38d1a7a 146738->146740 146743 38d1a84 146739->146743 146806 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146739->146806 146805 38d1a2d 
EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146740->146805 146743->146684 146745 38d1ab3 146745->146743 146807 38d1a4f GetProcessHeap RtlFreeHeap 146745->146807 146747 38d46d4 2 API calls 146746->146747 146748 38d1ccd 146747->146748 146749 38d1cdd CryptUnprotectData 146748->146749 146750 38d1cfa 146748->146750 146749->146750 146751 38d1d05 146749->146751 146750->146684 146751->146750 146752 38d1d0c CryptProtectData 146751->146752 146752->146750 146808 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146753->146808 146755 38d1bcb 146755->146684 146756->146678 146758 38d446c 37 API calls 146757->146758 146759 38d3ecc 146758->146759 146761 38d3d76 10 API calls 146759->146761 146763 38d3eeb 146759->146763 146760 38d3536 2 API calls 146762 38d3ef4 146760->146762 146761->146763 146762->146678 146763->146760 146765 38d4e49 146764->146765 146766 38d4e8a 146764->146766 146768 38d3600 7 API calls 146765->146768 146781 38d167e LeaveCriticalSection 146766->146781 146809 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146766->146809 146769 38d4e80 146768->146769 146811 38d407d GetFileAttributesW 146769->146811 146770 38d4eaa 146810 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146770->146810 146773 38d4eb4 146774 38d3600 7 API calls 146773->146774 146775 38d4ec2 FindFirstFileW 146774->146775 146776 38d5183 146775->146776 146789 38d4edf 146775->146789 146777 38d3536 2 API calls 146776->146777 146779 38d518a 146777->146779 146778 38d3600 7 API calls 146778->146789 146780 38d3536 2 API calls 146779->146780 146780->146781 146781->146684 146782 38d516b FindNextFileW 146782->146776 146782->146789 146783 38d3eb6 41 API calls 146783->146789 146784 38d4f84 EnterCriticalSection 146786 38d4e27 41 API calls 146784->146786 146787 38d4f9f LeaveCriticalSection 146786->146787 146787->146782 146788 38d4e27 41 API calls 146788->146789 146789->146778 146789->146782 
146789->146783 146789->146784 146789->146788 146812 38d407d GetFileAttributesW 146789->146812 146790->146684 146793 38d3090 146791->146793 146792 38d1156 FindFirstFileW 146792->146673 146792->146684 146793->146792 146795 38d329d IsDBCSLeadByte 146793->146795 146797 38d3308 IsDBCSLeadByte 146793->146797 146798 38d3329 MultiByteToWideChar 146793->146798 146799 38d2991 WideCharToMultiByte IsDBCSLeadByte WideCharToMultiByte __aulldvrm 146793->146799 146795->146793 146796 38d32aa MultiByteToWideChar 146795->146796 146796->146793 146797->146793 146798->146793 146799->146793 146800->146704 146801->146707 146802->146728 146803->146720 146804->146737 146805->146739 146806->146745 146807->146743 146808->146755 146809->146770 146810->146773 146811->146766 146812->146789 146813->146599 146814->146613 146815->146615 146816->146617 146817->146638 146819 38d1f25 146818->146819 146820 38d1d54 146818->146820 146820->146819 146821 38d3600 7 API calls 146820->146821 146822 38d1d75 FindFirstFileW 146821->146822 146822->146819 146823 38d1d94 146822->146823 146842 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146823->146842 146825 38d1f01 FindNextFileW 146827 38d1f1c 146825->146827 146832 38d1d9e 146825->146832 146826 38d3600 7 API calls 146826->146832 146828 38d3536 2 API calls 146827->146828 146828->146819 146830 38d3536 2 API calls 146830->146832 146831 38d1d3c 41 API calls 146831->146832 146832->146825 146832->146826 146832->146830 146832->146831 146833 38d3eb6 41 API calls 146832->146833 146843 38d408d 146832->146843 146833->146832 146835 38d51ad 146834->146835 146836 38d51ee 146834->146836 146849 38d3508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146835->146849 146838 38d51b7 146839 38d4e27 45 API calls 146838->146839 146840 38d51e7 146838->146840 146839->146838 146841 38d3536 2 API calls 146840->146841 146841->146836 146842->146832 146845 38d4095 146843->146845 146844 38d40a7 146844->146832 146845->146844 146848 
38d3657 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 146845->146848 146847 38d40b7 146847->146832 146848->146847 146849->146838 146850 c2fca5 146855 c2fcb9 ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState ___scrt_release_startup_lock 146850->146855 146851 c2fcbf 146852 c2fd40 146872 c305aa 146852->146872 146855->146851 146855->146852 146881 c3762e 39 API calls 3 library calls 146855->146881 146858 c2fd4e 146859 c2fd5b 146858->146859 146882 c305e0 GetModuleHandleW 146859->146882 146861 c2fd62 146862 c2fdd0 146861->146862 146863 c2fd66 146861->146863 146885 c381b7 21 API calls __FrameHandler3::FrameUnwindToState 146862->146885 146864 c2fd6f 146863->146864 146883 c3816c 21 API calls __FrameHandler3::FrameUnwindToState 146863->146883 146884 c2ffd0 75 API calls ___scrt_uninitialize_crt 146864->146884 146868 c2fdd6 146886 c3817b 21 API calls __FrameHandler3::FrameUnwindToState 146868->146886 146869 c2fd77 146869->146851 146871 c2fdde 146887 c30e90 146872->146887 146874 c305bd GetStartupInfoW 146875 c2fd46 146874->146875 146876 c37e0a 146875->146876 146888 c42f03 146876->146888 146878 c37e4d 146878->146858 146879 c37e13 146879->146878 146894 c431b6 39 API calls 146879->146894 146881->146852 146882->146861 146883->146864 146884->146869 146885->146868 146886->146871 146887->146874 146889 c42f0c 146888->146889 146890 c42f3e 146888->146890 146895 c3a9ab 146889->146895 146890->146879 146894->146879 146896 c3a9b6 146895->146896 146899 c3a9bc 146895->146899 146946 c3e015 6 API calls std::_Locinfo::_Locinfo_dtor 146896->146946 146901 c3a9c2 146899->146901 146947 c3e054 6 API calls std::_Locinfo::_Locinfo_dtor 146899->146947 146900 c3a9d6 146900->146901 146902 c3a9da 146900->146902 146905 c3a9c7 146901->146905 146955 c37134 39 API calls __FrameHandler3::FrameUnwindToState 146901->146955 146948 c3db5d 14 API calls 2 library calls 146902->146948 146923 c42d0e 146905->146923 146906 c3a9e6 146908 c3aa03 146906->146908 146909 
c3a9ee 146906->146909 146951 c3e054 6 API calls std::_Locinfo::_Locinfo_dtor 146908->146951 146949 c3e054 6 API calls std::_Locinfo::_Locinfo_dtor 146909->146949 146912 c3a9fa 146950 c3abdb 14 API calls __dosmaperr 146912->146950 146913 c3aa0f 146914 c3aa13 146913->146914 146915 c3aa22 146913->146915 146952 c3e054 6 API calls std::_Locinfo::_Locinfo_dtor 146914->146952 146953 c3a71e 14 API calls __dosmaperr 146915->146953 146919 c3aa2d 146954 c3abdb 14 API calls __dosmaperr 146919->146954 146920 c3aa00 146920->146901 146922 c3aa34 146922->146905 146956 c42e63 146923->146956 146930 c42d78 146981 c42f61 146930->146981 146931 c42d6a 146992 c3abdb 14 API calls __dosmaperr 146931->146992 146934 c42d51 146934->146890 146936 c42db0 146993 c353de 14 API calls __dosmaperr 146936->146993 146938 c42df7 146941 c42e40 146938->146941 146996 c42987 39 API calls 2 library calls 146938->146996 146939 c42db5 146994 c3abdb 14 API calls __dosmaperr 146939->146994 146940 c42dcb 146940->146938 146995 c3abdb 14 API calls __dosmaperr 146940->146995 146997 c3abdb 14 API calls __dosmaperr 146941->146997 146946->146899 146947->146900 146948->146906 146949->146912 146950->146920 146951->146913 146952->146912 146953->146919 146954->146922 146957 c42e6f __FrameHandler3::FrameUnwindToState 146956->146957 146959 c42e89 146957->146959 146998 c349ca EnterCriticalSection 146957->146998 146961 c42d38 146959->146961 147001 c37134 39 API calls __FrameHandler3::FrameUnwindToState 146959->147001 146960 c42e99 146966 c42ec5 146960->146966 146999 c3abdb 14 API calls __dosmaperr 146960->146999 146967 c42a95 146961->146967 147000 c42ee2 LeaveCriticalSection std::_Lockit::~_Lockit 146966->147000 147002 c37178 146967->147002 146969 c42aa7 146970 c42ab6 GetOEMCP 146969->146970 146971 c42ac8 146969->146971 146972 c42adf 146970->146972 146971->146972 146973 c42acd GetACP 146971->146973 146972->146934 146974 c3ac15 146972->146974 146973->146972 146975 c3ac53 146974->146975 146979 c3ac23 __dosmaperr 146974->146979 
147013 c353de 14 API calls __dosmaperr 146975->147013 146977 c3ac3e RtlAllocateHeap 146978 c3ac51 146977->146978 146977->146979 146978->146930 146978->146931 146979->146975 146979->146977 147012 c37694 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 146979->147012 146982 c42a95 41 API calls 146981->146982 146983 c42f81 146982->146983 146984 c42fd9 __fread_nolock 146983->146984 146986 c42fbe IsValidCodePage 146983->146986 146991 c43086 146983->146991 147014 c42b69 146984->147014 146988 c42fd0 146986->146988 146986->146991 146987 c42da5 146987->146936 146987->146940 146988->146984 146989 c42ff9 GetCPInfo 146988->146989 146989->146984 146989->146991 147025 c3003d 146991->147025 146992->146934 146993->146939 146994->146934 146995->146938 146996->146941 146997->146934 146998->146960 146999->146966 147000->146959 147003 c37196 147002->147003 147009 c3a8f0 39 API calls 3 library calls 147003->147009 147005 c371b7 147010 c3ac63 39 API calls __Getctype 147005->147010 147007 c371cd 147011 c3acc1 39 API calls ctype 147007->147011 147009->147005 147010->147007 147012->146979 147013->146978 147015 c42b91 GetCPInfo 147014->147015 147024 c42c5a 147014->147024 147018 c42ba9 147015->147018 147015->147024 147017 c3003d __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 147020 c42d0c 147017->147020 147032 c3ece1 147018->147032 147020->146991 147023 c3efd1 44 API calls 147023->147024 147024->147017 147026 c30046 IsProcessorFeaturePresent 147025->147026 147027 c30045 147025->147027 147029 c3072d 147026->147029 147027->146987 147110 c306f0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 147029->147110 147031 c30810 147031->146987 147033 c37178 ctype 39 API calls 147032->147033 147034 c3ed01 147033->147034 147052 c41e03 147034->147052 147036 c3ed2e 147038 c3edb5 147036->147038 147040 c3ac15 __fread_nolock 15 API calls 147036->147040 147042 c3edbd 147036->147042 147043 c3ed53 __fread_nolock ctype 147036->147043 147037 c3003d 
__ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 147041 c3ede0 147037->147041 147055 c2faaa 14 API calls _Yarn 147038->147055 147040->147043 147047 c3efd1 147041->147047 147042->147037 147043->147038 147044 c41e03 ctype MultiByteToWideChar 147043->147044 147045 c3ed9c 147044->147045 147045->147038 147046 c3eda3 GetStringTypeW 147045->147046 147046->147038 147048 c37178 ctype 39 API calls 147047->147048 147049 c3efe4 147048->147049 147058 c3ede2 147049->147058 147056 c41d6b 147052->147056 147055->147042 147057 c41d7c MultiByteToWideChar 147056->147057 147057->147036 147059 c3edfd ctype 147058->147059 147060 c41e03 ctype MultiByteToWideChar 147059->147060 147061 c3ee41 147060->147061 147063 c3ef0f 147061->147063 147065 c3ac15 __fread_nolock 15 API calls 147061->147065 147067 c3efbc 147061->147067 147068 c3ee67 ctype 147061->147068 147062 c3003d __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 147064 c3efcf 147062->147064 147098 c2faaa 14 API calls _Yarn 147063->147098 147064->147023 147065->147068 147067->147062 147068->147063 147069 c41e03 ctype MultiByteToWideChar 147068->147069 147070 c3eeb0 147069->147070 147070->147063 147086 c3e1d3 147070->147086 147073 c3eee6 147073->147063 147077 c3e1d3 std::_Locinfo::_Locinfo_dtor 7 API calls 147073->147077 147074 c3ef1e 147075 c3efa7 147074->147075 147078 c3ac15 __fread_nolock 15 API calls 147074->147078 147079 c3ef30 ctype 147074->147079 147097 c2faaa 14 API calls _Yarn 147075->147097 147077->147063 147078->147079 147079->147075 147080 c3e1d3 std::_Locinfo::_Locinfo_dtor 7 API calls 147079->147080 147081 c3ef73 147080->147081 147081->147075 147095 c41ebd WideCharToMultiByte _Fputc 147081->147095 147083 c3ef8d 147083->147075 147084 c3ef96 147083->147084 147096 c2faaa 14 API calls _Yarn 147084->147096 147099 c3dd60 147086->147099 147089 c3e1e4 LCMapStringEx 147094 c3e22b 147089->147094 147090 c3e20b 147102 c3e230 5 API calls std::_Locinfo::_Locinfo_dtor 147090->147102 147093 c3e224 LCMapStringW 147093->147094 
147094->147063 147094->147073 147094->147074 147095->147083 147096->147063 147097->147063 147098->147067 147103 c3de5f 147099->147103 147102->147093 147104 c3de8f 147103->147104 147105 c3dd76 147103->147105 147104->147105 147106 c3dd94 std::_Locinfo::_Locinfo_dtor LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 147104->147106 147105->147089 147105->147090 147107 c3dea3 147106->147107 147107->147105 147108 c3dea9 GetProcAddress 147107->147108 147108->147105 147109 c3deb9 std::_Locinfo::_Locinfo_dtor 147108->147109 147109->147105 147110->147031 147111 be5d29 147122 be5d32 147111->147122 147112 be5f2e 147114 be5fdc 147112->147114 147115 be6006 147112->147115 147385 c34870 15 API calls 147114->147385 147386 c34870 15 API calls 147115->147386 147119 be6631 147138 be6950 147119->147138 147140 be6880 147119->147140 147395 bd1d90 15 API calls 147119->147395 147396 bd1de0 20 API calls 147119->147396 147121 be6250 147124 be62fd 147121->147124 147125 be6327 147121->147125 147122->147112 147123 be5ffe 147122->147123 147383 bd1d90 15 API calls 147122->147383 147384 bd1de0 20 API calls 147122->147384 147123->147121 147129 be631f 147123->147129 147353 bec4b7 147123->147353 147387 bd1d90 15 API calls 147123->147387 147388 bd1de0 20 API calls 147123->147388 147389 c34870 15 API calls 147124->147389 147390 c34870 15 API calls 147125->147390 147128 be6562 147132 be660f 147128->147132 147133 be6639 147128->147133 147129->147119 147129->147128 147391 bd1d90 15 API calls 147129->147391 147392 bd1de0 20 API calls 147129->147392 147393 c34870 15 API calls 147132->147393 147394 c34870 15 API calls 147133->147394 147134 be6b93 147147 be6c6b 147134->147147 147148 be6c41 147134->147148 147138->147134 147164 be6c63 147138->147164 147399 bd1d90 15 API calls 147138->147399 147400 bd1de0 20 API calls 147138->147400 147141 be692e 147140->147141 147142 be6958 147140->147142 147397 c34870 15 API calls 147141->147397 147398 c34870 15 API calls 147142->147398 147402 c34870 15 API calls 
147147->147402 147401 c34870 15 API calls 147148->147401 147153 be6f8e 147406 c34870 15 API calls 147153->147406 147154 be6f64 147405 c34870 15 API calls 147154->147405 147155 be6eb7 147155->147153 147155->147154 147156 be71c9 147161 be7276 147156->147161 147162 be72a0 147156->147162 147409 c34870 15 API calls 147161->147409 147410 c34870 15 API calls 147162->147410 147164->147155 147172 be6f86 147164->147172 147403 bd1d90 15 API calls 147164->147403 147404 bd1de0 20 API calls 147164->147404 147168 be75bf 147414 c34870 15 API calls 147168->147414 147169 be7595 147413 c34870 15 API calls 147169->147413 147170 be7298 147171 be74e7 147170->147171 147185 be75b7 147170->147185 147411 bd1d90 15 API calls 147170->147411 147412 bd1de0 20 API calls 147170->147412 147171->147168 147171->147169 147172->147156 147172->147170 147407 bd1d90 15 API calls 147172->147407 147408 bd1de0 20 API calls 147172->147408 147176 be77fa 147178 be78a8 147176->147178 147179 be78d2 147176->147179 147417 c34870 15 API calls 147178->147417 147418 c34870 15 API calls 147179->147418 147181 be7b0d 147186 be7bbb 147181->147186 147187 be7be5 147181->147187 147185->147176 147197 be78ca 147185->147197 147415 bd1d90 15 API calls 147185->147415 147416 bd1de0 20 API calls 147185->147416 147421 c34870 15 API calls 147186->147421 147422 c34870 15 API calls 147187->147422 147189 be7e20 147194 be7ece 147189->147194 147195 be7ef8 147189->147195 147193 be8b71 VirtualAlloc 147253 be8ba8 147193->147253 147425 c34870 15 API calls 147194->147425 147426 c34870 15 API calls 147195->147426 147197->147181 147204 be7bdd 147197->147204 147419 bd1d90 15 API calls 147197->147419 147420 bd1de0 20 API calls 147197->147420 147201 be8133 147202 be820b 147201->147202 147203 be81e1 147201->147203 147430 c34870 15 API calls 147202->147430 147429 c34870 15 API calls 147203->147429 147204->147189 147215 be7ef0 147204->147215 147423 bd1d90 15 API calls 147204->147423 147424 bd1de0 20 API calls 147204->147424 147208 be8446 147210 
Strings
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: e6f75112040e91dd814e6ff4b559f6c285061bc44ae0055eff3f039609f11dec
• Instruction ID: b17d100679bd5d25666bdae3e4933780e45b6c3cc36f72ef25e72e68e9c96268
• Opcode Fuzzy Hash: e6f75112040e91dd814e6ff4b559f6c285061bc44ae0055eff3f039609f11dec
• Instruction Fuzzy Hash: C4143575C04A2D8ACB66DF68CC916AEF7B5FF46344F1082DAD40A7A241EB319AD1CF41

Control-flow Graph

APIs
  • Part of subcall function 038D46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,038D4812), ref: 038D46E6
  • Part of subcall function 038D46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,038D4812), ref: 038D46F3
• KiUserCallbackDispatcher.NTDLL(0000004C), ref: 038D4C13
• GetSystemMetrics.USER32(0000004D), ref: 038D4C1A
• GetDC.USER32(00000000), ref: 038D4C55
• GetCurrentObject.GDI32(00000000,00000007), ref: 038D4C68
• GetObjectW.GDI32(00000000,00000018,?), ref: 038D4C81
• DeleteObject.GDI32(00000000), ref: 038D4CB3
• CreateCompatibleDC.GDI32(00000000), ref: 038D4D14
• CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 038D4D35
• SelectObject.GDI32(00000000,00000000), ref: 038D4D47
• BitBlt.GDI32(00000000,00000000,00000000,?,038D2468,00000000,?,?,00CC0020), ref: 038D4D6C
  • Part of subcall function 038D3508: EnterCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D3512
  • Part of subcall function 038D3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038D51B7), ref: 038D351B
  • Part of subcall function 038D3508: RtlAllocateHeap.NTDLL(00000000,?,?,038D51B7), ref: 038D3522
  • Part of subcall function 038D3508: LeaveCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D352B
  • Part of subcall function 038D3D76: EnterCriticalSection.KERNEL32(038D84D4,00000000,00000000,00000000,?,?,?,?,?,038D3EEB,00000000,00000000,00000000,00000000,00000000), ref: 038D3D88
  • Part of subcall function 038D3536: GetProcessHeap.KERNEL32(00000000,00000000,038D518A), ref: 038D353D
  • Part of subcall function 038D3536: RtlFreeHeap.NTDLL(00000000), ref: 038D3544
• DeleteObject.GDI32(00000000), ref: 038D4E0A
• DeleteDC.GDI32(00000000), ref: 038D4E11
• ReleaseDC.USER32(00000000,00000000), ref: 038D4E1A
Strings
Memory Dump Source
• Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
Yara matches
Similarity
• API ID: Object$HeapSection$CriticalDelete$CreateEnterProcess$AllocateCallbackCompatibleCurrentDispatcherFreeHandleLeaveLibraryLoadMetricsModuleReleaseSelectSystemUser
• String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$U$er32$gdi3
• API String ID: 1387450592-1028866296
• Opcode ID: c7a7eafe817275f2feedcbb22fe1632f3cf9e29f145f9c9300c16de2e9a1cf6e
• Instruction ID: aa5a5c3f36ee2dc6cfb126f1566b80fee9716aa32840130fed271f28e0fb6510
• Opcode Fuzzy Hash: c7a7eafe817275f2feedcbb22fe1632f3cf9e29f145f9c9300c16de2e9a1cf6e
• Instruction Fuzzy Hash: 52718D75D41308AADF21DBE9EC45BAEBB78AF04710F148099E605EB290DBB09A14CB56

Control-flow Graph

APIs
• FindNextFileW.KERNELBASE(?,?), ref: 038D13C7
  • Part of subcall function 038D407D: GetFileAttributesW.KERNELBASE(038D5051,038D447E,?,?,?,?,?,?,?,?,?,?,?,?,?,038D3ECC), ref: 038D407E
  • Part of subcall function 038D3508: EnterCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D3512
  • Part of subcall function 038D3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038D51B7), ref: 038D351B
  • Part of subcall function 038D3508: RtlAllocateHeap.NTDLL(00000000,?,?,038D51B7), ref: 038D3522
  • Part of subcall function 038D3508: LeaveCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D352B
• FindFirstFileW.KERNELBASE(00000000,?,0132E870,?), ref: 038D1161
  • Part of subcall function 038D3EFC: FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 038D3F5D
  • Part of subcall function 038D3EFC: FindNextFileW.KERNEL32(038D1710,?), ref: 038D3FFE
• EnterCriticalSection.KERNEL32(038D84D4), ref: 038D1668
• LeaveCriticalSection.KERNEL32(038D84D4), ref: 038D1681
Strings
Memory Dump Source
• Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: File$CriticalFindSection$EnterFirstHeapLeaveNext$AllocateAttributesProcess
                                                                                                                                                                                                                            • String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$Telegram
                                                                                                                                                                                                                            • API String ID: 1893179121-1537637304
                                                                                                                                                                                                                            • Opcode ID: a0d7284a7360ede27da6788778a80a92f4b311dcf4a6a1d1ce3b8643a01a6cd6
                                                                                                                                                                                                                            • Instruction ID: 40784563eb34ecc3d8d6d554f8fd739f7405f5b955679de0e1bad3af04bf8fc7
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a0d7284a7360ede27da6788778a80a92f4b311dcf4a6a1d1ce3b8643a01a6cd6
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6A32E765E003245BDB65EBE89858BFDF3B5AF44310F1840DAD406EB294EB748E85CB92

Control-flow Graph (rendered graph not reproduced): entry block 38d2054; the graph references calls to 38d3508, GetCurrentHwProfileA, GetSystemInfo, 38d35db, 38d3536, GlobalMemoryStatusEx, 38d354b and EnumDisplayDevicesA.
APIs
  • Part of subcall function 038D3508: EnterCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D3512
  • Part of subcall function 038D3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038D51B7), ref: 038D351B
  • Part of subcall function 038D3508: RtlAllocateHeap.NTDLL(00000000,?,?,038D51B7), ref: 038D3522
  • Part of subcall function 038D3508: LeaveCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D352B
• GetCurrentHwProfileA.ADVAPI32(?), ref: 038D210B
• GetSystemInfo.KERNELBASE(?,?,0000011C), ref: 038D2132
• GlobalMemoryStatusEx.KERNELBASE(?), ref: 038D2166
• EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 038D21E8
Strings
Memory Dump Source
• Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
Yara matches
Similarity
• API ID: CriticalHeapSection$AllocateCurrentDevicesDisplayEnterEnumGlobalInfoLeaveMemoryProcessProfileStatusSystem
• String ID: - CPU: %s (%d cores)$- HWID: %s$- RAM: %d GB$- VideoAdapter #%d: %s$@
• API String ID: 330852582-565344305
• Opcode ID: 50387b1f4e3e37e1d5b54525f6dd3bb810e54d393b61e7e8f4a400b09069151a
• Instruction ID: a3d228c8a84d79e57affc1b5be13cd7f407c66b27b4e366d3a2836967944cffa
• Opcode Fuzzy Hash: 50387b1f4e3e37e1d5b54525f6dd3bb810e54d393b61e7e8f4a400b09069151a
• Instruction Fuzzy Hash: A941AF716043059BD725DF98D881BAFB7A9EB88314F0449ADF989CB241E7B0D944CBA3

Control-flow Graph (rendered graph not reproduced): entry block 38d4e27; the graph references calls to 38d3600, 38d407d, 38d3508, FindFirstFileW, 38d3536, 38d363b, 38d372b, FindNextFileW, 38d3eb6, 38d3b60, EnterCriticalSection, LeaveCriticalSection and a recursive call to 38d4e27.
APIs
• FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000), ref: 038D4ECD
• EnterCriticalSection.KERNEL32(038D84D4), ref: 038D4F89
  • Part of subcall function 038D4E27: LeaveCriticalSection.KERNEL32(038D84D4), ref: 038D4FA6
• FindNextFileW.KERNELBASE(?,?), ref: 038D5175
  • Part of subcall function 038D407D: GetFileAttributesW.KERNELBASE(038D5051,038D447E,?,?,?,?,?,?,?,?,?,?,?,?,?,038D3ECC), ref: 038D407E
Strings
Memory Dump Source
• Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
Yara matches
Similarity
• API ID: File$CriticalFindSection$AttributesEnterFirstLeaveNext
• String ID: %s\%s$%s\*$Telegram
• API String ID: 648860119-4994844
• Opcode ID: eeab6b6db038ac7b9208867c7639469f879c5839dc2fc6b40e5f8d89d36cc336
• Instruction ID: 96a3cc875ce9da41f2b150f12e6140ef44b70f5fc95ba9101e45786430324d39
• Opcode Fuzzy Hash: eeab6b6db038ac7b9208867c7639469f879c5839dc2fc6b40e5f8d89d36cc336
• Instruction Fuzzy Hash: 3CA1B429A14748A9EF10EBE4EC45BBEB375EF44710F20509AE504EF2E0EBB14E45C75A

Control-flow Graph (rendered graph not reproduced): entry block 38d1d3c; the graph references calls to 38d3600, FindFirstFileW, 38d3508, 38d363b, FindNextFileW, 38d3536, 38d372b, 38d408d, 38d3b60, 38d3eb6 and a recursive call to 38d1d3c.
APIs
• FindFirstFileW.KERNELBASE(?), ref: 038D1D83
  • Part of subcall function 038D3508: EnterCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D3512
  • Part of subcall function 038D3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038D51B7), ref: 038D351B
  • Part of subcall function 038D3508: RtlAllocateHeap.NTDLL(00000000,?,?,038D51B7), ref: 038D3522
  • Part of subcall function 038D3508: LeaveCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D352B
• FindNextFileW.KERNELBASE(00000000,?), ref: 038D1F07
Strings
Memory Dump Source
• Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
Yara matches
Similarity
• API ID: CriticalFileFindHeapSection$AllocateEnterFirstLeaveNextProcess
• String ID: %s%s$%s\%s$%s\*
• API String ID: 3555643018-2064654797
• Opcode ID: fc950731b8a9f421c7cdfabaeee133589cf79eaf89c9e28ab7f08581f0599045
• Instruction ID: eb81c3f63b5a1e6283e336f128b20812113bde397f0d4b10a85a7ab53e1df189
• Opcode Fuzzy Hash: fc950731b8a9f421c7cdfabaeee133589cf79eaf89c9e28ab7f08581f0599045
• Instruction Fuzzy Hash: 764106792097418BCB54EFA8E844A2EB3E4AF84300F0409DDF955CB291EF70CA15C787

Control-flow Graph (rendered graph not reproduced): entry block 38d1c94; the graph references calls to 38d46d4, 38d3576, CryptUnprotectData and CryptProtectData.
APIs
  • Part of subcall function 038D46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,038D4812), ref: 038D46E6
  • Part of subcall function 038D46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,038D4812), ref: 038D46F3
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 038D1CF3
• CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 038D1D29
Strings
Memory Dump Source
• Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
Yara matches
Similarity
• API ID: CryptData$HandleLibraryLoadModuleProtectUnprotect
• String ID: CRYPT32.dll$Poverty is the parent of crime.
• API String ID: 3642467563-1885057629
                                                                                                                                                                                                                            • Opcode ID: 931e1ad516268f9afef9ffc2df6a4241e28c57040009455d55b66888ea4bb9a4
                                                                                                                                                                                                                            • Instruction ID: ae68a0faf9fb2b0794535948d7f9b9452da5ec7e464ccdcb122f51cd93e990dd
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 931e1ad516268f9afef9ffc2df6a4241e28c57040009455d55b66888ea4bb9a4
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 01113BB5D0020CABDB10CFD5C884CEEBBBDEF48210F1445AAE905E3244E770AE09CBA0

                                                                                                                                                                                                                            Control-flow Graph

control_flow_graph (one entry per basic block: id, address range, calls; successors)
• 0: 38d21f5-38d2212, InitializeCriticalSectionAndSpinCount; -> 1, 2
• 1: 38d2219-38d222f, CreateMutexA; -> 4, 5
• 2: 38d2214; -> 3
• 3: 38d2680; no successors
• 4: 38d2678-38d267a, ExitProcess; no successors
• 5: 38d2235-38d2240, GetLastError; -> 4, 6
• 6: 38d2246-38d2255, call 38d3bd2; -> 9, 10
• 9: 38d264f-38d266f, DeleteCriticalSection; -> 4
• 10: 38d225b-38d2285, call 38d3576, call 38d47e6; -> 15, 16
• 15: 38d228b-38d22d0, call 38d35db, call 38d484b; -> 16, 22
• 16: 38d2647-38d264a, call 38d3536; -> 9
• 22: 38d22d6-38d230a, call 38d3508 * 3; -> 29, 30
• 29: 38d25df-38d262e, call 38d3d76, call 38d3536 * 4, call 38d3bfb; -> 60
• 30: 38d2310-38d2317; -> 29, 32
• 32: 38d231d-38d2324; -> 29, 34
• 34: 38d232a-38d2366, call 38d46d4; -> 29, 39
• 39: 38d236c-38d2381, call 38d1f2d; -> 45, 46
• 45: 38d23c1-38d23db; -> 54, 55
• 46: 38d2383-38d23ba, call 38d46d4; -> 45, 53
• 53: 38d23bc; -> 3
• 54: 38d23dd-38d23df, ExitProcess; no successors
• 55: 38d23e5-38d2410, call 38d363b; -> 64, 65
• 60: 38d2631-38d2637, call 38d536d; -> 62
• 62: 38d263c-38d2643; -> 16, 66
• 64: 38d241a-38d2445, call 38d363b; -> 70, 71
• 65: 38d2412-38d2414, ExitProcess; no successors
• 66: 38d2645; -> 60
• 70: 38d244f-38d24bd, call 38d363b, call 38d4ba2, CreateThread * 2, WaitForMultipleObjects, call 38d19df, call 38d2054; -> 80
• 71: 38d2447-38d2449, ExitProcess; no successors
• 80: 38d24c7-38d24ce; -> 81, 82
• 81: 38d2501-38d251d, ObtainUserAgentString; -> 85, 86
• 82: 38d24d0-38d24d9; -> 83, 84
• 83: 38d24ff; -> 80
• 84: 38d24db-38d24f5; -> 83
• 85: 38d251f-38d2532, call 38d35db; -> 86
• 86: 38d2535-38d25a0, call 38d5239 * 6, call 38d3508; -> 104, 105
• 104: 38d25b2-38d25da, call 38d363b, call 38d5239 * 2, call 38d3536; -> 29
• 105: 38d25a2-38d25ac, GetModuleFileNameW; -> 104
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(038D84D4,00000DA3), ref: 038D220A
                                                                                                                                                                                                                            • CreateMutexA.KERNELBASE(00000000,00000000,1e7f31ac-1494-47cc-9633-054c20e7432e), ref: 038D2222
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 038D2235
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
                                                                                                                                                                                                                            • String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$1e7f31ac-1494-47cc-9633-054c20e7432e$@$kernel32$shell32$systemd
                                                                                                                                                                                                                            • API String ID: 2005177960-3436640841
                                                                                                                                                                                                                            • Opcode ID: eaad9215d86a1ba73c4a2403faa3b66b3f878429be20b044127d2e9c1822ba54
                                                                                                                                                                                                                            • Instruction ID: 590e6f57b1e15e47dd6c42ced293385554a3547ede00287bf783eebac9159503
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: eaad9215d86a1ba73c4a2403faa3b66b3f878429be20b044127d2e9c1822ba54
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A4C1CF34A44348AAEB11FFE8E809FEC7B76AF45300F0440D9E641EE2D5DBB54A55CB22

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 038D407D: GetFileAttributesW.KERNELBASE(038D5051,038D447E,?,?,?,?,?,?,?,?,?,?,?,?,?,038D3ECC), ref: 038D407E
                                                                                                                                                                                                                              • Part of subcall function 038D3508: EnterCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D3512
                                                                                                                                                                                                                              • Part of subcall function 038D3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038D51B7), ref: 038D351B
                                                                                                                                                                                                                              • Part of subcall function 038D3508: RtlAllocateHeap.NTDLL(00000000,?,?,038D51B7), ref: 038D3522
                                                                                                                                                                                                                              • Part of subcall function 038D3508: LeaveCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D352B
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(038D84D4), ref: 038D44F5
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(038D84D4), ref: 038D4541
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(038D84D4), ref: 038D45C4
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(038D84D4), ref: 038D45FD
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(038D84D4), ref: 038D463A
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(038D84D4), ref: 038D467D
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(038D84D4), ref: 038D4696
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(038D84D4), ref: 038D46BF
                                                                                                                                                                                                                              • Part of subcall function 038D42EC: GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,00000000,00000000,00000000,?,?,?,?,038D4574), ref: 038D4305
                                                                                                                                                                                                                              • Part of subcall function 038D42EC: GetProcAddress.KERNEL32(00000000), ref: 038D430E
                                                                                                                                                                                                                              • Part of subcall function 038D42EC: GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,038D4574), ref: 038D431F
                                                                                                                                                                                                                              • Part of subcall function 038D42EC: GetProcAddress.KERNEL32(00000000), ref: 038D4322
                                                                                                                                                                                                                              • Part of subcall function 038D42EC: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,038D4574), ref: 038D43A4
                                                                                                                                                                                                                              • Part of subcall function 038D42EC: GetCurrentProcess.KERNEL32(038D4574,00000000,00000000,00000002,?,?,?,?,038D4574), ref: 038D43C0
                                                                                                                                                                                                                              • Part of subcall function 038D42EC: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,038D4574), ref: 038D43CF
                                                                                                                                                                                                                              • Part of subcall function 038D42EC: CloseHandle.KERNEL32(038D4574,?,?,?,?,038D4574), ref: 038D43FF
                                                                                                                                                                                                                              • Part of subcall function 038D3536: GetProcessHeap.KERNEL32(00000000,00000000,038D518A), ref: 038D353D
                                                                                                                                                                                                                              • Part of subcall function 038D3536: RtlFreeHeap.NTDLL(00000000), ref: 038D3544
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$EnterLeave$HandleHeapProcess$AddressModuleProc$AllocateAttributesCloseCurrentDuplicateFileFreeOpen
                                                                                                                                                                                                                            • String ID: @$\??\%s$\Network\Cookies
                                                                                                                                                                                                                            • API String ID: 330363434-2791195959
                                                                                                                                                                                                                            • Opcode ID: b679f4d9120a25cbf6fa4fdbd2582458547de66a1fb91504e2d5134fb31e32c8
                                                                                                                                                                                                                            • Instruction ID: 4fdc2620ab748c979e9daaa03f3b750e4509e1946b9327c2c7a1172452518737
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b679f4d9120a25cbf6fa4fdbd2582458547de66a1fb91504e2d5134fb31e32c8
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E9715C79A40208AFEB44EFD4E849FADBBB6FB04704F108095F501EA2D1DBB59A45CF51
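The subcall at 038D42EC resolves NtQuerySystemInformation and NtQueryObject from ntdll, opens other processes with access mask 0x40 (PROCESS_DUP_HANDLE) and calls DuplicateHandle, next to the string \Network\Cookies: a running browser keeps its cookie database open and locked, and duplicating the browser's own file handle is the standard way a stealer reads the file regardless. The Python below is an added example reconstructing that technique (not the sample's code and not part of the report): the pure-Python part parses a SYSTEM_HANDLE_INFORMATION buffer, the Windows-only part walks the live table and reports which pid and handle point at a file whose NT object name ends with the given suffix. The test buffer is constructed; the structure layouts and information-class numbers are the well-known undocumented ones, and nothing here claims the sample's filtering logic beyond the calls listed above.

```python
"""Find the process holding Chromium's locked '\\Network\\Cookies' database by walking the
kernel handle table: NtQuerySystemInformation(SystemHandleInformation), OpenProcess(0x40),
DuplicateHandle, NtQueryObject(ObjectNameInformation), the call set in the function at
038D42EC. Added example, not the sample's code. parse_handle_table() is pure Python and is
what the test exercises; enumerate_file_handles() needs Windows."""
import struct
import sys

SystemHandleInformation = 16     # SYSTEM_INFORMATION_CLASS (undocumented, stable since NT4)
ObjectNameInformation = 1        # OBJECT_INFORMATION_CLASS
PROCESS_DUP_HANDLE = 0x0040      # exactly the access mask in the report's OpenProcess call
DUPLICATE_SAME_ACCESS = 0x0002
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
# SYSTEM_HANDLE_TABLE_ENTRY_INFO: pid, creator backtrace index, object type index, attributes,
# handle value, object pointer, granted access. 16 bytes on x86 (this sample is 32-bit), 24 on
# x64. HandleValue is a USHORT here; handles above 0xFFFF need class 64 (SystemExtendedHandleInformation).
ENTRY_FMT = {4: "<HHBBHII", 8: "<HHBBHQI4x"}


def parse_handle_table(buf, wordsize=4):
    """Parse a SYSTEM_HANDLE_INFORMATION buffer (ULONG NumberOfHandles, then the entry array,
    which starts at offset 8 on x64 because of alignment) into (pid, handle, type_index,
    granted_access) tuples."""
    fmt = ENTRY_FMT[wordsize]
    size = struct.calcsize(fmt)
    count = struct.unpack_from("<I", buf, 0)[0]
    off, out = wordsize, []
    for _ in range(count):
        pid, _bt, type_idx, _attr, handle, _obj, access = struct.unpack_from(fmt, buf, off)
        out.append((pid, handle, type_idx, access))
        off += size
    return out


def handles_of(entries, pid):
    """Handle values owned by one process (what a stealer iterates once it picked the browser pid)."""
    return [h for p, h, _t, _a in entries if p == pid]


def build_sample_table(wordsize=4):
    """Constructed test data, not a real dump: one System (pid 4) handle and two handles of pid 4242."""
    rows = [(4, 0x25, 0x0004, 0x00120089), (4242, 0x25, 0x01A8, 0x0012019F), (4242, 0x1C, 0x02BC, 0x001F0001)]
    body = b"".join(struct.pack(ENTRY_FMT[wordsize], p, 0, t, 0, h, 0xDEADBEEF, a) for p, t, h, a in rows)
    return struct.pack("<I", len(rows)) + b"\0" * (wordsize - 4) + body


def enumerate_file_handles(name_suffix="\\Network\\Cookies"):
    """Windows only. Duplicate every handle in the table into this process, read its NT object
    name with NtQueryObject and return [(pid, handle, name)] whose name ends with name_suffix.
    Caveat: NtQueryObject can block forever on some named-pipe handles; production tooling
    filters on the File type index first or queries from a worker thread with a timeout."""
    if sys.platform != "win32":
        raise OSError("needs Windows")
    import ctypes
    from ctypes import wintypes
    ntdll, k32 = ctypes.WinDLL("ntdll"), ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll.NtQuerySystemInformation.restype = ctypes.c_uint32
    ntdll.NtQueryObject.restype = ctypes.c_uint32
    ntdll.NtQueryObject.argtypes = [wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p, wintypes.ULONG, ctypes.c_void_p]
    k32.OpenProcess.restype = k32.GetCurrentProcess.restype = wintypes.HANDLE
    k32.DuplicateHandle.argtypes = [wintypes.HANDLE, wintypes.HANDLE, wintypes.HANDLE,
                                    ctypes.POINTER(wintypes.HANDLE), wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    size = 0x10000
    while True:   # grow the buffer until the kernel stops answering STATUS_INFO_LENGTH_MISMATCH
        buf, ret = ctypes.create_string_buffer(size), wintypes.ULONG()
        if ntdll.NtQuerySystemInformation(SystemHandleInformation, buf, size, ctypes.byref(ret)) != STATUS_INFO_LENGTH_MISMATCH:
            break
        size *= 2
    wordsize, me, hits = ctypes.sizeof(ctypes.c_void_p), k32.GetCurrentProcess(), []
    name = ctypes.create_string_buffer(0x1000)
    for pid, handle, _t, _a in parse_handle_table(buf.raw, wordsize):
        hproc = k32.OpenProcess(PROCESS_DUP_HANDLE, False, pid)
        if not hproc:
            continue
        dup = wintypes.HANDLE()
        ok = k32.DuplicateHandle(hproc, handle, me, ctypes.byref(dup), 0, False, DUPLICATE_SAME_ACCESS)
        k32.CloseHandle(hproc)
        if not ok:
            continue
        if ntdll.NtQueryObject(dup, ObjectNameInformation, name, 0x1000, None) == 0:
            # OBJECT_NAME_INFORMATION is a UNICODE_STRING: Length at 0, Buffer pointer at offset wordsize
            length = struct.unpack_from("<H", name.raw, 0)[0]
            ptr = struct.unpack_from("<Q" if wordsize == 8 else "<I", name.raw, wordsize)[0]
            text = ctypes.wstring_at(ptr, length // 2) if ptr else ""
            if text.endswith(name_suffix):
                hits.append((pid, handle, text))   # a stealer would keep dup open and ReadFile it
        k32.CloseHandle(dup)
    return hits
```

From the defender's side the same call set is the detection: a non-browser process opening the browser with PROCESS_DUP_HANDLE (Sysmon event 10, GrantedAccess 0x40) is the observable, since the file itself is never opened by the stealer under its own name.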

                                                                                                                                                                                                                            Control-flow Graph

control_flow_graph (one entry per basic block: id, address range, calls; successors)
• 2953: 38d536d-38d53f6, call 38d46d4; -> 2956, 2957
• 2956: 38d53ff-38d5457; -> 2960, 2961
• 2957: 38d53f8-38d53fa; -> 2958
• 2958: 38d553e-38d5541; no successors
• 2960: 38d545d-38d548b, call 38d5361, socket; -> 2964, 2965
• 2961: 38d553b; -> 2958
• 2964: 38d5531-38d5534; -> 2961
• 2965: 38d5491-38d54a8, call 38d52cf, call 38d3576; -> 2970
• 2970: 38d54a9-38d54af; -> 2971, 2972
• 2971: 38d5524-38d552a; -> 2964
• 2972: 38d54b1-38d54c6, connect; -> 2973, 2974
• 2973: 38d54c8-38d54e8, send; -> 2974, 2975
• 2974: 38d5517-38d5522, Sleep; -> 2970
• 2975: 38d54ea-38d5504, send; -> 2974, 2976
• 2976: 38d5506-38d5515, call 38d3536; -> 2971
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 038D46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,038D4812), ref: 038D46E6
                                                                                                                                                                                                                              • Part of subcall function 038D46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,038D4812), ref: 038D46F3
                                                                                                                                                                                                                            • socket.WS2_32(?,00000001,00000000), ref: 038D5480
                                                                                                                                                                                                                            • connect.WS2_32(000000FF,?,00000010), ref: 038D54BF
                                                                                                                                                                                                                            • send.WS2_32(000000FF,00000000,00000000), ref: 038D54E1
                                                                                                                                                                                                                            • send.WS2_32(000000FF,000000FF,00000037,00000000), ref: 038D54FD
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: send$HandleLibraryLoadModuleconnectsocket
                                                                                                                                                                                                                            • String ID: 146.70.169.164$ws2_32.dll
                                                                                                                                                                                                                            • API String ID: 2781119014-4085977579
                                                                                                                                                                                                                            • Opcode ID: fa5a13a91908196e0489bc461393447c3651aa8d8f7e014f8d73073404ef162d
                                                                                                                                                                                                                            • Instruction ID: d90f7f4fde7c379bdc7d1235c8aaf3dfbdfdaf2b0162dcef9434aa1ec889124a
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fa5a13a91908196e0489bc461393447c3651aa8d8f7e014f8d73073404ef162d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2551A530C44289EEEB12CBE8D809BEDBFB89F16314F144189E660EE1C1C7B54746CB62
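The control_flow_graph data in this section (the DPAPI helper at 38d1c94, the main routine at 38d21f5 and the ws2_32 beacon at 38d536d) is the token stream Joe Sandbox exports per function: block id, address range, labels (call plus a callee address, an API name, or * N for repeats), then src->dst edges. Two things worth pulling out of it are the sandbox's "evasive API chain" signature (CreateMutexA, then GetLastError, then ExitProcess on one branch of the main routine) and the Sleep-and-retry loop around connect and send in the beacon, whose Sleep block feeds back into the block before connect. The Python below is an added example, not tool code and not part of the report: a parser for that format plus helpers that answer both questions and render a graph as a readable block list. The two embedded graphs are copied from this report (the beacon in full, the first blocks of the main routine).

```python
"""Parser and analyser for the raw 'control_flow_graph' token stream Joe Sandbox exports per
function: 'ID START-END [call ADDR | ApiName | * N] ...' block records, then 'SRC->DST' edges.
Added example, not tool code; the two graphs at the bottom are copied from this report."""
import re
from collections import defaultdict

EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^[0-9a-f]{6,8}(?:-[0-9a-f]{6,8})?$")   # '38d2680' or '38d1c94-38d1ccf'


def parse_cfg(text):
    """Return (blocks, succ): blocks maps id -> {'range': str, 'labels': [tokens]};
    succ maps id -> successor ids in the order the report lists the edges."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, succ, cur, i = {}, defaultdict(list), None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            succ[int(m.group(1))].append(int(m.group(2)))
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            cur = int(tok)                      # a block id is always followed by its address range
            blocks[cur] = {"range": tokens[i + 1], "labels": []}
            i += 1
        else:
            blocks[cur]["labels"].append(tok)   # 'call', a callee address, an API name, or '* N'
        i += 1
    return blocks, succ


def apis(block):
    """Windows API names the block executes (every label that is not call/callee/repeat count)."""
    return [t for t in block["labels"] if t not in ("call", "*") and not t.isdigit() and not ADDR.match(t)]


def callees(block):
    """Addresses of internal functions the block calls (the token following each 'call')."""
    lab = block["labels"]
    return [lab[j + 1] for j in range(len(lab) - 1) if lab[j] == "call" and ADDR.match(lab[j + 1])]


def reachable(succ, start):
    """Ids reachable from start over one or more edges (contains start itself only on a cycle)."""
    seen, stack = set(), list(succ.get(start, []))
    while stack:
        b = stack.pop()
        if b not in seen:
            seen.add(b)
            stack.extend(succ.get(b, []))
    return seen


def api_chain_present(blocks, succ, chain):
    """True if some path executes chain[0], later chain[1], ... (blocks need not be adjacent)."""
    frontier = {b for b, blk in blocks.items() if chain[0] in apis(blk)}
    for api in chain[1:]:
        frontier = {r for b in frontier for r in reachable(succ, b) if api in apis(blocks[r])}
        if not frontier:
            return False
    return bool(frontier)


def loop_blocks(blocks, succ):
    """Blocks lying on a cycle, i.e. that can reach themselves: the retry/poll loop of a beacon."""
    return {b for b in blocks if b in reachable(succ, b)}


def render(blocks, succ):
    """One readable line per block, sorted by id: 'id: range, labels; -> successors'."""
    return ["%d: %s, %s; -> %s" % (b, blk["range"], " ".join(blk["labels"]) or "-",
                                   ", ".join(map(str, succ.get(b, []))) or "none")
            for b, blk in sorted(blocks.items())]


# Copied from the report: the graph of the ws2_32 beacon function at 38d536d.
BEACON_CFG = ("control_flow_graph 2953 38d536d-38d53f6 call 38d46d4 2956 38d53ff-38d5457 2953->2956 "
              "2957 38d53f8-38d53fa 2953->2957 2960 38d545d-38d548b call 38d5361 socket 2956->2960 "
              "2961 38d553b 2956->2961 2958 38d553e-38d5541 2957->2958 2964 38d5531-38d5534 2960->2964 "
              "2965 38d5491-38d54a8 call 38d52cf call 38d3576 2960->2965 2961->2958 2964->2961 "
              "2970 38d54a9-38d54af 2965->2970 2971 38d5524-38d552a 2970->2971 2972 38d54b1-38d54c6 "
              "connect 2970->2972 2971->2964 2973 38d54c8-38d54e8 send 2972->2973 2974 38d5517-38d5522 "
              "Sleep 2972->2974 2973->2974 2975 38d54ea-38d5504 send 2973->2975 2974->2970 2975->2974 "
              "2976 38d5506-38d5515 call 38d3536 2975->2976 2976->2971")
# Copied from the report: the first blocks of the main routine at 38d21f5 (the mutex check).
MAIN_CFG_HEAD = ("control_flow_graph 0 38d21f5-38d2212 InitializeCriticalSectionAndSpinCount "
                 "1 38d2219-38d222f CreateMutexA 0->1 2 38d2214 0->2 4 38d2678-38d267a ExitProcess 1->4 "
                 "5 38d2235-38d2240 GetLastError 1->5 3 38d2680 2->3 5->4 6 38d2246-38d2255 call 38d3bd2 5->6")

if __name__ == "__main__":
    blocks, succ = parse_cfg(BEACON_CFG)
    print("\n".join(render(blocks, succ)))
    print("retry loop blocks:", sorted(loop_blocks(blocks, succ)))
    mb, ms = parse_cfg(MAIN_CFG_HEAD)
    print("mutex-then-exit chain:", api_chain_present(mb, ms, ["CreateMutexA", "GetLastError", "ExitProcess"]))
```

Paste any of the report's control_flow_graph lines into parse_cfg to get the same answers for other functions; reachable() and api_chain_present() work on block ids only, so they are equally usable for the "which blocks can reach ExitProcess without ever reaching the CreateThread block" kind of question that the raw token stream makes hard to eyeball.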
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: d
                                                                                                                                                                                                                            • API String ID: 0-2564639436
                                                                                                                                                                                                                            • Opcode ID: 4c71b4f7e8c5a78942d798513b1c58849339c640b5ae347829fffcdbcf606ec1
                                                                                                                                                                                                                            • Instruction ID: 10ff529e0c6f7df93d570b448bea6f8e0405271ad615dacf86755c788ca71bb1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4c71b4f7e8c5a78942d798513b1c58849339c640b5ae347829fffcdbcf606ec1
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BE633474C04A5C8ACB26DF68C8917AEF7B6FF56344F1086D6D40A3A241EB31AAD1DF41

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: fa9ec645028c74f1171200d9dba253fb9c47d3fc299d8779487748ffa5b3c158
• Instruction ID: 509b7cf241b1a2fb5301bcb40c91911b9e9a8c013f4ba310fb0f65c542bf3282
• Opcode Fuzzy Hash: fa9ec645028c74f1171200d9dba253fb9c47d3fc299d8779487748ffa5b3c158
• Instruction Fuzzy Hash: 07724774C00A5CDBCB15DFA8D8916EEF7B5FF56344F1082DAE40A7A241EB31AA85DB40
Strings
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 17b30d56f6a6042c5cd909e0697910c2dc61792b2243948e1de12842ee6a4176
• Instruction ID: 05e6ac680760f8255fdcd6b0330d438af788f85f44cbd47bb28ad6d484c5e113
• Opcode Fuzzy Hash: 17b30d56f6a6042c5cd909e0697910c2dc61792b2243948e1de12842ee6a4176
• Instruction Fuzzy Hash: 2CD33675C04A6C8ACB26DF68C9917AEF7B5FF56344F1082C6D40A3A241EB31AAD1DF41

Control-flow Graph
APIs
• VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,0000011C,?,?,?,?,?,038D22C4), ref: 038D486C
  • Part of subcall function 038D46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,038D4812), ref: 038D46E6
  • Part of subcall function 038D46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,038D4812), ref: 038D46F3
• GetCurrentProcess.KERNEL32(038D22C4), ref: 038D48E0
• IsWow64Process.KERNEL32(00000000), ref: 038D48E7
Strings
Memory Dump Source
• Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
Yara matches
Similarity
• API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
• String ID: l$ntdl
• API String ID: 1207166019-924918826
• Opcode ID: a6f8c3714f685ec42328f74ca3cad190bcda4022991835bda4bdd4d13486b62c
• Instruction ID: 8c5d0fc373ed554568af7b08f38bfac0fda53abd2ef1ddc96d035d77cb20a9d6
• Opcode Fuzzy Hash: a6f8c3714f685ec42328f74ca3cad190bcda4022991835bda4bdd4d13486b62c
• Instruction Fuzzy Hash: F081C4316097049AEB24FED6E855B7933BDFB10714F2805DAE20ADB2D4DFB48A54C706

Control-flow Graph
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • ___scrt_release_startup_lock.LIBCMT ref: 00C2FCF5
                                                                                                                                                                                                                            • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00C2FD09
                                                                                                                                                                                                                            • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00C2FD2F
                                                                                                                                                                                                                            • ___scrt_uninitialize_crt.LIBCMT ref: 00C2FD72
                                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
• String ID: VPWh
• API String ID: 3089971210-353207083
• Opcode ID: 78a68417b8e899a4f3d2d125a72b1b12cd11421be27fe30189cfa651f4cdf83f
• Instruction ID: c6737d589332cf0677f03f60aff797215cfda877e5a9d15140987317c2308b3f
• Opcode Fuzzy Hash: 78a68417b8e899a4f3d2d125a72b1b12cd11421be27fe30189cfa651f4cdf83f
• Instruction Fuzzy Hash: DE21F6375183396ADA317FA5B807A9E67B0EF42720F20057EF89137AD2DF214D43A694

Control-flow Graph
APIs
• LoadLibraryA.KERNELBASE(?), ref: 00BE307F
• CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 00BE30A2
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BE30B7
• FreeLibrary.KERNEL32(?), ref: 00BE30C4
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: Library$CreateFreeLoadObjectSingleThreadWait
• String ID:
• API String ID: 2432312608-0
• Opcode ID: c6c74abc02965d14f84eff083424d445055ee1d96f7fb758a2ad18297891e508
• Instruction ID: c0086318eee2f82e769a3ca9244d08fa87eef9b72e2790af6d3fa7c76b752add
• Opcode Fuzzy Hash: c6c74abc02965d14f84eff083424d445055ee1d96f7fb758a2ad18297891e508
• Instruction Fuzzy Hash: C4016974A403289BDB348F50DC8CBAA7774FB48715F1006C8EA2A672A1CBB16EC0CF50

Control-flow Graph

APIs
• EnterCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D3512
• GetProcessHeap.KERNEL32(00000008,00000208,?,?,038D51B7), ref: 038D351B
• RtlAllocateHeap.NTDLL(00000000,?,?,038D51B7), ref: 038D3522
• LeaveCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D352B
Memory Dump Source
• Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
Similarity
• API ID: CriticalHeapSection$AllocateEnterLeaveProcess
• String ID:
• API String ID: 1367039788-0
• Opcode ID: 60961359c9e389802a3009d817c8847666d852d0d02baf593bd92bd427d11883
• Instruction ID: 11952e20170e061b35a378f9944226a1d313fe53e17266ed0001958962f8d9b5
• Opcode Fuzzy Hash: 60961359c9e389802a3009d817c8847666d852d0d02baf593bd92bd427d11883
• Instruction Fuzzy Hash: 06D09E3260256067DA503AE9B80C99BABACEF9577170540DAF205C3198CAA48C1587A0

Control-flow Graph
APIs
• GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,038D4812), ref: 038D46E6
• LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,038D4812), ref: 038D46F3
Memory Dump Source
• Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
Similarity
• API ID: HandleLibraryLoadModule
• String ID: ntdl
• API String ID: 4133054770-3973061744
• Opcode ID: 3c3ceed9b72ce6e8a8a8daa4fb77b2b40dc725800806252ad6d9e023258f90d2
• Instruction ID: c4a6a0c13cd67529821c6637e3054774a4125b3811f6dc267220395f45cf192e
• Opcode Fuzzy Hash: 3c3ceed9b72ce6e8a8a8daa4fb77b2b40dc725800806252ad6d9e023258f90d2
• Instruction Fuzzy Hash: 3E318B39E00619DBCB24DFAAC490ABDF7B5BF4A714F18029AD411E7741CB35A951CBA0
APIs
• __freea.LIBCMT ref: 00C3EF97
  • Part of subcall function 00C3AC15: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,00C2FB1F,00000000,?,00BE322C,00000000,?,00BD13A5,00000000), ref: 00C3AC47
• __freea.LIBCMT ref: 00C3EFAA
• __freea.LIBCMT ref: 00C3EFB7
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: __freea$AllocateHeap
• String ID:
• API String ID: 2243444508-0
• Opcode ID: def4646beb06879110160ba585172038fdc0fad1215fd7d470571fb021f46a8b
• Instruction ID: 740a33b0376b77ef321ce7ecc1ed929e2af0b833ef0581b040201486b4a9eeca
• Opcode Fuzzy Hash: def4646beb06879110160ba585172038fdc0fad1215fd7d470571fb021f46a8b
• Instruction Fuzzy Hash: 0651B47262020AAFEF259FA5DC45EBB76A9EF48710F150129FC14D62C1E7B0DD50D7A0
APIs
  • Part of subcall function 00C42A95: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00C42AC0
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00C42DA5,?,00000000,?,00000000,?), ref: 00C42FC2
• GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C42DA5,?,00000000,?,00000000,?), ref: 00C42FFE
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
• Opcode ID: 2b8698e9fe920ec3b2ce87b1487b3bc88999c7e60e1700ccbec7b699e8d5bfae
• Instruction ID: 754f204d6186198671222cfbf9b5bf8839644b602cb3eeba236e58731b5c414e
• Opcode Fuzzy Hash: 2b8698e9fe920ec3b2ce87b1487b3bc88999c7e60e1700ccbec7b699e8d5bfae
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CB512370A003959EDB21CF76C8826AFBBF4FF81310F14466ED1A68B251E7759B46CB50
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • LCMapStringEx.KERNELBASE(?,00C3EED2,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 00C3E207
                                                                                                                                                                                                                            • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,00C3EED2,?,?,-00000008,?,00000000), ref: 00C3E225
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: String
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2568140703-0
                                                                                                                                                                                                                            • Opcode ID: f4fb0f4a19f4c964aaebdc851d315a0b6994a1110b7bc81e09b083a4a28be125
                                                                                                                                                                                                                            • Instruction ID: 63cf83b91a83b1d6a13e62f72fe778fff9dfe773b45af95a9e6c67327c45b21c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f4fb0f4a19f4c964aaebdc851d315a0b6994a1110b7bc81e09b083a4a28be125
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 78F07A3601012AFBCF126F91EC05EDE3F2AFF48760F058410FA1926060C732D931AB90
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,038D518A), ref: 038D353D
                                                                                                                                                                                                                            • RtlFreeHeap.NTDLL(00000000), ref: 038D3544
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Heap$FreeProcess
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3859560861-0
                                                                                                                                                                                                                            • Opcode ID: 32b5b43fe05da39f0582fcb5144be68787c1bf292f95b5649c5cfffa22793563
                                                                                                                                                                                                                            • Instruction ID: cb830629c0589f55241947f0609f4265aafd0c243396b896f828e326a9a8bda4
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 32b5b43fe05da39f0582fcb5144be68787c1bf292f95b5649c5cfffa22793563
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E4B012745035006BEE8C7FE0F90DB3A3728BB00703F0400C8F203D10C4C6A8C8108621
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetCPInfo.KERNEL32(FFFFF9B2,?,00000005,00C42DA5,?), ref: 00C42B9B
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Info
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1807457897-0
                                                                                                                                                                                                                            • Opcode ID: a96a46a913b63da0fad036557026178133c01ad3463fcc3d71d01b5691387830
                                                                                                                                                                                                                            • Instruction ID: 3485bcb7590f6a9fae1268402346e4f50ca63f7b1e264bdfd1c23e505e4f8a85
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a96a46a913b63da0fad036557026178133c01ad3463fcc3d71d01b5691387830
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 005169B19041589BEB118F29CCC5BEABB6CFF15300F6401E9F099D7182C3359E85DB60
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00C3037B
                                                                                                                                                                                                                              • Part of subcall function 00C3106C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00C3038E,?,?,?,?,00C3038E,?,00C58484), ref: 00C310CC
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ExceptionRaisestdext::threads::lock_error::lock_error
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3447279179-0
                                                                                                                                                                                                                            • Opcode ID: 877fb27ea01724859191a794acfa2a7caa6bc86d26c73459deb44f6f99f26e22
                                                                                                                                                                                                                            • Instruction ID: f2ddb11220b6279f8a0261cef65c86fb9fbd7d88025107a21d41c81abbbf4a12
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 877fb27ea01724859191a794acfa2a7caa6bc86d26c73459deb44f6f99f26e22
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9EF0B43580420DB7CB04BAB5F82AC9D777C9900710F644135BD64A64E2EF30EA89E595
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Concurrency::cancel_current_task.LIBCPMTD ref: 00BD1477
                                                                                                                                                                                                                              • Part of subcall function 00BE3D80: stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00BE3D89
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Concurrency::cancel_current_taskstdext::threads::lock_error::lock_error
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2103942186-0
                                                                                                                                                                                                                            • Opcode ID: 7e938961fb2e67025cdff9c0a0f1d748bbed45857ce640becdc6d9bdc5e37106
                                                                                                                                                                                                                            • Instruction ID: 598a7f1c6b7dd99fc4a0053c1c931a4bab361a7b2948846b3b98eaaee4915f6c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7e938961fb2e67025cdff9c0a0f1d748bbed45857ce640becdc6d9bdc5e37106
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5EF0B275E01108ABCB14EFA8D595AADF7F5EB48304F1085EAE8059B345E630AA509F85
                                                                                                                                                                                                                            APIs
• RtlAllocateHeap.NTDLL(00000000,00000000,?,?,00C2FB1F,00000000,?,00BE322C,00000000,?,00BD13A5,00000000), ref: 00C3AC47
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• VirtualProtect.KERNELBASE(?,00000007,?,?), ref: 00BE4B9E
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: allocator
• String ID:
• API String ID: 3447690668-0
APIs
• GetFileAttributesW.KERNELBASE(038D5051,038D447E,?,?,?,?,?,?,?,?,?,?,?,?,?,038D3ECC), ref: 038D407E
Memory Dump Source
• Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 00BE8B81
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
  • Part of subcall function 038D407D: GetFileAttributesW.KERNELBASE(038D5051,038D447E,?,?,?,?,?,?,?,?,?,?,?,?,?,038D3ECC), ref: 038D407E
  • Part of subcall function 038D3508: EnterCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D3512
  • Part of subcall function 038D3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038D51B7), ref: 038D351B
  • Part of subcall function 038D3508: RtlAllocateHeap.NTDLL(00000000,?,?,038D51B7), ref: 038D3522
  • Part of subcall function 038D3508: LeaveCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D352B
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 038D3F5D
• FindNextFileW.KERNEL32(038D1710,?), ref: 038D3FFE
Strings
Memory Dump Source
• Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
Yara matches
Similarity
• API ID: File$CriticalFindHeapSection$AllocateAttributesEnterFirstLeaveNextProcess
• String ID: %s%s$%s\%s$%s\*
• API String ID: 674214967-2064654797
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,00C4576A,00000002,00000000,?,?,?,00C4576A,?,00000000), ref: 00C454F1
• GetLocaleInfoW.KERNEL32(?,20001004,00C4576A,00000002,00000000,?,?,?,00C4576A,?,00000000), ref: 00C4551A
• GetACP.KERNEL32(?,?,00C4576A,?,00000000), ref: 00C4552F
Strings
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
                                                                                                                                                                                                                            • API String ID: 2299586839-711371036
                                                                                                                                                                                                                            • Opcode ID: 7d5edabec91ddc62402280e99383f60ebbabe3b70169681a31664db26d581195
                                                                                                                                                                                                                            • Instruction ID: 7d49907e9d3a9f2ec5208ad947d97200cbce732e2dc1d7a68a67c434105e90a6
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7d5edabec91ddc62402280e99383f60ebbabe3b70169681a31664db26d581195
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3121DE32A00904ABDB308F55D905BAB73B7FB54F61B668424E91ADB112F732DF80C750
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00C3A8F0: GetLastError.KERNEL32(?,?,00C371B7,?,?,?,?,00000003,00C34382,?,00C342F1,?,00000000,00C34500), ref: 00C3A8F4
                                                                                                                                                                                                                              • Part of subcall function 00C3A8F0: SetLastError.KERNEL32(00000000,00000000,00C34500,?,?,?,?,?,00000000,?,?,00C3459E,00000000,00000000,00000000,00000000), ref: 00C3A996
                                                                                                                                                                                                                            • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00C4573C
                                                                                                                                                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 00C4577A
                                                                                                                                                                                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 00C4578D
                                                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00C457D5
                                                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00C457F0
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 415426439-0
                                                                                                                                                                                                                            • Opcode ID: fbc2da0925b95b468b4ebb76d73c1570e436628f687d7786bae44c9331154225
                                                                                                                                                                                                                            • Instruction ID: 160f485c83840bdcdbb2d563c0ea9874fabfaca752ff91f98acde99c75956161
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fbc2da0925b95b468b4ebb76d73c1570e436628f687d7786bae44c9331154225
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3D517E75A10A19AFEB20DFA5DC41BBE77B8BF09700F144429F911E7192EB709A44CB61
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00C3A8F0: GetLastError.KERNEL32(?,?,00C371B7,?,?,?,?,00000003,00C34382,?,00C342F1,?,00000000,00C34500), ref: 00C3A8F4
                                                                                                                                                                                                                              • Part of subcall function 00C3A8F0: SetLastError.KERNEL32(00000000,00000000,00C34500,?,?,?,?,?,00000000,?,?,00C3459E,00000000,00000000,00000000,00000000), ref: 00C3A996
                                                                                                                                                                                                                            • GetACP.KERNEL32(?,?,?,?,?,?,00C389B1,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00C44D7E
                                                                                                                                                                                                                            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00C389B1,?,?,?,00000055,?,-00000050,?,?), ref: 00C44DB5
                                                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00C44F18
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$CodeInfoLocalePageValid
                                                                                                                                                                                                                            • String ID: utf8
                                                                                                                                                                                                                            • API String ID: 607553120-905460609
                                                                                                                                                                                                                            • Opcode ID: a80158a66bb2529d4a1e2e059713d833e9721a14602a2a157e68dd381a1b7cce
                                                                                                                                                                                                                            • Instruction ID: 52e1379b26d9a99d12f3475c20c33291e74ad067729dee273c986de7b1e61767
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a80158a66bb2529d4a1e2e059713d833e9721a14602a2a157e68dd381a1b7cce
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9D71F531A00606AAEB2DEB74DC42BABB7E8FF45710F254429F925D71C1EB70EA409761
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 038D410D
                                                                                                                                                                                                                            • FindNextFileW.KERNEL32(000000FF,?), ref: 038D4159
                                                                                                                                                                                                                              • Part of subcall function 038D3536: GetProcessHeap.KERNEL32(00000000,00000000,038D518A), ref: 038D353D
                                                                                                                                                                                                                              • Part of subcall function 038D3536: RtlFreeHeap.NTDLL(00000000), ref: 038D3544
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FileFindHeap$FirstFreeNextProcess
                                                                                                                                                                                                                            • String ID: %s\%s$%s\*
                                                                                                                                                                                                                            • API String ID: 1689202581-2848263008
                                                                                                                                                                                                                            • Opcode ID: e70e2476188887d25fc015e13056c9fd0c4bd7fbc8d43baadc6a6bd635aead5b
                                                                                                                                                                                                                            • Instruction ID: 1a5e40a5f9b736ab593b03591933bb4f22804a8093bf93c499868055043c6c00
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e70e2476188887d25fc015e13056c9fd0c4bd7fbc8d43baadc6a6bd635aead5b
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0531A6387003189BCB20EFEADC84A6EBBA9AF55340F1440E9D905CB241EF748E55CB92
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00C304A1
                                                                                                                                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 00C3056D
                                                                                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C30586
                                                                                                                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 00C30590
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 254469556-0
                                                                                                                                                                                                                            • Opcode ID: e26e9059592f522b6b03ebcb51a299c4f42e58da32e5864721c1ec34e99636ff
                                                                                                                                                                                                                            • Instruction ID: 18d19cda45e90b63cd0dc45d993c8588738d5fb13f048a94813a7254e1fc3704
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e26e9059592f522b6b03ebcb51a299c4f42e58da32e5864721c1ec34e99636ff
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8931E5B5D112289BDB21DFA4D9497CEBBB8BF08300F1041AAE50DAB250EB749B849F45
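A triage caveat on the entries above before reading too much into them. The IsProcessorFeaturePresent(0x17) / IsDebuggerPresent / SetUnhandledExceptionFilter(NULL) / UnhandledExceptionFilter sequence at 00C304A1 to 00C30590 has the shape of the MSVC CRT's /GS stack-cookie failure handler (__report_gsfailure), so the IsDebuggerPresent call there is runtime boilerplate, not an anti-debugging check; likewise the GetLocaleInfoW / GetACP / IsValidCodePage / IsValidLocale / GetUserDefaultLCID functions with the ACP, OCP and utf8 strings are the CRT's setlocale helpers inside the 00BD0000 image. The FindFirstFileW / FindNextFileW loop at 038D410D to 038D4159 is the one that matters: it carries the "%s\*" and "%s\%s" format strings of a recursive directory walk, and it lives in the separate 038D0000 region that this report marks with Yara matches. The Python below is an added example written for this page, not code from the Joe Sandbox report or its IDA plugin. It parses the listing format shown here (API lines, "Part of subcall function" lines, Source File offsets and String IDs) from a constructed excerpt copied from the entries above, separates direct calls from subcall noise, and labels each function as CRT boilerplate or as behaviour worth a closer look. The pattern table and its labels are the editor's own heuristics, not Joe Sandbox signature names.

```python
# Added example for this page; not part of Joe Sandbox or its IDA plugin.
# Pattern labels below are the editor's heuristics, not sandbox signature names.
import re

# Constructed excerpt: three entries copied from the listing above (leading
# whitespace trimmed, dump-source bullets dropped). A real report has hundreds.
REPORT_EXCERPT = """\
APIs
• GetLocaleInfoW.KERNEL32(?,20001004,00C4576A,00000002,00000000,?,?,?,00C4576A,?,00000000), ref: 00C4551A
• GetACP.KERNEL32(?,?,00C4576A,?,00000000), ref: 00C4552F
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 038D410D
• FindNextFileW.KERNEL32(000000FF,?), ref: 038D4159
  • Part of subcall function 038D3536: GetProcessHeap.KERNEL32(00000000,00000000,038D518A), ref: 038D353D
  • Part of subcall function 038D3536: RtlFreeHeap.NTDLL(00000000), ref: 038D3544
• Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
• String ID: %s\\%s$%s\\*
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00C304A1
• IsDebuggerPresent.KERNEL32 ref: 00C3056D
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C30586
• UnhandledExceptionFilter.KERNEL32(?), ref: 00C30590
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• String ID:
"""

# One call line: optional "Part of subcall function X:" prefix, Name.MODULE, an
# optional "(args)" list (IsDebuggerPresent has none), then "ref: ADDR".
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
SOURCE_RE = re.compile(r"Source File: (?P<dump>\S+\.sdmp), Offset: (?P<base>[0-9A-F]{8})")
# Anchored on the bullet so the "API String ID:" hash pair is not mistaken for it.
STRING_RE = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")


def parse_functions(text):
    """Return one record per function; each record starts at an 'APIs' header."""
    functions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "strings": [], "base": None, "dump": None}
            functions.append(current)
        elif current is None:
            continue
        elif (m := API_RE.search(line)):
            args, sub = m.group("args"), m.group("sub")
            current["apis"].append({
                "api": m.group("api"), "module": m.group("mod"),
                "args": [] if args is None else args.split(","),
                "ref": int(m.group("ref"), 16),
                "subcall": None if sub is None else int(sub, 16),  # None = direct call
            })
        elif (m := SOURCE_RE.search(line)):
            current["base"], current["dump"] = int(m.group("base"), 16), m.group("dump")
        elif (m := STRING_RE.search(line)):
            current["strings"] = [s for s in m.group("ids").split("$") if s]  # '$'-joined
    return functions


# Statically linked MSVC CRT code present in almost every /GS, locale-aware binary;
# a function that calls only these is runtime boilerplate, not malware logic.
CRT_PATTERNS = {
    "CRT /GS cookie failure handler (__report_gsfailure)": {
        "IsProcessorFeaturePresent", "IsDebuggerPresent",
        "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"},
    "CRT setlocale helpers": {
        "GetLocaleInfoW", "GetACP", "IsValidCodePage", "IsValidLocale", "GetUserDefaultLCID"},
}
# Direct-call combinations worth a closer look, especially outside the main image.
BEHAVIOUR_PATTERNS = {"directory enumeration loop": {"FindFirstFileW", "FindNextFileW"}}


def triage(fn):
    """Label a function by the APIs it calls directly; subcall APIs are ignored."""
    direct = {a["api"] for a in fn["apis"] if a["subcall"] is None}
    for label, apis in CRT_PATTERNS.items():
        if direct and direct <= apis:
            return label
    for label, apis in BEHAVIOUR_PATTERNS.items():
        if apis <= direct:
            # "%s\*" next to the Find* pair is the usual recursive-walk wildcard
            wildcard = any("\\*" in s for s in fn["strings"])
            return label + (" (wildcard search pattern present)" if wildcard else "")
    return "unclassified"


def summarize(text):
    """(dump base, RVA of first direct call, direct APIs, label) per function."""
    rows = []
    for fn in parse_functions(text):
        direct = [a for a in fn["apis"] if a["subcall"] is None]
        rva = direct[0]["ref"] - fn["base"] if direct and fn["base"] is not None else None
        rows.append((fn["base"], rva, sorted(a["api"] for a in direct), triage(fn)))
    return rows


if __name__ == "__main__":
    for base, rva, apis, label in summarize(REPORT_EXCERPT):
        print(f"{base:08X}+{rva:05X}  {label:52s} {', '.join(apis)}")
```

Run against the full listing, the useful output is the short tail of "unclassified" and behaviour-labelled functions, with the CRT rows filtered away; the RVA column lets you jump straight to the function in the dumped region rather than hunting by fuzzy hash.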
APIs
  • Part of subcall function 00C3A8F0: GetLastError.KERNEL32(?,?,00C371B7,?,?,?,?,00000003,00C34382,?,00C342F1,?,00000000,00C34500), ref: 00C3A8F4
  • Part of subcall function 00C3A8F0: SetLastError.KERNEL32(00000000,00000000,00C34500,?,?,?,?,?,00000000,?,?,00C3459E,00000000,00000000,00000000,00000000), ref: 00C3A996
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C45130
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C4517A
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C45240
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: InfoLocale$ErrorLast
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 661929714-0
                                                                                                                                                                                                                            • Opcode ID: 1c8929529a35232956e474a2c3a6300c60cf6feceaac823b8fa21977df142088
                                                                                                                                                                                                                            • Instruction ID: f7a7c1add84fd501e974865d09f6b285f259ec8e09f0c6eb6c587d45bd3f4260
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1c8929529a35232956e474a2c3a6300c60cf6feceaac823b8fa21977df142088
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5C61AD71910A179FEB289F28CC82BAA77B8FF04340F10416AE915C6196E7B4EA81DB50
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00C3447B
                                                                                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00C34485
                                                                                                                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00C34492
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3906539128-0
                                                                                                                                                                                                                            • Opcode ID: 4201f53c130a5649a4016311a42eca2fc6eef8a0e58784ca9baae2527b07f445
                                                                                                                                                                                                                            • Instruction ID: f70ac7ea8f4d548cd96f0d7c0d0d7c43247f49bb031ef9a7cf82fdebb39aff0c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4201f53c130a5649a4016311a42eca2fc6eef8a0e58784ca9baae2527b07f445
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A231C3759113289BCB21DF64D88978DBBB8BF08311F6042EAE41CA7250E7749F858F44
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00C30152
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2325560087-0
                                                                                                                                                                                                                            • Opcode ID: 84fd3c0117a415ebf1e6bdd40e175c0b37585865a1d15a4dd05ef86b1ec6c40a
                                                                                                                                                                                                                            • Instruction ID: 38dbb124e676ce6ff8dac5f3199135be09a979f878189b4fc90321cd8a362545
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 84fd3c0117a415ebf1e6bdd40e175c0b37585865a1d15a4dd05ef86b1ec6c40a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1651C0B29217058FDB25CF65D8957AEBBF0FB48311F24812AE416EB2A1D3749E80CB50
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00C3A8F0: GetLastError.KERNEL32(?,?,00C371B7,?,?,?,?,00000003,00C34382,?,00C342F1,?,00000000,00C34500), ref: 00C3A8F4
                                                                                                                                                                                                                              • Part of subcall function 00C3A8F0: SetLastError.KERNEL32(00000000,00000000,00C34500,?,?,?,?,?,00000000,?,?,00C3459E,00000000,00000000,00000000,00000000), ref: 00C3A996
                                                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C45383
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3736152602-0
                                                                                                                                                                                                                            • Opcode ID: c4e8d8a10c03b8478be31bd7755902794b0c6972f9d3a2fe9093a1a64d731f78
                                                                                                                                                                                                                            • Instruction ID: 1c49b212dc1a9f607e4e9e226825be3b4a0f554cb19e6d39ef3893e7d2477bdd
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c4e8d8a10c03b8478be31bd7755902794b0c6972f9d3a2fe9093a1a64d731f78
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6621C272A10606ABEB289F29DC82BBA37E8FF44355F10407AFD01D6152EBB4ED45D750
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00C3A8F0: GetLastError.KERNEL32(?,?,00C371B7,?,?,?,?,00000003,00C34382,?,00C342F1,?,00000000,00C34500), ref: 00C3A8F4
                                                                                                                                                                                                                              • Part of subcall function 00C3A8F0: SetLastError.KERNEL32(00000000,00000000,00C34500,?,?,?,?,?,00000000,?,?,00C3459E,00000000,00000000,00000000,00000000), ref: 00C3A996
                                                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(00C450DC,00000001,00000000,?,-00000050,?,00C45710,00000000,?,?,?,00000055,?), ref: 00C45028
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2417226690-0
                                                                                                                                                                                                                            • Opcode ID: 98bae0a454fa5b9e0cf0a13ae9dafdf7a932e642eac6122b0ce49d0dc9bbdba9
                                                                                                                                                                                                                            • Instruction ID: 18a79f26037f8fbeebe7674e2ea3a95acb60ab0ed4827fa4167138db66543829
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 98bae0a454fa5b9e0cf0a13ae9dafdf7a932e642eac6122b0ce49d0dc9bbdba9
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6511483B2007059FDB289F38D8916BABB92FF84358B14442CEA8787B41D771B943C780
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00C3A8F0: GetLastError.KERNEL32(?,?,00C371B7,?,?,?,?,00000003,00C34382,?,00C342F1,?,00000000,00C34500), ref: 00C3A8F4
                                                                                                                                                                                                                              • Part of subcall function 00C3A8F0: SetLastError.KERNEL32(00000000,00000000,00C34500,?,?,?,?,?,00000000,?,?,00C3459E,00000000,00000000,00000000,00000000), ref: 00C3A996
                                                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00C452F8,00000000,00000000,?), ref: 00C4558A
                                                                                                                                                                                                                            Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: f7290cb2d02c67e68e46cddf249bb9b044238e6fcbfdb06ff4535d8835ae7b93
• Instruction ID: c97acf3e575d1455f2b2c2bdc7c241a27d6b1466c00cdf9f49d03ded453e973f
• Opcode Fuzzy Hash: f7290cb2d02c67e68e46cddf249bb9b044238e6fcbfdb06ff4535d8835ae7b93
• Instruction Fuzzy Hash: C501F936A00612BFDB289A25CC05BBB3765FF40754F154429EC17E3181EA30FF41D690
APIs
  • Part of subcall function 00C3A8F0: GetLastError.KERNEL32(?,?,00C371B7,?,?,?,?,00000003,00C34382,?,00C342F1,?,00000000,00C34500), ref: 00C3A8F4
  • Part of subcall function 00C3A8F0: SetLastError.KERNEL32(00000000,00000000,00C34500,?,?,?,?,?,00000000,?,?,00C3459E,00000000,00000000,00000000,00000000), ref: 00C3A996
• EnumSystemLocalesW.KERNEL32(00C4532F,00000001,00000000,?,-00000050,?,00C456D8,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00C4509B
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 0ba870ae43c5eb5c0db196f378aff5f69bebba3d6f91a72d8ef8fcb364ba5070
• Instruction ID: 04e057570b6c6897e0ff0359c56a93d793036cf04ac50e00ccecce12ee8f026e
• Opcode Fuzzy Hash: 0ba870ae43c5eb5c0db196f378aff5f69bebba3d6f91a72d8ef8fcb364ba5070
• Instruction Fuzzy Hash: B0F0F63A300B045FDB246F399881A7B7BA1FF84368F05442DF9464B691D6B19D42D790
APIs
  • Part of subcall function 00C349CA: EnterCriticalSection.KERNEL32(-00C5B8A8,?,00C376D7,00000000,00C58C40,0000000C,00C3769F,?,?,00C3DB90,?,?,00C3AA8E,00000001,00000364,00000000), ref: 00C349D9
• EnumSystemLocalesW.KERNEL32(00C3DBBA,00000001,00C58E30,0000000C,00C3DF92,00000000), ref: 00C3DBFF
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 20363fe89151c5ce7dab9382626038d1c23fe3b1fba66c55db5e88a61cb5ca1d
• Instruction ID: 9944d9b39b874aac9400ba775a78f9a25e713d015768ab1727a5592f95412392
• Opcode Fuzzy Hash: 20363fe89151c5ce7dab9382626038d1c23fe3b1fba66c55db5e88a61cb5ca1d
• Instruction Fuzzy Hash: DFF03C76A20314DFD700EF58E802B9D7BB0FB08721F10412AE501A72A1CBB95D40DB40
APIs
  • Part of subcall function 00C3A8F0: GetLastError.KERNEL32(?,?,00C371B7,?,?,?,?,00000003,00C34382,?,00C342F1,?,00000000,00C34500), ref: 00C3A8F4
  • Part of subcall function 00C3A8F0: SetLastError.KERNEL32(00000000,00000000,00C34500,?,?,?,?,?,00000000,?,?,00C3459E,00000000,00000000,00000000,00000000), ref: 00C3A996
• EnumSystemLocalesW.KERNEL32(00C44EC4,00000001,00000000,?,?,00C45732,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00C44FA2
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: aa04ba75164a09acca980381f2cf8880c2b259ce9a3e9a21d75eed3bee6edd00
• Instruction ID: 1b6f71dff1183f80c8d73ea406914346ef677b37b104d39edffb34797fdeda70
• Opcode Fuzzy Hash: aa04ba75164a09acca980381f2cf8880c2b259ce9a3e9a21d75eed3bee6edd00
• Instruction Fuzzy Hash: A2F0E53A7002455BDF089F79D84576ABFA4FFC2710F164059EE058B691C6719982C790
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00C39527,?,20001004,00000000,00000002,?,?,00C38B19), ref: 00C3E0CA
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: aae4cb6ec4a486a157f192775db34f070e6831f73bf8d948d89fb3c6d753dfdc
• Instruction ID: f9cd2e0af827a8a9b4ce3f1feab71a9d17a4bcdf0963edf4e976ace2b78c1f9e
• Opcode Fuzzy Hash: aae4cb6ec4a486a157f192775db34f070e6831f73bf8d948d89fb3c6d753dfdc
• Instruction Fuzzy Hash: EBE01A35510128BBCB162F61EC04B9E3A2AFB44750F044410FC05661A18B729920BB95
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0006062E,00C2FC56), ref: 00C30627
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 9dd7193736239cbe7e4b5f105df5fdbae86581c9087511d288db7b3b70f21301
• Instruction ID: 13ad7e534e2515c1113bc89c61001eb85c241244346dd7900103d9e59cc783a5
• Opcode Fuzzy Hash: 9dd7193736239cbe7e4b5f105df5fdbae86581c9087511d288db7b3b70f21301
• Instruction Fuzzy Hash:
APIs
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: HeapProcess
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 54951025-0
                                                                                                                                                                                                                            • Opcode ID: 1dacd9dcbd36a37896cc7af79315a71676f3349245c6193be88698357415e1ed
                                                                                                                                                                                                                            • Instruction ID: 8bffe76f654a6289477a691cbea95e3941b2875bafa624a8e02bc6bd95ed191b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1dacd9dcbd36a37896cc7af79315a71676f3349245c6193be88698357415e1ed
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 28A00278511215CB57504F755F0930D3AE5B545591B0541555405D5160D73444509A01
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,00000000,00000000,00000000,?,?,?,?,038D4574), ref: 038D4305
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 038D430E
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,038D4574), ref: 038D431F
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 038D4322
                                                                                                                                                                                                                              • Part of subcall function 038D3508: EnterCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D3512
                                                                                                                                                                                                                              • Part of subcall function 038D3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038D51B7), ref: 038D351B
                                                                                                                                                                                                                              • Part of subcall function 038D3508: RtlAllocateHeap.NTDLL(00000000,?,?,038D51B7), ref: 038D3522
                                                                                                                                                                                                                              • Part of subcall function 038D3508: LeaveCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D352B
                                                                                                                                                                                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,038D4574), ref: 038D43A4
                                                                                                                                                                                                                            • GetCurrentProcess.KERNEL32(038D4574,00000000,00000000,00000002,?,?,?,?,038D4574), ref: 038D43C0
                                                                                                                                                                                                                            • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,038D4574), ref: 038D43CF
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(038D4574,?,?,?,?,038D4574), ref: 038D43FF
                                                                                                                                                                                                                            • GetCurrentProcess.KERNEL32(038D4574,00000000,00000000,00000001,?,?,?,?,038D4574), ref: 038D440D
                                                                                                                                                                                                                            • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,038D4574), ref: 038D441C
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,038D4574), ref: 038D442F
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 038D4452
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 038D445A
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Handle$CloseProcess$AddressCriticalCurrentDuplicateHeapModuleProcSection$AllocateEnterLeaveOpen
                                                                                                                                                                                                                            • String ID: NtQueryObject$NtQuerySystemInformation$ntdll
                                                                                                                                                                                                                            • API String ID: 3110323036-2044536123
                                                                                                                                                                                                                            • Opcode ID: 22c6886801057d1d9533cb11728ae25936ae84c2f0d9bdb317e998b63080b423
                                                                                                                                                                                                                            • Instruction ID: 35fe7fbbfe42179b061d32a594a08174c72a6129b1cd11d6f7427faed562e65b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 22c6886801057d1d9533cb11728ae25936ae84c2f0d9bdb317e998b63080b423
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 55418371A01219ABDB10EFE69C44AAEBBB9EF44710F1841E5F914E3290DB70DE50CBA1
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Yarn$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                                                                                                                                                            • String ID: bad locale name
                                                                                                                                                                                                                            • API String ID: 3904239083-1405518554
                                                                                                                                                                                                                            • Opcode ID: 9e1953c1a94ee05f438f399ec4be0c80cf1fd56f15849cc696bcf3ca0b674bba
                                                                                                                                                                                                                            • Instruction ID: 060c2c160df6091e60363ea9d017b53de75b3ed7a3348e869c75a2d48e685b36
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9e1953c1a94ee05f438f399ec4be0c80cf1fd56f15849cc696bcf3ca0b674bba
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 03218EB0904299DBDF04EBA8D991BBEFBB0FF54308F14499DE4122B782CB741A00D766
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: __aulldvrm
                                                                                                                                                                                                                            • String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef
                                                                                                                                                                                                                            • API String ID: 1302938615-1267642376
                                                                                                                                                                                                                            • Opcode ID: 98c513fe567f2423a6cd73362c94ba26517b758d23fd5353d02cbe85b1947af2
                                                                                                                                                                                                                            • Instruction ID: 15fecc1bcaeefd59154311e779cc8361e307966c98aee5eceee3ab8c57f63fd2
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 98c513fe567f2423a6cd73362c94ba26517b758d23fd5353d02cbe85b1947af2
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8E916A70604746CFCB25CF69C48062AFBE5EF85354F284DAEE49AC7661D7B0E881CB51
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • type_info::operator==.LIBVCRUNTIME ref: 00C33400
                                                                                                                                                                                                                            • ___TypeMatch.LIBVCRUNTIME ref: 00C3350E
                                                                                                                                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 00C33660
                                                                                                                                                                                                                            • CallUnexpected.LIBVCRUNTIME ref: 00C3367B
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                                                                                            • API String ID: 2751267872-393685449
                                                                                                                                                                                                                            • Opcode ID: 3a7d76fb4eaa8c435effda72fee1f087626b27da86d44a21d5c548ad938d934a
                                                                                                                                                                                                                            • Instruction ID: 3215d3643261f8971d7209ae0c86d67f8503ca3c23c27cc7d1bf17ea1eb2ce31
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3a7d76fb4eaa8c435effda72fee1f087626b27da86d44a21d5c548ad938d934a
• Instruction Fuzzy Hash: E8B16871920299EFCF29DFA4C8829AEBBB5BF08310F14455AF8216B212C735DB51DF91
Strings
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3907804496
• Opcode ID: 04b73e471453051632bc4e3d0008fcae354e743288b72fb17820ae7c4ee6f296
• Instruction ID: 5f4bbd973bde35d54bb0549b8043f2b44e612a422e4d3478291a25afe5160df3
• Opcode Fuzzy Hash: 04b73e471453051632bc4e3d0008fcae354e743288b72fb17820ae7c4ee6f296
• Instruction Fuzzy Hash: E2B1D074E042499FDB11DFA9C881BED7BB1BF85350F1C4158E9A59B292C7B0DE82CB60
APIs
• GetUserDefaultUILanguage.KERNEL32 ref: 038D1F90
• GetKeyboardLayoutList.USER32(00000032,?), ref: 038D1FF2
Strings
Memory Dump Source
• Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
Yara matches
Similarity
• API ID: DefaultKeyboardLanguageLayoutListUser
• String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
• API String ID: 167087913-619012376
• Opcode ID: 2109a9c1999b841452ae13152a99ed52a4bde00fdeb7650f1c3ce03359d182a1
• Instruction ID: 2d71485b0d6bd1fe6ff939e642897692c4a4eeac429046dd2df9c8afcb308f61
• Opcode Fuzzy Hash: 2109a9c1999b841452ae13152a99ed52a4bde00fdeb7650f1c3ce03359d182a1
• Instruction Fuzzy Hash: 7D319F54E08298AAEB019FE8A4017FDBB70AF14305F4054D6F588FA282D7BD4B45C76A
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,42A6EBB4,?,00C3DEA3,00000000,00BD13A5,00000000,00000000), ref: 00C3DE55
Strings
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 74f4d70624e32473e61f9d4c4e490ba621ba230fac86c9d7d6e04763a97261da
• Instruction ID: ff8644532212b7bd0e314af8dd9c38cc267212c1b52e8b0e14341249e2644a85
• Opcode Fuzzy Hash: 74f4d70624e32473e61f9d4c4e490ba621ba230fac86c9d7d6e04763a97261da
• Instruction Fuzzy Hash: E021B775A11221ABC731AB65FC45B5F7B69EB567A1F240120FD27AB2D0D730EE00C6E0
APIs
• __EH_prolog3.LIBCMT ref: 00C2E51D
• std::_Lockit::_Lockit.LIBCPMT ref: 00C2E527
• int.LIBCPMTD ref: 00C2E53E
  • Part of subcall function 00BD46D0: std::_Lockit::_Lockit.LIBCPMT ref: 00BD46E6
  • Part of subcall function 00BD46D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00BD4710
• codecvt.LIBCPMT ref: 00C2E561
• std::_Facet_Register.LIBCPMT ref: 00C2E578
• std::_Lockit::~_Lockit.LIBCPMT ref: 00C2E598
• Concurrency::cancel_current_task.LIBCPMTD ref: 00C2E5A5
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
• String ID:
• API String ID: 2133458128-0
• Opcode ID: 3114c238fc8d031a0556a5c3f1046089c88bfa9ca5284889391069ba5dfd3510
• Instruction ID: a19d7d74607178d8d6f09534612635f5002ff9391aa60479d6622417ffdcc947
• Opcode Fuzzy Hash: 3114c238fc8d031a0556a5c3f1046089c88bfa9ca5284889391069ba5dfd3510
• Instruction Fuzzy Hash: 5311E1B69102289FCB10EBA4E8467AEB7F5FF84720F100459F405A7691EFB0AE018B81
APIs
• __EH_prolog3.LIBCMT ref: 00C2D7AF
• std::_Lockit::_Lockit.LIBCPMT ref: 00C2D7B9
• int.LIBCPMTD ref: 00C2D7D0
  • Part of subcall function 00BD46D0: std::_Lockit::_Lockit.LIBCPMT ref: 00BD46E6
  • Part of subcall function 00BD46D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00BD4710
• codecvt.LIBCPMT ref: 00C2D7F3
• std::_Facet_Register.LIBCPMT ref: 00C2D80A
• std::_Lockit::~_Lockit.LIBCPMT ref: 00C2D82A
• Concurrency::cancel_current_task.LIBCPMTD ref: 00C2D837
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
• String ID:
• API String ID: 2133458128-0
• Opcode ID: c04a812b8f7c5a9c352af9fddcee3261168470f212b8e6aa0ef0528e065711d6
• Instruction ID: 7e9496232365837dfce98e11e1bf042cfe5b9c44651b8a3f7681d44fa2cfb865
• Opcode Fuzzy Hash: c04a812b8f7c5a9c352af9fddcee3261168470f212b8e6aa0ef0528e065711d6
• Instruction Fuzzy Hash: F201F57A90022A9BCB05EB60ED45BBEB7B1FF94710F240049E4126B6D2CF749E05DBD1
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00C2F927
• MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00C2F992
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C2F9AF
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00C2F9EE
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C2FA4D
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00C2FA70
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
                                                                                                                                                                                                                            • API ID: ByteCharMultiStringWide
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2829165498-0
                                                                                                                                                                                                                            • Opcode ID: c319a4ef3e71fbcc0b37a68091fe4f396aead65c17dfe3c02b54a3ecf80c520e
                                                                                                                                                                                                                            • Instruction ID: 1d415907b350b5193da29a227ba5586f68869687d7a2ce84279a2eff7f61a1c5
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c319a4ef3e71fbcc0b37a68091fe4f396aead65c17dfe3c02b54a3ecf80c520e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6D519D7250022EEBEF209FA4EC45FAF7BB9EB44750F104139F919A6550D7708D12EB50
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: x
                                                                                                                                                                                                                            • API String ID: 0-2363233923
                                                                                                                                                                                                                            • Opcode ID: 9cff268fb96ae4f444a9d93f84febed5732fd4ba473fc6a1cbd55c7d7aa49c56
                                                                                                                                                                                                                            • Instruction ID: 29d573e18b959c127aa74c54740f05a3666bb586326da8f2131f9aebed9c3548
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9cff268fb96ae4f444a9d93f84febed5732fd4ba473fc6a1cbd55c7d7aa49c56
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2102B278E04209EFCB45CFA8D984AADB7F4FF09305F048495E866EB250D7B4AA11CF52
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,00C32FA1,00C316DC,00C30672), ref: 00C32FB8
                                                                                                                                                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C32FC6
                                                                                                                                                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C32FDF
                                                                                                                                                                                                                            • SetLastError.KERNEL32(00000000,00C32FA1,00C316DC,00C30672), ref: 00C33031
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3852720340-0
                                                                                                                                                                                                                            • Opcode ID: 6477046241aa661dd4d55f7d0cc6bb57e9eb996a8442bc27c52c995f8465c1a6
                                                                                                                                                                                                                            • Instruction ID: 8a1326f8e94607051af226cb9ca92c3aba6599b26473d279bba4f271872e3204
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6477046241aa661dd4d55f7d0cc6bb57e9eb996a8442bc27c52c995f8465c1a6
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1C017B3623D7716EAB3C2BB57D85B2F3659EB95771F200329F421A50E0EF115D80A245
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,42A6EBB4,?,?,00000000,00C48AEC,000000FF,?,00C380A8,?,?,00C3807C,00000000), ref: 00C38101
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C38113
                                                                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,00000000,00C48AEC,000000FF,?,00C380A8,?,?,00C3807C,00000000), ref: 00C38135
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                            • Opcode ID: 1bea365608999bb4cc5e3115e91ff00ecbf179a53fc5769b1a79f3cb93a70add
                                                                                                                                                                                                                            • Instruction ID: 60f53c142f4c68d014cb9f360b965f39f3b92444f73458bf85677476c714e90c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1bea365608999bb4cc5e3115e91ff00ecbf179a53fc5769b1a79f3cb93a70add
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F101D635910625EFCB119F54CC09BAFBBB8FB09B11F000529F822A22D0DF799D00CA60
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00BD1E40
                                                                                                                                                                                                                            • int.LIBCPMTD ref: 00BD1E59
                                                                                                                                                                                                                              • Part of subcall function 00BD46D0: std::_Lockit::_Lockit.LIBCPMT ref: 00BD46E6
                                                                                                                                                                                                                              • Part of subcall function 00BD46D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00BD4710
                                                                                                                                                                                                                            • Concurrency::cancel_current_task.LIBCPMTD ref: 00BD1E99
                                                                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00BD1F01
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3053331623-0
                                                                                                                                                                                                                            • Opcode ID: bfd4add74a7533b32bc971a5637a431947833c72663f90b476ce6234b3ec42de
                                                                                                                                                                                                                            • Instruction ID: 8aa4ac28f8db97f99c3b6ecda45a9c6567feeda9c3b8afde83bb84c8a960d0f6
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bfd4add74a7533b32bc971a5637a431947833c72663f90b476ce6234b3ec42de
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 16310CB5D00249DBCB04DF98D991BEEFBF0BF58310F204699E915A7391EB345A44CBA1
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00BD1F40
                                                                                                                                                                                                                            • int.LIBCPMTD ref: 00BD1F59
                                                                                                                                                                                                                              • Part of subcall function 00BD46D0: std::_Lockit::_Lockit.LIBCPMT ref: 00BD46E6
                                                                                                                                                                                                                              • Part of subcall function 00BD46D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00BD4710
                                                                                                                                                                                                                            • Concurrency::cancel_current_task.LIBCPMTD ref: 00BD1F99
                                                                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00BD2001
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
• String ID:
• API String ID: 3053331623-0
• Opcode ID: 74f72229dc224655c2ad57ee89db36fe35d5c3f2a3535743f4e0375607331eb1
• Instruction ID: 916a3475cae365ab80eb2b7ece9d0ff6c0bebd9fb5d11291f2b9de5c6053fb53
• Opcode Fuzzy Hash: 74f72229dc224655c2ad57ee89db36fe35d5c3f2a3535743f4e0375607331eb1
• Instruction Fuzzy Hash: A0312AB5D00249DBCB04EFA8D991BEEFBF0BF48310F204699E41567391EB345A44CBA1
APIs
• __EH_prolog3.LIBCMT ref: 00C2CE44
• std::_Lockit::_Lockit.LIBCPMT ref: 00C2CE4F
• std::_Lockit::~_Lockit.LIBCPMT ref: 00C2CEBD
  • Part of subcall function 00C2CFA0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00C2CFB8
• std::locale::_Setgloballocale.LIBCPMT ref: 00C2CE6A
• _Yarn.LIBCPMT ref: 00C2CE80
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID:
• API String ID: 1088826258-0
• Opcode ID: e946f24960a2b78d050b78e20e345fb63b0083bb829390417dd45f46621db021
• Instruction ID: 030231acc40b7aa27f664b15ddf5c820bfbc3d15116a5df16989415fbc881b1d
• Opcode Fuzzy Hash: e946f24960a2b78d050b78e20e345fb63b0083bb829390417dd45f46621db021
• Instruction Fuzzy Hash: 1A018F79A006219BCB09EB60E8A577E7B62FF89740B150009E81257782CF786E46DBC5
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00C34023,00000000,?,00C5B824,?,?,?,00C341C6,00000004,InitializeCriticalSectionEx,00C4B270,InitializeCriticalSectionEx), ref: 00C3407F
• GetLastError.KERNEL32(?,00C34023,00000000,?,00C5B824,?,?,?,00C341C6,00000004,InitializeCriticalSectionEx,00C4B270,InitializeCriticalSectionEx,00000000,?,00C33F7D), ref: 00C34089
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00C340B1
Strings
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode ID: 41322d9b2aa52f51fc8118b76a0d487919f33926a86296dce2c82b144a3ed8fa
• Instruction ID: e88c740eb9a7601ebd37d0c31655a7307e1d41a5be3506e7fabcf63d86d80081
• Opcode Fuzzy Hash: 41322d9b2aa52f51fc8118b76a0d487919f33926a86296dce2c82b144a3ed8fa
• Instruction Fuzzy Hash: 5AE04F34790214BBEF342F60EC06B5E3BA4EB11B50F104020FE4CE80E1DBB2E95499D9
APIs
• GetConsoleOutputCP.KERNEL32(42A6EBB4,00000000,00000000,00000000), ref: 00C3F4FA
  • Part of subcall function 00C41EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00C3EF8D,?,00000000,-00000008), ref: 00C41F1E
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C3F74C
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00C3F792
• GetLastError.KERNEL32 ref: 00C3F835
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: c119a80c5b83c03fdb7493623d079d67446bd58b4f9caaa6eec7dfbfbee8ce85
• Instruction ID: 2d3b246f1dd4b9fb93743a0491baabcaf32645a80da8f41101618116716b24ea
• Opcode Fuzzy Hash: c119a80c5b83c03fdb7493623d079d67446bd58b4f9caaa6eec7dfbfbee8ce85
• Instruction Fuzzy Hash: 43D17B79D102589FCF15CFA8D880AADBBB5FF09314F24452EE866EB351D730A942CB50
APIs
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: 11531362fbef8091132aa4f182c54f23902fb1c2c83890b770b5a39446f41d70
• Instruction ID: 7e6f38de4d4b11995536375e843d0ef5ab0a7b95c6b0f106d17a192ac70a2c38
• Opcode Fuzzy Hash: 11531362fbef8091132aa4f182c54f23902fb1c2c83890b770b5a39446f41d70
• Instruction Fuzzy Hash: 5A5123766242869FDB289F11D851BBEB7A4EF40300F24442DEC12972A1D731EF85DB90
APIs
  • Part of subcall function 00C41EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00C3EF8D,?,00000000,-00000008), ref: 00C41F1E
• GetLastError.KERNEL32 ref: 00C422DE
• __dosmaperr.LIBCMT ref: 00C422E5
• GetLastError.KERNEL32(?,?,?,?), ref: 00C4231F
• __dosmaperr.LIBCMT ref: 00C42326
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1913693674-0
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00C43226
  • Part of subcall function 00C41EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00C3EF8D,?,00000000,-00000008), ref: 00C41F1E
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C4325E
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C4327E
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
APIs
• WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00C46B6B,00000000,00000001,0000000C,00000000,?,00C3F889,00000000,00000000,00000000), ref: 00C47C52
• GetLastError.KERNEL32(?,00C46B6B,00000000,00000001,0000000C,00000000,?,00C3F889,00000000,00000000,00000000,00000000,00000000,?,00C3FE2C,?), ref: 00C47C5E
  • Part of subcall function 00C47C24: CloseHandle.KERNEL32(FFFFFFFE,00C47C6E,?,00C46B6B,00000000,00000001,0000000C,00000000,?,00C3F889,00000000,00000000,00000000,00000000,00000000), ref: 00C47C34
• ___initconout.LIBCMT ref: 00C47C6E
  • Part of subcall function 00C47BE6: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00C47C15,00C46B58,00000000,?,00C3F889,00000000,00000000,00000000,00000000), ref: 00C47BF9
• WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00C46B6B,00000000,00000001,0000000C,00000000,?,00C3F889,00000000,00000000,00000000,00000000), ref: 00C47C83
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
APIs
  • Part of subcall function 038D3508: EnterCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D3512
  • Part of subcall function 038D3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038D51B7), ref: 038D351B
  • Part of subcall function 038D3508: RtlAllocateHeap.NTDLL(00000000,?,?,038D51B7), ref: 038D3522
  • Part of subcall function 038D3508: LeaveCriticalSection.KERNEL32(038D84D4,?,?,038D51B7), ref: 038D352B
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 038D2E3D
Memory Dump Source
• Source File: 00000009.00000002.3288875446.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_38d0000_77CD.jbxd
Yara matches
Similarity
• API ID: CriticalHeapSection$AllocateByteCharEnterLeaveMultiProcessWide
• String ID: x
• API String ID: 1990697408-2363233923
APIs
• __startOneArgErrorHandling.LIBCMT ref: 00C3BC8D
Memory Dump Source
• Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00C32DEF
                                                                                                                                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00C32EA3
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                            • String ID: csm
                                                                                                                                                                                                                            • API String ID: 3480331319-1018135373
                                                                                                                                                                                                                            • Opcode ID: af79cdb1c02edb237a7f38be6a905b8a06039f164708b2f4890f1d6102669201
                                                                                                                                                                                                                            • Instruction ID: ed5d91ef4baf8b4f4ff126f8798ce5768575a92d26a62b2effbed82c417f8ab8
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: af79cdb1c02edb237a7f38be6a905b8a06039f164708b2f4890f1d6102669201
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1641F434A20209AFCF10DF69C881B9EBBB1FF45315F148155E8246B392C735EE05CB91
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EncodePointer.KERNEL32(00000000,?), ref: 00C336AB
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: EncodePointer
                                                                                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                                                                                            • API String ID: 2118026453-2084237596
                                                                                                                                                                                                                            • Opcode ID: b63fb0091dd6ac054481012d8e9fd2d99ba69a35737380bfd97f0e5a211cc4f5
                                                                                                                                                                                                                            • Instruction ID: 77e5d43224e747c512773b232e261a7baefef14d284e807fc501c42cff15683e
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b63fb0091dd6ac054481012d8e9fd2d99ba69a35737380bfd97f0e5a211cc4f5
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B34169B2910249AFDF15DF98CD82AEEBBB5FF49300F188199F914A7221D335AA50DF50
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 00C2C9E8
                                                                                                                                                                                                                            • task.LIBCPMTD ref: 00C2C9F6
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            • }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+, xrefs: 00C2C92A
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3287219205.0000000000BD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287185983.0000000000BD0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287290083.0000000000C49000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287324733.0000000000C5A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287359465.0000000000C5B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3287412401.0000000000C5C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_bd0000_77CD.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Concurrency::task_continuation_context::task_continuation_contexttask
                                                                                                                                                                                                                            • String ID: }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+
                                                                                                                                                                                                                            • API String ID: 605201214-2946796713
                                                                                                                                                                                                                            • Opcode ID: 2699b2f28a7ea9901b2fe0fe4de62b74a3383d5e99dda2808161b5db2f24f0f1
                                                                                                                                                                                                                            • Instruction ID: c421570d48e65fca3f8059813c19dd1195bdd9498719d97125d84644d6575f79
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2699b2f28a7ea9901b2fe0fe4de62b74a3383d5e99dda2808161b5db2f24f0f1
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2931F771D041299BCB04DF98D992BEEBBB1FF48300F20816AE415B7781DB756A40DBA1