Windows Analysis Report
37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe

Overview

General Information

Sample name: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe
Analysis ID: 1466523
MD5: c280b435ae8e9bcf43b221df43e9fc65
SHA1: 5185a39475de9e0b98f1faba04a9e3bf9e3d5d76
SHA256: fa39d4dbbf0828f381cf30adfb6b5f3c207e86d22eccbfcc4d4ecd90573e4b6b
Tags: exe

Detection

LummaC, Poverty Stealer, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe" MD5: C280B435AE8E9BCF43B221DF43E9FC65)
    • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • DBD3.exe (PID: 7704 cmdline: C:\Users\user\AppData\Local\Temp\DBD3.exe MD5: BD2EAC64CBDED877608468D86786594A)
      • FD47.exe (PID: 7772 cmdline: C:\Users\user\AppData\Local\Temp\FD47.exe MD5: 60172CA946DE57C3529E9F05CC502870)
        • setup.exe (PID: 5236 cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe" MD5: FF2293FBFF53F4BD2BFF91780FABFD60)
          • GamePall.exe (PID: 7564 cmdline: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 1144 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3300 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 5076 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3972 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 3052 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3996 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 3632 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171165647 --mojo-platform-channel-handle=4028 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 7464 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171215235 --mojo-platform-channel-handle=4164 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 2344 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 7732 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 7112 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 6264 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 4556 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 7008 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 5576 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 1896 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 5224 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 3368 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 5932 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 5812 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 1028 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 6260 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 7900 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 6820 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 7164 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 2112 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 3020 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 2484 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
      • 1B6E.exe (PID: 7888 cmdline: C:\Users\user\AppData\Local\Temp\1B6E.exe MD5: DA4B6F39FC024D2383D4BFE7F67F1EE1)
      • GamePall.exe (PID: 5124 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 6332 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
  • etvjrtf (PID: 7568 cmdline: C:\Users\user\AppData\Roaming\etvjrtf MD5: C280B435AE8E9BCF43B221DF43E9FC65)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

LummaC: {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}
SmokeLoader: {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Poverty Stealer: {"C2 url": "146.70.169.164:2227"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
00000006.00000003.2037792556.000000000169D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.1924153562.00000000020A1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000003.00000002.1924153562.00000000020A1000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
(13 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.1B6E.exe.165ea20.1.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
9.2.1B6E.exe.165ea20.1.raw.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
9.2.1B6E.exe.3cd0000.3.raw.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
9.2.1B6E.exe.3cd0000.3.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
9.2.1B6E.exe.1618320.2.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
(1 further entry not shown)

System Summary

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\setup.exe, ProcessId: 5236, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GamePall
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: C:\Users\user\AppData\Roaming\etvjrtf, CommandLine: C:\Users\user\AppData\Roaming\etvjrtf, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\etvjrtf, NewProcessName: C:\Users\user\AppData\Roaming\etvjrtf, OriginalFileName: C:\Users\user\AppData\Roaming\etvjrtf, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\etvjrtf, ProcessId: 7568, ProcessName: etvjrtf
No Snort rule has matched


AV Detection

Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe; Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe; Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Temp\setup.exe; Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\FD47.exe; Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat; Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: 00000000.00000002.1691528939.00000000001E0000.00000004.00001000.00020000.00000000.sdmp; Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 9.2.1B6E.exe.165ea20.1.raw.unpack; Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}
Source: DBD3.exe.7704.6.memstrmin; Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe; ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe; ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\FD47.exe; ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\etvjrtf; ReversingLabs: Detection: 60%
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe; ReversingLabs: Detection: 60%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe; Joe Sandbox ML: detected
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe; Code function: 9_2_03CD1C94 CryptProtectData, 9_2_03CD1C94
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\setup.exe; Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: Binary string: ntkrnlmp.pdbx, source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: GamePall.exe, 0000000C.00000002.4716327288.00000000060B2000.00000002.00000001.01000000.00000014.sdmp, Newtonsoft.Json.dll.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbe source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: GamePall.exe, GamePall.exe, 0000000C.00000002.4716327288.00000000060B2000.00000002.00000001.01000000.00000014.sdmp, Newtonsoft.Json.dll.11.dr
Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbly source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEC2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000C.00000000.3173116453.00000000003B2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 00000010.00000002.4666674998.0000000060139000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000014.00000002.3264768163.0000000005952000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\*mp source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000014.00000002.3264768163.0000000005952000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exemePalll source: setup.exe, 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 1B6E.exe, 00000009.00000000.2135317082.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp, 1B6E.exe, 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3374106210.0000000000689000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3374106210.0000000000689000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbmw source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEC2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 1B6E.exe, 00000009.00000000.2135317082.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp, 1B6E.exe, 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe; Directory queried: number of queries: 1437
Source: C:\Users\user\AppData\Local\Temp\FD47.exe; Code function: 7_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 7_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\FD47.exe; Code function: 7_2_004066FF FindFirstFileA,FindClose, 7_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\FD47.exe; Code function: 7_2_004027AA FindFirstFileA, 7_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe; Code function: 9_2_00A924BD FindFirstFileExW, 9_2_00A924BD
Source: C:\Users\user\AppData\Local\Temp\setup.exe; Code function: 11_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 11_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exe; Code function: 11_2_004066FF FindFirstFileA,FindClose, 11_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exe; Code function: 11_2_004027AA FindFirstFileA, 11_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe; File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe; File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe; File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe; File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe; File opened: C:\Users\user\AppData\Local\Adobe\
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe; File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\

Networking

Source: C:\Windows\explorer.exe; Network Connect: 181.52.122.51 80
Source: C:\Windows\explorer.exe; Network Connect: 141.8.192.126 80
Source: C:\Windows\explorer.exe; Network Connect: 185.68.16.7 443
Source: C:\Windows\explorer.exe; Network Connect: 127.0.0.127 80
Source: C:\Windows\explorer.exe; Network Connect: 188.114.96.3 80
Source: Joe Sandbox View; IP Address: 141.8.192.126 141.8.192.126
Source: Joe Sandbox View; IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View; ASN Name: TelmexColombiaSACO TelmexColombiaSACO
Source: Joe Sandbox View; ASN Name: SPRINTHOSTRU SPRINTHOSTRU
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                    Source: Newtonsoft.Json.dll.11.drString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                    Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmpString found in binary or memory: http://crbug.com/275944
                    Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmpString found in binary or memory: http://crbug.com/497301
                    Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmpString found in binary or memory: http://crbug.com/514696
                    Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmpString found in binary or memory: http://crbug.com/717501
                    Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmpString found in binary or memory: http://crbug.com/775961
                    Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmpString found in binary or memory: http://crbug.com/839189
                    Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                    Source: Newtonsoft.Json.dll.11.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                    Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                    Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                    Source: explorer.exe, 00000001.00000000.1683280405.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1684623334.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                    Source: Newtonsoft.Json.dll.11.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                    Source: Newtonsoft.Json.dll.11.drString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
                    Source: Newtonsoft.Json.dll.11.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                    Source: Newtonsoft.Json.dll.11.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                    Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                    Source: explorer.exe, 00000001.00000000.1683280405.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1684623334.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: Newtonsoft.Json.dll.11.drString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                    Source: Newtonsoft.Json.dll.11.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                    Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                    Source: GamePall.exe, 0000000C.00000002.4777657271.0000000037F04000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://groutchoay.com/
                    Source: GamePall.exe, 0000000C.00000002.4777657271.0000000037F04000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://groutchoay.com/7
                    Source: GamePall.exe, 0000000C.00000002.3507088794.0000000002AFA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://groutchoay.com/?l=8pVpPBflecjcgHU
                    Source: GamePall.exe, 0000000C.00000002.4765285515.0000000037D68000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://groutchoay.com/?l=8pVpPBflecjcgHU&s=831805244739428353&z=6966849&tb=6424104&pz=6424105
                    Source: GamePall.exe, 0000000C.00000002.4757714643.0000000037C74000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://groutchoay.com/?l=8pVpPBflecjcgHU&s=831805244739428353&z=6966849&tb=6424104&pz=64241057
                    Source: Newtonsoft.Json.dll.11.drString found in binary or memory: http://james.newtonking.com/projects/json
                    Source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
                    Source: setup.exe, setup.exe, 0000000B.00000003.3173882874.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp, setup.exe, 0000000B.00000000.2873916150.000000000040A000.00000008.00000001.01000000.0000000E.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
                    Source: FD47.exe, 00000007.00000000.2074830237.000000000040A000.00000008.00000001.01000000.00000008.sdmp, FD47.exe, 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp, setup.exe, 0000000B.00000003.3173882874.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp, setup.exe, 0000000B.00000000.2873916150.000000000040A000.00000008.00000001.01000000.0000000E.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                    Source: explorer.exe, 00000001.00000000.1683280405.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1684623334.000000000982D000.00000004.00000001.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                    Source: Newtonsoft.Json.dll.11.drString found in binary or memory: http://ocsp.digicert.com0C
                    Source: Newtonsoft.Json.dll.11.drString found in binary or memory: http://ocsp.digicert.com0K
                    Source: Newtonsoft.Json.dll.11.drString found in binary or memory: http://ocsp.digicert.com0N
                    Source: Newtonsoft.Json.dll.11.drString found in binary or memory: http://ocsp.digicert.com0O
                    Source: explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                    Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                    Source: explorer.exe, 00000001.00000000.1684248888.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1685237344.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1683896450.0000000007F40000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
                    Source: GamePall.exe, 0000000C.00000002.3507088794.0000000002AEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: GamePall.exe, 0000000C.00000002.4776026493.0000000037ECC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://unisolated.invalid/
                    Source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://www.apache.org/).
                    Source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://www.apache.org/licenses/
                    Source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: GamePall.exe, 00000010.00000002.3378641499.0000000006140000.00000002.00000001.00040000.0000001B.sdmpString found in binary or memory: http://www.unicode.org/copyright.html
                    Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                    Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                    Source: FD47.exe, 00000007.00000003.2077335796.00000000030D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.dat
                    Source: FD47.exe, 00000007.00000002.3536265180.00000000007A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.datf
                    Source: FD47.exe, 00000007.00000002.3536265180.00000000007A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.datlb
                    Source: FD47.exe, 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd
                    Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: explorer.exe, 00000001.00000000.1686438182.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
                    Source: explorer.exe, 00000001.00000000.1683280405.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
                    Source: explorer.exe, 00000001.00000000.1683280405.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
                    Source: explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
                    Source: explorer.exe, 00000001.00000000.1684623334.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
                    Source: explorer.exe, 00000001.00000000.1684623334.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
                    Source: explorer.exe, 00000001.00000000.1682187494.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1681641684.0000000001248000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                    Source: explorer.exe, 00000001.00000000.1684623334.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
                    Source: explorer.exe, 00000001.00000000.1684623334.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                    Source: explorer.exe, 00000001.00000000.1684623334.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
                    Source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664327299.0000000001620000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aui-cdn.atlassian.com/
                    Source: 1B6E.exe, 00000009.00000002.2833845596.00000000015ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/
                    Source: 1B6E.exe, 00000009.00000002.2833845596.00000000015ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/I
                    Source: 1B6E.exe, 00000009.00000002.2833845596.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2833845596.00000000015ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
                    Source: DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                    Source: DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
                    Source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664327299.0000000001620000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.cookielaw.org/
                    Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
                    Source: explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
                    Source: explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
                    Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: GamePall.exe, 0000000C.00000002.4788856489.0000000056670000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chrome.google.com/webstore/category/extensions
                    Source: GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
                    Source: GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
                    Source: GamePall.exe, 0000000C.00000002.4788856489.0000000056670000.00000004.00001000.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmpString found in binary or memory: https://chromewebstore.google.com/
                    Source: GamePall.exe, 0000000C.00000002.4788856489.0000000056670000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromewebstore.google.com/declarativeNetRequestWithHostAccessapp.window.fullscreen.overrideE
                    Source: GamePall.exe, 0000000C.00000002.4787685561.000000005662C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx
                    Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmpString found in binary or memory: https://codereview.chromium.org/25305002).
                    Source: DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                    Source: DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                    Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmpString found in binary or memory: https://crbug.com/1245093):
                    Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmpString found in binary or memory: https://crbug.com/1446731
                    Source: 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
                    Source: 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
                    Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: 1B6E.exe, 00000009.00000003.2664327299.0000000001620000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664463768.000000000165D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
                    Source: explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
                    Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2119386462.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2037792556.000000000169D000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076801213.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2122102908.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076955432.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2097922295.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076766706.00000000016AC000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2023067511.000000000163F000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2022920516.000000000165B000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024545560.000000000165B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/
                    Source: DBD3.exe, 00000006.00000003.2119386462.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2122102908.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2097922295.00000000016B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/F9Q
                    Source: DBD3.exe, 00000006.00000003.2022920516.000000000165B000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2122082002.00000000016A7000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024545560.000000000165B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/api
                    Source: DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2022920516.000000000165B000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024545560.000000000165B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/api2
                    Source: DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/api6
                    Source: DBD3.exe, 00000006.00000003.2119940512.00000000016A7000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2122082002.00000000016A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/apiW
                    Source: DBD3.exe, 00000006.00000003.2037792556.000000000169D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/apid
                    Source: DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/bm/
                    Source: DBD3.exe, 00000006.00000003.2119386462.000000000163D000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2121863832.000000000163D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/e
                    Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076801213.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076955432.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076766706.00000000016AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/j
                    Source: DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/jhg
                    Source: DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/ob
                    Source: DBD3.exe, 00000006.00000003.2097922295.00000000016B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/pi
                    Source: DBD3.exe, 00000006.00000003.2119386462.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2122102908.00000000016B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/re1
                    Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076801213.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076955432.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076766706.00000000016AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/sG
                    Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076801213.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076955432.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076766706.00000000016AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/sc
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
                    Source: explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
                    Source: DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | String found in binary or memory: https://myactivity.google.com/
                    Source: explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com_
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://passwords.google.com
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | String found in binary or memory: https://passwords.google.comGoogle
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://passwords.google.comT
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | String found in binary or memory: https://policies.google.com/
                    Source: explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
                    Source: 1B6E.exe, 00000009.00000003.2664327299.0000000001620000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664463768.000000000165D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                    Source: 1B6E.exe, 00000009.00000003.2664327299.0000000001620000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664463768.000000000165D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
                    Source: GamePall.exe, 0000000C.00000002.4776026493.0000000037ECC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
                    Source: GamePall.exe, 0000000C.00000002.4759970266.0000000037CB8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=dummytoken
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6098869
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | String found in binary or memory: https://support.google.com/chromebook?p=app_intent
                    Source: DBD3.exe, 00000006.00000003.2023916098.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
                    Source: DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                    Source: DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                    Source: DBD3.exe, 00000006.00000003.2024184644.0000000003B85000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2023916098.0000000003B8C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                    Source: DBD3.exe, 00000006.00000003.2024184644.0000000003B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                    Source: DBD3.exe, 00000006.00000003.2024184644.0000000003B85000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2023916098.0000000003B8C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                    Source: DBD3.exe, 00000006.00000003.2024184644.0000000003B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                    Source: GamePall.exe, 00000014.00000002.3256945805.0000000005526000.00000002.00000001.01000000.00000012.sdmp, GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
                    Source: 1B6E.exe, 00000009.00000003.2664327299.0000000001620000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664463768.000000000165D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                    Source: explorer.exe, 00000001.00000000.1686438182.000000000C557000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/L
                    Source: explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
                    Source: DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
                    Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: https://www.digicert.com/CPS0
                    Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                    Source: DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
                    Source: GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
                    Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
                    Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                    Source: DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                    Source: DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                    Source: DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                    Source: DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
                    Source: explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
                    Source: explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
                    Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: https://www.newtonsoft.com/json
                    Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: https://www.newtonsoft.com/jsonschema
                    Source: GamePall.exe, GamePall.exe, 0000000C.00000002.4716327288.00000000060B2000.00000002.00000001.01000000.00000014.sdmp, Newtonsoft.Json.dll.11.dr | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

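                    The string list above mixes three very different things: the stealer's own C2 host (foodypannyjsud.shop, referenced only from DBD3.exe memory, with the /api endpoint plus a spread of short suffixes such as /apiW, /apid and /F9Q that are most likely trailing bytes read past the end of the string rather than distinct endpoints), URLs copied out of the browser profiles the stealer reads (DuckDuckGo, Ecosia, Mozilla), and the MSN feed cache that explorer.exe carries on any Windows 10 desktop. The script below is an added triage helper, not part of the Joe Sandbox report or its tooling: it groups "String found in binary or memory" entries by host and records which processes and paths reference each one, so that a host seen only from the malware's own process stands out. The sample lines are copied from the entries above and are the only input; the parser accepts both the label as exported here (fused onto the dump identifier, "...sdmpString found ...") and the separated form.

```python
"""Group 'String found in binary or memory' entries of a Joe Sandbox report by
host, so one C2 domain scattered over many memory dumps collapses to a single
IOC carrying the processes and URL paths that reference it."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The source field is a comma-separated run of process names, memory-dump
# identifiers (...sdmp) and dropped-file identifiers (...dr).  The exported
# report sometimes fuses the label onto the last identifier and sometimes
# separates it with " | ", so both are tolerated.
LINE_RE = re.compile(
    r"Source:\s*(?P<source>.*?)\s*(?:\|\s*)?"
    r"String found in binary or memory:\s*(?P<url>\S+)"
)

# Constructed input: entries copied from the report above (two of them in the
# fused form), plus one non-matching line to show it is ignored.
SAMPLE_LINES = [
    "Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/",
    "Source: DBD3.exe, 00000006.00000003.2022920516.000000000165B000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2122082002.00000000016A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/api",
    "Source: DBD3.exe, 00000006.00000003.2119940512.00000000016A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/apiW",
    "Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com",
    "Source: Newtonsoft.Json.dll.11.drString found in binary or memory: https://www.digicert.com/CPS0",
    "Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | String found in binary or memory: https://passwords.google.comGoogle",
    "Source: GamePall.exe | Process created: 54",
]


def parse_source(source):
    """Return the set of process / dropped-file names in a source field.

    Memory-dump identifiers belong to the process name before them and are
    dropped; dropped-file identifiers (*.dr) are kept as names of their own."""
    names = set()
    for token in (t.strip() for t in source.split(",")):
        if not token or token.endswith(".sdmp"):
            continue
        names.add(token)
    return names


def parse_report_lines(lines):
    """Yield (names, url) for every string-found entry; other lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield parse_source(m.group("source")), m.group("url")


def group_by_host(lines):
    """Map each host to the processes that reference it and the paths seen.

    Hosts built from fused trailing bytes (passwords.google.comgoogle and
    the like) surface as separate keys, which is the point: they need an
    analyst's eye, not a blocklist entry."""
    hosts = defaultdict(lambda: {"processes": set(), "paths": set()})
    for names, url in parse_report_lines(lines):
        parts = urlsplit(url)
        if not parts.hostname:
            continue
        entry = hosts[parts.hostname]
        entry["processes"].update(names)
        entry["paths"].add(parts.path or "/")
    return dict(hosts)


def hosts_unique_to(lines, process):
    """Hosts referenced from the given process and from nowhere else in the
    report: a cheap first filter for C2 candidates, before the browser and
    shell noise is removed by hand."""
    return sorted(host for host, entry in group_by_host(lines).items()
                  if entry["processes"] == {process})


if __name__ == "__main__":
    for host, entry in sorted(group_by_host(SAMPLE_LINES).items()):
        print(host, sorted(entry["processes"]), sorted(entry["paths"]))
    print("unique to DBD3.exe:", hosts_unique_to(SAMPLE_LINES, "DBD3.exe"))
```

                    On the sample lines the only host unique to DBD3.exe is foodypannyjsud.shop; run over the full list above, the same filter also returns the ad-network and retail URLs (imp.mt48.net, amazon.com, expedia.com) that the stealer lifted from a browser profile, which is why the output is a candidate list and not an IOC feed.
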
                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: Yara match | File source: 00000003.00000002.1924153562.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1691624070.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1691528939.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1923776407.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exe | Code function: 7_2_004055E7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
                    Source: GamePall.exe | Process created: 54

                    System Summary

                    Source: 00000003.00000002.1924153562.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                    Source: 00000000.00000002.1691624070.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                    Source: 00000000.00000002.1691528939.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                    Source: 00000003.00000002.1923776407.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                    Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: etvjrtf.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Code function: 0_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Code function: 0_2_00402FE9 RtlCreateUserThread,NtTerminateProcess
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Code function: 0_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Code function: 0_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Code function: 0_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Code function: 0_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Code function: 0_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Code function: 0_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exe | Code function: 7_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exe | Code function: 7_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 11_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exe | Code function: 7_2_00406A88
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: 9_2_00A81490
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: 9_2_00A8D515
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: 9_2_00A94775
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: 9_2_00A8BE09
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 11_2_00406A88
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_02564F58
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_02561049
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_059F6608
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_06A90790
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_06A9D650
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_63CE1D27
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_635714C0
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_63C44960
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_63D37460
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_63D37C50
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_61E89120
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_63CA4003
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_61D342A0
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: String function: 00A80310 appears 51 times
                    Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Static PE information: No import functions for PE file found
                    Source: etvjrtf.1.dr | Static PE information: No import functions for PE file found
                    Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: 00000003.00000002.1924153562.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                    Source: 00000000.00000002.1691624070.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                    Source: 00000000.00000002.1691528939.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                    Source: 00000003.00000002.1923776407.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                    Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: etvjrtf.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exeStatic PE information: Section .text
                    Source: etvjrtf.1.drStatic PE information: Section .text
                    Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.csCryptographic APIs: 'TransformBlock'
                    Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.csCryptographic APIs: 'TransformFinalBlock'
                    Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: GamePall.exe.11.dr, Program.cs | Base64 encoded string
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@273/116@0/8
Source: C:\Users\user\AppData\Local\Temp\FD47.exe | Code function: 7_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 11_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\FD47.exe | Code function: 7_2_00404897 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\AppData\Local\Temp\FD47.exe | Code function: 7_2_00402173 CoCreateInstance,MultiByteToWideChar
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\etvjrtf
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\DBD3.tmp
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: DBD3.exe, 00000006.00000003.2024312683.0000000003B64000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | ReversingLabs: Detection: 60%
Source: unknown | Process created: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe "C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\etvjrtf C:\Users\user\AppData\Roaming\etvjrtf
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\DBD3.exe C:\Users\user\AppData\Local\Temp\DBD3.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\FD47.exe C:\Users\user\AppData\Local\Temp\FD47.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\1B6E.exe C:\Users\user\AppData\Local\Temp\1B6E.exe
Source: C:\Users\user\AppData\Local\Temp\FD47.exe | Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3300 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3972 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3996 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171165647 --mojo-platform-channel-handle=4028 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171215235 --mojo-platform-channel-handle=4164 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\DBD3.exe C:\Users\user\AppData\Local\Temp\DBD3.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\FD47.exe C:\Users\user\AppData\Local\Temp\FD47.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\1B6E.exe C:\Users\user\AppData\Local\Temp\1B6E.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\FD47.exe | Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3300 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3972 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3996 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171165647 --mojo-platform-channel-handle=4028 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171215235 --mojo-platform-channel-handle=4164 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: mfsrcsnk.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: cdprt.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: smartscreenps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\etvjrtfSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: dwmapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: oleacc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: shfolder.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe  Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: audioses.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mscms.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: omadmapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dmcmnutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: iri.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dsreg.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Section loaded: netutils.dll
                    Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
                    Source: Binary string: ntkrnlmp.pdbx, source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEB9000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: GamePall.exe, 0000000C.00000002.4716327288.00000000060B2000.00000002.00000001.01000000.00000014.sdmp, Newtonsoft.Json.dll.11.dr
                    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: WINLOA~1.PDBwinload_prod.pdbe source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEB9000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: GamePall.exe, GamePall.exe, 0000000C.00000002.4716327288.00000000060B2000.00000002.00000001.01000000.00000014.sdmp, Newtonsoft.Json.dll.11.dr
                    Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: WINLOA~1.PDBwinload_prod.pdbly source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEC2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000C.00000000.3173116453.00000000003B2000.00000002.00000001.01000000.00000010.sdmp
                    Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 00000010.00000002.4666674998.0000000060139000.00000002.00000001.01000000.00000016.sdmp
                    Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000014.00000002.3264768163.0000000005952000.00000002.00000001.01000000.00000013.sdmp
                    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\*mp source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp
                    Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000014.00000002.3264768163.0000000005952000.00000002.00000001.01000000.00000013.sdmp
                    Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exemePalll source: setup.exe, 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                    Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp
                    Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 1B6E.exe, 00000009.00000000.2135317082.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp, 1B6E.exe, 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3374106210.0000000000689000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3374106210.0000000000689000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: ntkrnlmp.pdbmw source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEC2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 1B6E.exe, 00000009.00000000.2135317082.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp, 1B6E.exe, 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                    Source: Newtonsoft.Json.dll.11.dr | Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exe | Code function: 7_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary | 7_2_100010D0
                    Source: initial sample | Static PE information: section where entry point is pointing to: .vmpLp
                    Source: chrome_elf.dll.11.dr | Static PE information: real checksum: 0x0 should be: 0x11ff85
                    Source: Del.exe.11.dr | Static PE information: real checksum: 0x0 should be: 0x556d
                    Source: libGLESv2.dll.11.dr | Static PE information: real checksum: 0x0 should be: 0x263106
                    Source: 1B6E.exe.1.dr | Static PE information: real checksum: 0x0 should be: 0x9498e
                    Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Static PE information: real checksum: 0xe07f should be: 0x194ea
                    Source: GamePall.exe.11.dr | Static PE information: real checksum: 0x0 should be: 0x5286e
                    Source: Uninstall.exe.11.dr | Static PE information: real checksum: 0x0 should be: 0x3fba6
                    Source: FD47.exe.1.dr | Static PE information: real checksum: 0x0 should be: 0x5633b
                    Source: INetC.dll.7.dr | Static PE information: real checksum: 0x0 should be: 0xa6c6
                    Source: libEGL.dll.11.dr | Static PE information: real checksum: 0x0 should be: 0x690e6
                    Source: blowfish.dll.7.dr | Static PE information: real checksum: 0x0 should be: 0x152a5
                    Source: Xilium.CefGlue.dll.11.dr | Static PE information: real checksum: 0x0 should be: 0xdde0b
                    Source: etvjrtf.1.dr | Static PE information: real checksum: 0xe07f should be: 0x194ea
                    Source: libGLESv2.dll0.11.dr | Static PE information: real checksum: 0x0 should be: 0x65b4a2
                    Source: DBD3.exe.1.dr | Static PE information: section name: .vmpLp
                    Source: DBD3.exe.1.dr | Static PE information: section name: .vmpLp
                    Source: DBD3.exe.1.dr | Static PE information: section name: .vmpLp
                    Source: libGLESv2.dll.11.dr | Static PE information: section name: .00cfg
                    Source: libGLESv2.dll.11.dr | Static PE information: section name: .voltbl
                    Source: chrome_elf.dll.11.dr | Static PE information: section name: .00cfg
                    Source: chrome_elf.dll.11.dr | Static PE information: section name: .crthunk
                    Source: chrome_elf.dll.11.dr | Static PE information: section name: CPADinfo
                    Source: chrome_elf.dll.11.dr | Static PE information: section name: malloc_h
                    Source: libEGL.dll.11.dr | Static PE information: section name: .00cfg
                    Source: libGLESv2.dll0.11.dr | Static PE information: section name: .00cfg
                    Source: libcef.dll.11.dr | Static PE information: section name: .00cfg
                    Source: libcef.dll.11.dr | Static PE information: section name: .rodata
                    Source: libcef.dll.11.dr | Static PE information: section name: CPADinfo
                    Source: libcef.dll.11.dr | Static PE information: section name: malloc_h
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Code function: 0_2_00408616 push eax; retf 0000h | 0_2_00408619
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Code function: 0_2_00401CD1 push ecx; ret | 0_2_00401CD2
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Code function: 0_2_004084E6 push FFFFFFFBh; iretd | 0_2_004084FC
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Code function: 0_2_00401C91 push 00000076h; iretd | 0_2_00401C93
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Code function: 0_2_00402E96 push B92A2F4Ch; retf | 0_2_00402E9B
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: 9_2_00A8004B push ecx; ret | 9_2_00A8005E
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_62036B54 push ss; retf | 12_2_62036B57
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_63C458D2 push ebp; iretd | 12_2_63C458D3
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_63C4589C push ebp; iretd | 12_2_63C4589D
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_63597138 push esp; ret | 12_2_63597139
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_61DA38A9 push ecx; ret | 12_2_61DA38AC
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_61E5A1BA push 83000004h; ret | 12_2_61E5A1BF
                    Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Static PE information: section name: .text entropy: 7.062241098302679
                    Source: etvjrtf.1.dr | Static PE information: section name: .text entropy: 7.062241098302679
                    Source: Ionic.Zip.dll.11.dr | Static PE information: section name: .text entropy: 6.821349263259562
                    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\FD47.exe
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exe | File created: C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\nsProcess.dll
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exe | File created: C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\blowfish.dll
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exe | File created: C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\INetC.dll
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll
                    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\etvjrtf
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll
                    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\DBD3.exe
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Local\Temp\nsiA896.tmp\liteFirewall.dll
                    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\1B6E.exe
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exe | File created: C:\Users\user\AppData\Local\Temp\setup.exe
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe
                    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\etvjrtf:Zone.Identifier read attributes | delete
                    Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\setup.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                    Source: C:\Users\user\AppData\Roaming\etvjrtf | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exe | System information queried: FirmwareTableInformation
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | API/Special instruction interceptor: Address: 7FFE2220E814
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | API/Special instruction interceptor: Address: 7FFE2220D584
                    Source: C:\Users\user\AppData\Roaming\etvjrtf | API/Special instruction interceptor: Address: 7FFE2220E814
                    Source: C:\Users\user\AppData\Roaming\etvjrtf | API/Special instruction interceptor: Address: 7FFE2220D584
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exe | API/Special instruction interceptor: Address: E87E15
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exe | API/Special instruction interceptor: Address: 9A76F5
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exe | API/Special instruction interceptor: Address: A84E89
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exe | API/Special instruction interceptor: Address: BB5B80
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exe | API/Special instruction interceptor: Address: AC522F
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exe | API/Special instruction interceptor: Address: B8F069
                    Source: etvjrtf, 00000003.00000002.1923896582.00000000004E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOK.
                    Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe, 00000000.00000002.1691660005.0000000000540000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOK
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2520000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 27A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 26A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 1230000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2D10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 4D10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 9A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 26E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 46E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 1620000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 3160000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2FA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2EB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 3000000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2EB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 1060000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2B90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 29A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 13D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2FB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2CE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2B60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2CE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4CE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 950000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2560000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 24A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2F70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3220000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 5220000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3030000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3160000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 5160000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 650000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 23D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 930000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: D40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 26F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 46F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 16F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3080000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 5080000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1250000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2CD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2C10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: BF0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2540000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4540000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: A70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2330000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 20C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 11F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2C90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4C90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: E40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2B10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 10C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1080000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 28D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 48D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1540000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3090000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2E90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 14D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3240000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1670000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 29D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2BB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4BB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1310000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2F30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 13D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: A60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2470000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2290000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: B40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 24F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 44F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1570000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2FC0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1570000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeThread delayed: delay time: 600000
                    Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 414Jump to behavior
                    Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 4639Jump to behavior
                    Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 891Jump to behavior
                    Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 369Jump to behavior
                    Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 878Jump to behavior
                    Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 868Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\nsProcess.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\blowfish.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiA896.tmp\liteFirewall.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\INetC.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exeAPI coverage: 9.7 %
                    Source: C:\Windows\explorer.exe TID: 7320Thread sleep time: -463900s >= -30000sJump to behavior
                    Source: C:\Windows\explorer.exe TID: 7316Thread sleep time: -89100s >= -30000sJump to behavior
                    Source: C:\Windows\explorer.exe TID: 7672Thread sleep time: -36900s >= -30000sJump to behavior
                    Source: C:\Windows\explorer.exe TID: 7676Thread sleep time: -33400s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exe TID: 7732Thread sleep time: -210000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 7644Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 7748Thread sleep count: 36 > 30
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 4168Thread sleep count: 32 > 30
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeCode function: 7_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,7_2_00405B4A
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeCode function: 7_2_004066FF FindFirstFileA,FindClose,7_2_004066FF
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeCode function: 7_2_004027AA FindFirstFileA,7_2_004027AA
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exeCode function: 9_2_00A924BD FindFirstFileExW,9_2_00A924BD
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 11_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,11_2_00405B4A
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 11_2_004066FF FindFirstFileA,FindClose,11_2_004066FF
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 11_2_004027AA FindFirstFileA,11_2_004027AA
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exeCode function: 9_2_03CD2054 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,9_2_03CD2054
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeThread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exeFile opened: C:\Users\user\AppData\Local\Adobe\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\Jump to behavior
                    Source: explorer.exe, 00000001.00000000.1685084391.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                    Source: DBD3.exe, 00000006.00000002.2121763571.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, FD47.exe, 00000007.00000003.3383606451.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, FD47.exe, 00000007.00000003.3383411439.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, FD47.exe, 00000007.00000002.3584082427.00000000007F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWx
                    Source: explorer.exe, 00000001.00000000.1681641684.0000000001248000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
                    Source: explorer.exe, 00000001.00000000.1683280405.00000000079FB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: explorer.exe, 00000001.00000000.1684623334.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1684623334.000000000982D000.00000004.00000001.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2023067511.000000000163F000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2119386462.000000000163D000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2121863832.000000000163D000.00000004.00000020.00020000.00000000.sdmp, FD47.exe, 00000007.00000003.3383538487.000000000081D000.00000004.00000020.00020000.00000000.sdmp, FD47.exe, 00000007.00000002.3613821225.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: GamePall.exe, 00000027.00000002.3543813931.00000000006B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y`
                    Source: 1B6E.exe, 00000009.00000002.2833845596.00000000015ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnS
                    Source: 1B6E.exe, 00000009.00000002.2833845596.00000000015AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWn`
                    Source: explorer.exe, 00000001.00000000.1685084391.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                    Source: GamePall.exe, 0000000C.00000002.3351452366.0000000000803000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: explorer.exe, 00000001.00000000.1684623334.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00\w
                    Source: explorer.exe, 00000001.00000000.1684623334.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
                    Source: explorer.exe, 00000001.00000000.1685084391.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                    Source: explorer.exe, 00000001.00000000.1685084391.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
                    Source: GamePall.exe, 00000027.00000002.3543813931.0000000000733000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                    Source: explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTTAVMWare
                    Source: GamePall.exe, 00000027.00000002.3543813931.00000000006F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3U7X`t Tt500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: explorer.exe, 00000001.00000000.1684623334.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
                    Source: GamePall.exe, 00000027.00000002.3543813931.00000000006F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:PP*7PXtxK
                    Source: explorer.exe, 00000001.00000000.1683280405.0000000007A34000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnx
                    Source: FD47.exe, 00000007.00000003.3383538487.000000000081D000.00000004.00000020.00020000.00000000.sdmp, FD47.exe, 00000007.00000002.3613821225.000000000081D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWA
                    Source: explorer.exe, 00000001.00000000.1684623334.0000000009660000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
                    Source: explorer.exe, 00000001.00000000.1681641684.0000000001248000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                    Source: explorer.exe, 00000001.00000000.1681641684.0000000001248000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exeAPI call chain: ExitProcess graph end nodegraph_7-3604
                    Source: C:\Users\user\AppData\Local\Temp\setup.exeAPI call chain: ExitProcess graph end nodegraph_11-3649
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exeSystem information queried: ModuleInformationJump to behavior
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | System information queried: CodeIntegrityInformation
                    Source: C:\Users\user\AppData\Roaming\etvjrtf | System information queried: CodeIntegrityInformation
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Process queried: DebugPort
                    Source: C:\Users\user\AppData\Roaming\etvjrtf | Process queried: DebugPort
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: 9_2_00A84383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00A84383
                    Source: C:\Users\user\AppData\Local\Temp\FD47.exe | Code function: 7_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,7_2_100010D0
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_64094DA1 mov esi, dword ptr fs:[00000030h] 12_2_64094DA1
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: 9_2_00A95891 GetProcessHeap,9_2_00A95891
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: 9_2_00A80495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00A80495
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: 9_2_00A806F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00A806F0
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: 9_2_00A80622 SetUnhandledExceptionFilter,9_2_00A80622
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\explorer.exeFile created: 1B6E.exe.1.drJump to dropped file
                    Source: C:\Windows\explorer.exeNetwork Connect: 181.52.122.51 80Jump to behavior
                    Source: C:\Windows\explorer.exeNetwork Connect: 141.8.192.126 80Jump to behavior
                    Source: C:\Windows\explorer.exeNetwork Connect: 185.68.16.7 443Jump to behavior
                    Source: C:\Windows\explorer.exeNetwork Connect: 127.0.0.127 80Jump to behavior
                    Source: C:\Windows\explorer.exeNetwork Connect: 188.114.96.3 80Jump to behavior
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exeThread created: C:\Windows\explorer.exe EIP: 31419D0Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\etvjrtfThread created: unknown EIP: 7DB19D0Jump to behavior
                    Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: pedestriankodwu.xyz
                    Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: towerxxuytwi.xyz
                    Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: ellaboratepwsz.xyz
                    Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: penetratedpoopp.xyz
                    Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: swellfrrgwwos.xyz
                    Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: contintnetksows.shop
                    Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: foodypannyjsud.shop
                    Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: potterryisiw.shop
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                    Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                    Source: C:\Users\user\AppData\Roaming\etvjrtf Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                    Source: C:\Users\user\AppData\Roaming\etvjrtf Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3300 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3972 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3996 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171165647 --mojo-platform-channel-handle=4028 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171215235 --mojo-platform-channel-handle=4164 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3300 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3972 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3996 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171165647 --mojo-platform-channel-handle=4028 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171215235 --mojo-platform-channel-handle=4164 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: explorer.exe, 00000001.00000000.1683124534.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1684623334.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1681865280.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1681865280.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1681641684.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1681865280.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1681865280.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: 9_2_00A8013C cpuid 9_2_00A8013C
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: GetLocaleInfoW,9_2_00A8E096
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,9_2_00A950DC
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: EnumSystemLocalesW,9_2_00A95051
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: GetLocaleInfoW,9_2_00A9532F
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,9_2_00A95458
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: GetLocaleInfoW,9_2_00A9555E
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,9_2_00A95634
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: EnumSystemLocalesW,9_2_00A8DBC7
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,9_2_00A94CBF
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: EnumSystemLocalesW,9_2_00A94FB6
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe | Code function: EnumSystemLocalesW,9_2_00A94F6B
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A8038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,9_2_00A8038F
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,7_2_004034CC
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: DBD3.exe, 00000006.00000003.2119386462.0000000001628000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2121863832.0000000001628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: DBD3.exe PID: 7704, type: MEMORYSTR
Source: Yara match File source: 9.2.1B6E.exe.165ea20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.165ea20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.3cd0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.3cd0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.1618320.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.1618320.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1B6E.exe PID: 7888, type: MEMORYSTR
Source: Yara match File source: 00000003.00000002.1924153562.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691624070.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691528939.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1923776407.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx LibertynDS
Source: DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
Source: DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\1B6E.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla\Notes9.dbJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\DBD3.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
                    Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeDirectory queried: number of queries: 1437
                    Source: Yara matchFile source: 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000003.2037792556.000000000169D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000003.2024545560.000000000169D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000003.2022920516.000000000169D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: DBD3.exe PID: 7704, type: MEMORYSTR
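Triage helper, added here as an example and not part of the Joe Sandbox report: it parses evidence lines of the form "Source: <process> File opened: <path>" like the ones above and buckets each opened path into a category of secret store (browser extension storage, browser credential databases, FTP client configuration, cryptocurrency wallets), then flags processes that read from several unrelated stores, which is the pattern DBD3.exe shows above. The path fragments in the category table are the locations this report lists; the grouping, the category names and the two-category threshold in stealer_like() are assumptions of the example, and the sample lines are constructed from a handful of the report's entries.

```python
"""Bucket "File opened" evidence from a sandbox report by the kind of secret
store touched, per process. Added example: the category table and the
threshold are assumptions, not part of the report."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One evidence line: "Source: <process path> File opened: <target path>".
# Some extractions fuse "...exeFile opened:" or leave a trailing
# "Jump to behavior" link text, so both are tolerated.
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*File opened:\s*(?P<path>.+?)\s*(?:Jump to behavior)?\s*$",
    re.IGNORECASE,
)

# Category -> regexes matched (case-insensitively) against the opened path.
# Path fragments are the ones the report lists; the grouping is an assumption.
CATEGORIES = {
    "browser_extension_storage": [r"\\Local Extension Settings\\[a-p]+$"],
    "browser_credentials": [r"\\cookies\.sqlite$", r"\\Web Data$",
                            r"\\Mozilla\\Firefox\\Profiles$"],
    "ftp_client_config": [r"\\FTPGetter$", r"\\FTPInfo$", r"\\SmartFTP\\",
                          r"\\FTPbox$", r"\\FTPRush$", r"\\3D-FTP$"],
    "crypto_wallet": [r"\\Exodus\\exodus\.wallet$", r"\\Ledger Live$",
                      r"\\atomic\\Local Storage\\leveldb$",
                      r"\\Coinomi\\Coinomi\\wallets$", r"\\Bitcoin\\wallets$",
                      r"\\Binance$", r"\\com\.liberty\.jaxx\\IndexedDB$",
                      r"\\Electrum(?:-LTC)?\\wallets$", r"\\Guarda\\IndexedDB$"],
}
_COMPILED = {c: [re.compile(p, re.IGNORECASE) for p in ps] for c, ps in CATEGORIES.items()}


def parse_line(line):
    """Return (process basename, opened path), or None if the line is not a file-open event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return PureWindowsPath(m.group("proc")).name, m.group("path")


def categorize(path):
    """Name the secret store a path belongs to, or 'uncategorized'."""
    for cat, pats in _COMPILED.items():
        if any(p.search(path) for p in pats):
            return cat
    return "uncategorized"


def summarize(report_lines):
    """process -> category -> number of distinct paths opened (repeat opens collapse)."""
    opened = defaultdict(set)
    for line in report_lines:
        parsed = parse_line(line)
        if parsed:
            proc, path = parsed
            opened[proc].add(path)
    summary = {}
    for proc, paths in opened.items():
        counts = defaultdict(int)
        for p in paths:
            counts[categorize(p)] += 1
        summary[proc] = dict(counts)
    return summary


def stealer_like(summary, min_categories=2):
    """Processes that read from at least min_categories different secret stores.
    One store alone can be legitimate (a backup tool reads wallet files); browser
    cookies plus wallets plus FTP credentials from a single process is not."""
    return sorted(proc for proc, counts in summary.items()
                  if sum(1 for c in counts if c != "uncategorized") >= min_categories)


# Constructed sample: a handful of the report's lines, one of them in the fused
# "exeFile opened" form with the trailing link text that extraction leaves behind.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\DBD3.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla\Notes9.db
""".strip().splitlines()

if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for proc in sorted(result):
        print(proc, result[proc])
    print("stealer-like:", stealer_like(result))
```

The same categorizer works on Sysmon Event ID 11 or EDR file-access telemetry once the process and target path are extracted; only LINE_RE is specific to the report's text form.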

                    Remote Access Functionality

Source: Yara match  File source: Process Memory Space: DBD3.exe PID: 7704, type: MEMORYSTR
Source: Yara match  File source: 9.2.1B6E.exe.165ea20.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 9.2.1B6E.exe.165ea20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 9.2.1B6E.exe.3cd0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 9.2.1B6E.exe.3cd0000.3.unpack, type: UNPACKEDPE
Source: Yara match  File source: 9.2.1B6E.exe.1618320.2.unpack, type: UNPACKEDPE
Source: Yara match  File source: 9.2.1B6E.exe.1618320.2.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: 1B6E.exe PID: 7888, type: MEMORYSTR
Source: Yara match  File source: 00000003.00000002.1924153562.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1691624070.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1691528939.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.1923776407.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques the report's signatures matched, grouped by tactic. The number in brackets is the badge value shown next to the technique in the report's matrix, reproduced as extracted. Cells of the standard ATT&CK grid that carried no match are omitted.

Execution: Windows Management Instrumentation [1]; Native API [11]; Exploitation for Client Execution [1]; Command and Scripting Interpreter [1]; PowerShell [1]
Persistence: DLL Side-Loading [1]; Windows Service [1]; Registry Run Keys / Startup Folder [1]
Privilege Escalation: DLL Side-Loading [1]; Access Token Manipulation [1]; Windows Service [1]; Process Injection [312]; Registry Run Keys / Startup Folder [1]
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [111]; Obfuscated Files or Information [31]; Software Packing [2]; Timestomp [1]; DLL Side-Loading [1]; File Deletion [1]; Masquerading [11]; Virtualization/Sandbox Evasion [241]; Access Token Manipulation [1]; Process Injection [312]; Hidden Files and Directories [1]
Credential Access: OS Credential Dumping [2]
Discovery: System Time Discovery [1]; File and Directory Discovery [23]; System Information Discovery [137]; Security Software Discovery [651]; Process Discovery [2]; Virtualization/Sandbox Evasion [241]; Application Window Discovery [1]; Remote System Discovery [1]
Collection: Archive Collected Data [11]; Data from Local System [41]; Clipboard Data [1]
Command and Control: Encrypted Channel [2]; Application Layer Protocol [1]
Impact: System Shutdown/Reboot [1]

No technique was matched under Reconnaissance, Resource Development, Initial Access, Lateral Movement or Exfiltration.
Behavior Graph ID: 1466523  Sample: 37e6e5d8b399fefb9ae774516ff...  Start date: 03/07/2024  Architecture: WINDOWS  Score: 100

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures

Process tree reconstructed from the behavior graph. Numbers in brackets are the graph's node ids; the two numbers after some process names are the graph's counters for created registry values and created files.

[12] 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe (started)
    Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
    -> [17] explorer.exe 56 10 (injected)
        Network: 185.68.16.7 UKRAINE-ASUA Ukraine; 181.52.122.51 TelmexColombiaSACO Colombia; 2 other IPs or domains
        Dropped: C:\Users\user\AppData\Roaming\etvjrtf (PE32); C:\Users\user\AppData\Local\Temp\FD47.exe (PE32); C:\Users\user\AppData\Local\Temp\DBD3.exe (PE32); 2 other malicious files
        Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
        -> [22] FD47.exe 3 35 (started)
            Dropped: C:\Users\user\AppData\Local\Temp\setup.exe (PE32); C:\Users\user\AppData\Local\...\blowfish.dll (PE32); C:\Users\user\AppData\Local\...\huge[1].dat (PE32); 2 other files (none is malicious)
            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
            -> [33] setup.exe 9 112 (started)
                Dropped: C:\Users\user\AppData\...\vulkan-1.dll (PE32); C:\Users\user\AppData\...\vk_swiftshader.dll (PE32); C:\Users\user\AppData\...\libGLESv2.dll (PE32); 16 other files (13 malicious)
                Signatures: Antivirus detection for dropped file
                -> [39] GamePall.exe (started)
                    Network: 172.67.221.174 CLOUDFLARENETUS United States
                    Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
                    -> [43] GamePall.exe; [45] GamePall.exe; [47] GamePall.exe; 6 other processes
                        [43] -> [51] GamePall.exe; [53] GamePall.exe; [55] GamePall.exe; 10 other processes
                            [51] -> [59] GamePall.exe; [61] GamePall.exe
                            [53] -> [63] GamePall.exe
        -> [26] DBD3.exe (started)
            Network: 188.114.96.3 CLOUDFLARENETUS European Union
            Signatures: Query firmware table information (likely to detect VMs); Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); 4 other signatures
        -> [29] 1B6E.exe 12 (started)
            Network: 146.70.169.164 TENET-1ZA United Kingdom; 185.166.143.48 AMAZON-02US Germany
            Signatures: Found evasive API chain (may stop execution after checking mutex); Tries to harvest and steal browser information (history, passwords, etc)
        -> [31] GamePall.exe (started)
            -> [37] GamePall.exe (started)
[15] etvjrtf (started)
    Signatures: Multi AV Scanner detection for dropped file; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)

Antivirus, Machine Learning and Genetic Malware Detection

Submitted sample
Source | Detection | Scanner | Label
37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | 61% | ReversingLabs | Win32.Trojan.SmokeLoader
37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | 100% | Avira | TR/Crypt.XPACK.Gen
37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\DBD3.exe | 100% | Avira | HEUR/AGEN.1313486
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 100% | Avira | HEUR/AGEN.1352426
C:\Users\user\AppData\Local\Temp\setup.exe | 100% | Avira | HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Temp\FD47.exe | 100% | Avira | HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat | 100% | Avira | HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Temp\DBD3.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\1B6E.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\GamePall\Del.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat | 3% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1B6E.exe | 16% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\DBD3.exe | 50% | ReversingLabs | Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\FD47.exe | 21% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsiA896.tmp\liteFirewall.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\INetC.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\blowfish.dll | 5% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\nsProcess.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\setup.exe | 3% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\GamePall\Del.exe | 7% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 3% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\libEGL.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\libcef.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\log4net.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\etvjrtf | 61% | ReversingLabs | Win32.Trojan.SmokeLoader
                    No Antivirus matches
                    No Antivirus matches
URLs
URL | Detection | Scanner | Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | Avira URL Cloud | safe
https://support.google.com/chrome/answer/6098869 | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/api6 | 100% | Avira URL Cloud | malware
https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing | 0% | Avira URL Cloud | safe
http://api.install-stat.debug.world/clients/activity.0 | 0% | Avira URL Cloud | safe
https://aka.ms/odirmr | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/api2 | 100% | Avira URL Cloud | malware
https://www.google.com/chrome/privacy/eula_text.html | 0% | Avira URL Cloud | safe
http://gebeus.ru/tmp/index.php | 100% | Avira URL Cloud | malware
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | 0% | Avira URL Cloud | safe
https://api.msn.com:443/v1/news/Feed/Windows? | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=urCtrl$2 | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/e | 100% | Avira URL Cloud | malware
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog | 0% | Avira URL Cloud | safe
https://excel.office.com | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/j | 100% | Avira URL Cloud | malware
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | 0% | Avira URL Cloud | safe
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | 0% | Avira URL Cloud | safe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | 0% | Avira URL Cloud | safe
http://unisolated.invalid/ | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | 0% | Avira URL Cloud | safe
https://photos.google.com/settings?referrer=CHROME_NTP | 0% | Avira URL Cloud | safe
http://cx5519.com/tmp/index.php | 100% | Avira URL Cloud | malware
https://passwords.google.com | 0% | Avira URL Cloud | safe
https://aui-cdn.atlassian.com/ | 0% | Avira URL Cloud | safe
contintnetksows.shop | 100% | Avira URL Cloud | malware
http://crbug.com/497301 | 0% | Avira URL Cloud | safe
http://groutchoay.com/ | 0% | Avira URL Cloud | safe
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22 | 0% | Avira URL Cloud | safe
http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd | 0% | Avira URL Cloud | safe
https://chromewebstore.google.com/declarativeNetRequestWithHostAccessapp.window.fullscreen.overrideE | 0% | Avira URL Cloud | safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | Avira URL Cloud | safe
http://bageyou.xyz | 0% | Avira URL Cloud | safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94 | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
http://evilos.cc/tmp/index.php | 100% | Avira URL Cloud | malware
https://bitbucket.org/ | 0% | Avira URL Cloud | safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | 0% | Avira URL Cloud | safe
https://wns.windows.com/L | 0% | Avira URL Cloud | safe
http://crbug.com/839189 | 0% | Avira URL Cloud | safe
https://word.office.com | 0% | Avira URL Cloud | safe
https://support.google.com/chromebook?p=app_intent | 0% | Avira URL Cloud | safe
http://crbug.com/717501 | 0% | Avira URL Cloud | safe
http://xiexie.wf/22_551/huge.datlb | 0% | Avira URL Cloud | safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta | 0% | Avira URL Cloud | safe
                    https://foodypannyjsud.shop/ob100%Avira URL Cloudmalware
                    http://ocsp.rootca1.amazontrust.com0:0%Avira URL Cloudsafe
                    https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew0%Avira URL Cloudsafe
                    https://www.google.com/chrome/privacy/eula_text.htmlT&r0%Avira URL Cloudsafe
                    ellaboratepwsz.xyz100%Avira URL Cloudmalware
                    https://www.google.com/chrome/privacy/eula_text.html&0%Avira URL Cloudsafe
                    http://groutchoay.com/?l=8pVpPBflecjcgHU&s=831805244739428353&z=6966849&tb=6424104&pz=64241050%Avira URL Cloudsafe
                    https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-0%Avira URL Cloudsafe
                    http://xiexie.wf/22_551/huge.dat0%Avira URL Cloudsafe
                    http://groutchoay.com/?l=8pVpPBflecjcgHU0%Avira URL Cloudsafe
                    https://foodypannyjsud.shop/apid100%Avira URL Cloudmalware
                    swellfrrgwwos.xyz100%Avira URL Cloudmalware
                    http://crbug.com/5146960%Avira URL Cloudsafe
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu0%Avira URL Cloudsafe
                    https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u0%Avira URL Cloudsafe
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark0%Avira URL Cloudsafe
                    https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee0%Avira URL Cloudsafe
                    https://foodypannyjsud.shop/re1100%Avira URL Cloudmalware
                    https://chrome.google.com/webstore?hl=ukCtrl$10%Avira URL Cloudsafe
                    https://crbug.com/14467310%Avira URL Cloudsafe
                    https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl0%Avira URL Cloudsafe
                    http://api.install-stat.debug.world/clients/installs0%Avira URL Cloudsafe
                    https://www.rd.com/list/polite-habits-campers-dislike/0%Avira URL Cloudsafe
                    https://support.microsof0%Avira URL Cloudsafe
                    foodypannyjsud.shop100%Avira URL Cloudmalware
                    https://www.newtonsoft.com/jsonschema0%Avira URL Cloudsafe
                    https://cdn.cookielaw.org/0%Avira URL Cloudsafe
                    https://foodypannyjsud.shop/apiW100%Avira URL Cloudmalware
                    pedestriankodwu.xyz100%Avira URL Cloudmalware
                    https://support.google.com/chrome/a/answer/91222840%Avira URL Cloudsafe
                    https://chromewebstore.google.com/0%Avira URL Cloudsafe
                    https://outlook.com_0%Avira URL Cloudsafe
                    https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img0%Avira URL Cloudsafe
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples0%Avira URL Cloudsafe
                    https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u0%Avira URL Cloudsafe
                    https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe0%Avira URL Cloudsafe
                    No contacted domains info
                    Name | Malicious | Antivirus Detection | Reputation
                    http://gebeus.ru/tmp/index.php | true | Avira URL Cloud: malware | unknown
                    http://cx5519.com/tmp/index.php | true | Avira URL Cloud: malware | unknown
                    contintnetksows.shop | true | Avira URL Cloud: malware | unknown
                    http://evilos.cc/tmp/index.php | true | Avira URL Cloud: malware | unknown
                    ellaboratepwsz.xyz | true | Avira URL Cloud: malware | unknown
                    swellfrrgwwos.xyz | true | Avira URL Cloud: malware | unknown
                    foodypannyjsud.shop | true | Avira URL Cloud: malware | unknown
                    pedestriankodwu.xyz | true | Avira URL Cloud: malware | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://aka.ms/odirmr | explorer.exe, 00000001.00000000.1683280405.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://duckduckgo.com/chrome_newtab | DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://duckduckgo.com/ac/?q= | DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://foodypannyjsud.shop/api2 | DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2022920516.000000000165B000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024545560.000000000165B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                    https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing | GamePall.exe, 0000000C.00000002.4776026493.0000000037ECC000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://foodypannyjsud.shop/api6 | DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                    http://api.install-stat.debug.world/clients/activity.0 | GamePall.exe, 00000018.00000002.3894887215.00000000023F8000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000019.00000002.3931428802.0000000002718000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001C.00000002.3768604841.0000000002541000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001D.00000002.3773257982.0000000002358000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000021.00000002.4013382785.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000022.00000002.4123152076.0000000003268000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://support.google.com/chrome/answer/6098869 | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | false | Avira URL Cloud: safe | unknown
                    https://www.google.com/chrome/privacy/eula_text.html | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000001.00000000.1684623334.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://logging.apache.org/log4net/release/faq.html#trouble-EventLog | GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp | false | Avira URL Cloud: safe | unknown
                    https://excel.office.com | explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://foodypannyjsud.shop/e | DBD3.exe, 00000006.00000003.2119386462.000000000163D000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2121863832.000000000163D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                    https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://chrome.google.com/webstore?hl=urCtrl$2 | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://foodypannyjsud.shop/j | DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076801213.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076955432.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076766706.00000000016AC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                    https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://photos.google.com/settings?referrer=CHROME_NTP | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | false | Avira URL Cloud: safe | unknown
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://unisolated.invalid/ | GamePall.exe, 0000000C.00000002.4776026493.0000000037ECC000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | false | Avira URL Cloud: safe | unknown
                    https://passwords.google.com | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://aui-cdn.atlassian.com/ | 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664327299.0000000001620000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://crbug.com/497301 | GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp | false | Avira URL Cloud: safe | unknown
                    http://groutchoay.com/ | GamePall.exe, 0000000C.00000002.4777657271.0000000037F04000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://chromewebstore.google.com/declarativeNetRequestWithHostAccessapp.window.fullscreen.overrideE | GamePall.exe, 0000000C.00000002.4788856489.0000000056670000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000001.00000000.1686438182.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd | FD47.exe, 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp | false | Avira URL Cloud: safe | unknown
                    https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22 | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | false | Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | GamePall.exe, 0000000C.00000002.3507088794.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://bageyou.xyz | GamePall.exe, 00000028.00000002.3663716705.0000000003017000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94 | DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://bitbucket.org/ | 1B6E.exe, 00000009.00000002.2833845596.00000000015ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://wns.windows.com/L | explorer.exe, 00000001.00000000.1686438182.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://word.office.com | explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://support.google.com/chromebook?p=app_intent | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | false | Avira URL Cloud: safe | unknown
                    http://crbug.com/717501 | GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp | false | Avira URL Cloud: safe | unknown
                    http://crbug.com/839189 | GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp | false | Avira URL Cloud: safe | unknown
                    http://xiexie.wf/22_551/huge.datlb | FD47.exe, 00000007.00000002.3536265180.00000000007A5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://chrome.google.com/webstore | GamePall.exe, 0000000C.00000002.4788856489.0000000056670000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u | GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | false | Avira URL Cloud: safe | unknown
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://crl.rootca1.amazontrust.com/rootca1.crl0 | DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta | DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://foodypannyjsud.shop/ob | DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                    http://ocsp.rootca1.amazontrust.com0: | DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | DBD3.exe, 00000006.00000003.2024184644.0000000003B85000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2023916098.0000000003B8C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://nsis.sf.net/NSIS_ErrorError | FD47.exe, 00000007.00000000.2074830237.000000000040A000.00000008.00000001.01000000.00000008.sdmp, FD47.exe, 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp, setup.exe, 0000000B.00000003.3173882874.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp, setup.exe, 0000000B.00000000.2873916150.000000000040A000.00000008.00000001.01000000.0000000E.sdmp | false | URL Reputation: safe | unknown
                    https://www.google.com/chrome/privacy/eula_text.html& | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://www.google.com/chrome/privacy/eula_text.htmlT&r | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://groutchoay.com/?l=8pVpPBflecjcgHU&s=831805244739428353&z=6966849&tb=6424104&pz=6424105 | GamePall.exe, 0000000C.00000002.4765285515.0000000037D68000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://www.ecosia.org/newtab/ | DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://xiexie.wf/22_551/huge.dat | FD47.exe, 00000007.00000003.2077335796.00000000030D0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://groutchoay.com/?l=8pVpPBflecjcgHU | GamePall.exe, 0000000C.00000002.3507088794.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://foodypannyjsud.shop/apid | DBD3.exe, 00000006.00000003.2037792556.000000000169D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://crbug.com/514696 | GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp | false | Avira URL Cloud: safe | unknown
                    https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee | 1B6E.exe, 00000009.00000002.2833845596.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2833845596.00000000015ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp | false | Avira URL Cloud: safe | unknown
                    http://nsis.sf.net/NSIS_Error | setup.exe, setup.exe, 0000000B.00000003.3173882874.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp, setup.exe, 0000000B.00000000.2873916150.000000000040A000.00000008.00000001.01000000.0000000E.sdmp | false | URL Reputation: safe | unknown
                    https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://crbug.com/1446731 | GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp | false | Avira URL Cloud: safe | unknown
                    https://foodypannyjsud.shop/re1 | DBD3.exe, 00000006.00000003.2119386462.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2122102908.00000000016B4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                    https://chrome.google.com/webstore?hl=ukCtrl$1 | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://www.rd.com/list/polite-habits-campers-dislike/ | explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://android.notify.windows.com/iOS | explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://api.install-stat.debug.world/clients/installs | GamePall.exe, 00000028.00000002.3663716705.0000000003017000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://support.microsof | DBD3.exe, 00000006.00000003.2023916098.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://cdn.cookielaw.org/ | 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664327299.0000000001620000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://www.newtonsoft.com/jsonschema | Newtonsoft.Json.dll.11.dr | false | Avira URL Cloud: safe | unknown
                    https://foodypannyjsud.shop/apiW | DBD3.exe, 00000006.00000003.2119940512.00000000016A7000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2122082002.00000000016A7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                    https://chromewebstore.google.com/ | GamePall.exe, 0000000C.00000002.4788856489.0000000056670000.00000004.00001000.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp | false | Avira URL Cloud: safe | unknown
                    https://support.google.com/chrome/a/answer/9122284 | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://outlook.com_ | explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | DBD3.exe, 00000006.00000003.2024184644.0000000003B60000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u | setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe | explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Geographic distribution chart of contacted IPs omitted (legend buckets: No. of IPs < 25%; 25% to 50%; 50% to 75%; > 75%)
IP | Domain | Country | ASN | ASN Name | Malicious
181.52.122.51 | unknown | Colombia | 10620 | TelmexColombiaSACO | true
185.166.143.48 | unknown | Germany | 16509 | AMAZON-02US | false
141.8.192.126 | unknown | Russian Federation | 35278 | SPRINTHOSTRU | true
188.114.96.3 | unknown | European Union | 13335 | CLOUDFLARENETUS | true
172.67.221.174 | unknown | United States | 13335 | CLOUDFLARENETUS | false
185.68.16.7 | unknown | Ukraine | 200000 | UKRAINE-ASUA | true
146.70.169.164 | unknown | United Kingdom | 2018 | TENET-1ZA | true
                    IP
                    127.0.0.127
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1466523
                    Start date and time:2024-07-03 01:31:04 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 20m 21s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:40
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:1
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@273/116@0/8
                    EGA Information:
                    • Successful, ratio: 83.3%
                    HCA Information:
                    • Successful, ratio: 74%
                    • Number of executed functions: 256
                    • Number of non-executed functions: 99
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Connection to analysis system has been lost, crash info: Normal
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Execution Graph export aborted for target DBD3.exe, PID 7704 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtEnumerateKey calls found.
                    • Report size getting too big, too many NtOpenFile calls found.
                    • Report size getting too big, too many NtOpenKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Skipping network analysis since amount of network traffic is too extensive
                    • VT rate limit hit for: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe
Time | Type | Description
00:32:15 | Task Scheduler | Run new task: Firefox Default Browser Agent D09C45E3FF9BCB4C path: C:\Users\user\AppData\Roaming\etvjrtf
00:34:25 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
00:34:35 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
19:32:01 | API Interceptor | 137558x Sleep call for process: explorer.exe modified
19:32:29 | API Interceptor | 9x Sleep call for process: DBD3.exe modified
19:34:29 | API Interceptor | 1x Sleep call for process: GamePall.exe modified
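The persistence rows in the timeline (a scheduled task named after Firefox's Default Browser Agent that launches an extension-less file under AppData\Roaming, and the GamePall Run value, listed once for HKCU and once for the HKCU64 registry view) are the entries a responder pulls first. The Python below is an added example, not part of the Joe Sandbox report: it parses those rows, either in the fused form the extraction produced or with "|" separators, and attaches triage reasons. The three heuristics (launch path inside the user profile, launch target without an executable extension, vendor-style name whose target is outside Program Files) and the VENDOR_WORDS list are this example's own assumptions, not Joe Sandbox logic.

```python
"""Triage the persistence entries from a Joe Sandbox timeline.

Added example (not Joe Sandbox code). The heuristics and VENDOR_WORDS are assumptions.
"""
import re
from dataclasses import dataclass, field

SEP = r"\s*\|?\s*"  # rows arrive fused ("00:32:15Task Scheduler...") or "|"-separated
TASK_RE = re.compile(r"^(\d\d:\d\d:\d\d)" + SEP + r"Task Scheduler" + SEP
                     + r"Run new task: (.+?) path: (.+)$")
RUN_RE = re.compile(r"^(\d\d:\d\d:\d\d)" + SEP + r"Autostart" + SEP
                    + r"Run: (\S+) (\S+) (.+)$")

# Product names a malicious task or Run value commonly borrows (assumption: illustrative list).
VENDOR_WORDS = ("firefox", "mozilla", "chrome", "google", "microsoft", "windows", "adobe")


@dataclass
class PersistenceEvent:
    time: str
    kind: str            # "task" (scheduled task) or "runkey" (HKCU ...\Run value)
    name: str            # task name or Run value name
    path: str            # what gets launched
    key: str = ""        # registry key, runkey entries only
    reasons: list = field(default_factory=list)


def parse_timeline(lines):
    """Return the persistence events from timeline rows; other row types are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        m = TASK_RE.match(line)
        if m:
            events.append(PersistenceEvent(m[1], "task", m[2].strip(), m[3].strip()))
            continue
        m = RUN_RE.match(line)
        if m:
            events.append(PersistenceEvent(m[1], "runkey", m[3], m[4].strip(), key=m[2]))
    return events


def in_user_profile(path):
    return re.search(r"\\Users\\[^\\]+\\AppData\\", path, re.I) is not None


def under_program_files(path):
    return re.search(r"^[A-Za-z]:\\Program Files( \(x86\))?\\", path, re.I) is not None


def triage(lines):
    """Attach human-readable reasons to each persistence event; no reasons means benign-looking."""
    events = parse_timeline(lines)
    for ev in events:
        if in_user_profile(ev.path):
            ev.reasons.append("launch path is in the user profile (AppData)")
        if not ev.path.lower().endswith((".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js")):
            ev.reasons.append("launch target has no executable extension")
        if any(w in ev.name.lower() for w in VENDOR_WORDS) and not under_program_files(ev.path):
            ev.reasons.append("vendor-style name but target is outside Program Files")
    return events


def flagged(lines):
    """Events with at least one reason, deduplicated on (name, path) so HKCU/HKCU64 collapse."""
    seen, out = set(), []
    for ev in triage(lines):
        k = (ev.name.lower(), ev.path.lower())
        if ev.reasons and k not in seen:
            seen.add(k)
            out.append(ev)
    return out


# Constructed copies of the timeline rows above; the third one is kept in the fused form
# the extraction produced, to show the parser tolerates it.
TIMELINE = [
    r"00:32:15 | Task Scheduler | Run new task: Firefox Default Browser Agent D09C45E3FF9BCB4C path: C:\Users\user\AppData\Roaming\etvjrtf",
    r"00:34:25 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe",
    r"00:34:35AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe",
    r"19:32:01 | API Interceptor | 137558x Sleep call for process: explorer.exe modified",
]

if __name__ == "__main__":
    for ev in flagged(TIMELINE):
        print(f"{ev.time} {ev.kind:<6} {ev.name!r} -> {ev.path}")
        for r in ev.reasons:
            print("    -", r)
```

The same rows are what to search for on a suspected host: the task name under the Task Scheduler library and the GamePall value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, then the two launch paths under the user's AppData\Roaming.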
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 181.52.122.51
• file.exe | malicious | Babuk, Djvu | context: cajgtus.com/lancer/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true
Match: 141.8.192.126
• http://a0748987.xsph.ru | malicious | Unknown | context: a0748987.xsph.ru/favicon.ico
Match: 188.114.96.3
• http://sp.26skins.com/steamstore/category/adventure_rpg/?snr=1_5_9__12 | malicious | Unknown | context: sp.26skins.com/favicon.ico
• 30Fqen2Bu3.exe | malicious | Unknown | context: filetransfer.io/data-package/TbaYPT0S/download
• 30Fqen2Bu3.exe | malicious | Unknown | context: filetransfer.io/data-package/TbaYPT0S/download
• Vg46FzGtNo.exe | malicious | DCRat, PureLog Stealer, zgRAT | context: 000366cm.nyashka.top/phpflowergenerator.php
• QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | context: filetransfer.io/data-package/mHgyHEv5/download
• file.exe | malicious | FormBook | context: www.cavetta.org.mt/yhnb/
• http://johnlewisfr.com | malicious | Unknown | context: johnlewisfr.com/
• cL7A9wGE3w.exe | malicious | DCRat, PureLog Stealer, zgRAT | context: 445798cm.nyashka.top/ProviderEternalLinephpRequestSecurePacketprocessauthwordpress.php
• http://www.youkonew.anakembok.de/ | malicious | HTMLPhisher | context: www.youkonew.anakembok.de/cdn-cgi/challenge-platform/h/g/jsd/r/89b98144d9c843b7
• hnCn8gE6NH.exe | malicious | DCRat, PureLog Stealer, zgRAT | context: yenot.top/providerlowAuthApibigloadprotectflower.php
                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: SPRINTHOSTRU
• OBbrO5rwew.exe | malicious | LummaC, Poverty Stealer, SmokeLoader | context: 141.8.192.126
• SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe | malicious | LummaC, Poverty Stealer, SmokeLoader | context: 141.8.192.126
• https://kawak.com.co | malicious | Unknown | context: 185.251.91.91
• S#U0435tup.exe | malicious | CopperShrimp | context: 185.185.70.98
• S#U0435tup.exe | malicious | CopperShrimp | context: 185.185.70.98
• file.exe | malicious | SmokeLoader | context: 141.8.192.6
• https://www.asarco.com/ | malicious | Unknown | context: 185.251.91.91
• email.eml | malicious | HTMLPhisher | context: 176.119.147.86
• 8TFewUGOYv.exe | malicious | DCRat | context: 141.8.192.26
• setup.exe | malicious | LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader, Stealc | context: 141.8.192.6
Match: CLOUDFLARENETUS
• https://rules-pear-kft5d2.mystrikingly.com/ | malicious | Unknown | context: 104.17.25.14
• http://sp.26skins.com/steamstore/category/adventure_rpg/?snr=1_5_9__12 | malicious | Unknown | context: 188.114.96.3
• https://steaemcoonmmunnltly.com/g-friend/golo/gifts-50 | malicious | Unknown | context: 104.17.25.14
• 0cjB1Kh8zU.msi | malicious | Unknown | context: 172.67.149.157
• http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/ | malicious | Unknown | context: 188.114.96.3
• http://services.business-manange.com/ | malicious | Unknown | context: 172.67.138.117
• http://pub-2e7429ed1f544f43a4684eeceb978dbb.r2.dev/home.html | malicious | Unknown | context: 188.114.96.3
• https://pub-1b634168cd404e2d8bece63d5ebb4798.r2.dev/uint.html?schweissdoors | malicious | HTMLPhisher | context: 104.26.10.155
• https://pub-9445ce0d74714d1c934c51ffcf83c3f2.r2.dev/slnt.html?nycsbs | malicious | HTMLPhisher | context: 104.26.10.155
• http://helpdesk-advertising-review-id-9865133.d3m7n55z273utf.amplifyapp.com/index.html | malicious | Unknown | context: 172.67.69.226
Match: TelmexColombiaSACO
• mirai.m68k.elf | malicious | Mirai | context: 181.55.9.109
• lQC7IiMNX1.elf | malicious | Mirai | context: 186.145.37.75
• 205.185.121.21-mips-2024-07-01T10_13_50.elf | malicious | Mirai, Moobot | context: 181.63.52.236
• GIW8jzBGQQ.elf | malicious | Mirai, Moobot | context: 181.56.164.145
• g75NqH852l.elf | malicious | Mirai, Moobot | context: 190.146.237.77
• V7UaNBrX72.elf | malicious | Mirai, Moobot | context: 190.159.39.101
• sIfZJVVv1H.elf | malicious | Mirai, Moobot | context: 190.85.145.143
• botx.x86.elf | malicious | Mirai | context: 190.146.4.233
• 35bf9dfd223e02da2ee3d57ec493156787a3c2cecb8b655a583985a2f14cc6e3_dump.exe | malicious | LummaC, SmokeLoader | context: 190.147.128.172
• gErAvW63Ax.elf | malicious | Mirai | context: 190.147.222.233
Match: AMAZON-02US
• https://rules-pear-kft5d2.mystrikingly.com/ | malicious | Unknown | context: 13.224.189.122
• https://metamesklogni.webflow.io/ | malicious | Unknown | context: 108.156.2.28
• http://pub-2e7429ed1f544f43a4684eeceb978dbb.r2.dev/home.html | malicious | Unknown | context: 18.239.94.85
• http://helpdesk-advertising-review-id-9865133.d3m7n55z273utf.amplifyapp.com/index.html | malicious | Unknown | context: 108.138.7.41
• https://delivery.attempt.failure.ebbs.co.za/public/MY096OineFzTCVJ56qDw3aMDByE0CDQ1 | malicious | Unknown | context: 13.227.219.28
• http://review-page-violation-issue-meta-center.vercel.app/ | malicious | Unknown | context: 76.76.21.93
• https://supp-review9482.eu/ | malicious | Unknown | context: 18.245.31.129
• http://cacahs.fdavm.com/ | malicious | Unknown | context: 108.156.60.57
• SecuriteInfo.com.Adware.DownwareNET.4.16171.10714.exe | malicious | Unknown | context: 18.239.69.105
• http://mysterymint-s10.vercel.app/ | malicious | Unknown | context: 76.76.21.98
                    No context
                    No context
                    Process:C:\Windows\explorer.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):1019
                    Entropy (8bit):5.236946495216897
                    Encrypted:false
                    SSDEEP:24:YqHZ6T06Mhm4ymNib0O0bihmCetmKg6CUXyhmimKgbxdB6hmjmKgz0JahmcmKgbR:YqHZ6T06McoEb0O0bicCewHDUXycLHbR
                    MD5:5D20D9B3F928AC964E07C561FD8A3F42
                    SHA1:B702BE149FCF94831A975F2CD06B2DFE020D9632
                    SHA-256:59A4F22870D7A7DC3339917C89FF6AF09FA762AF39F0624338FDDFF631730492
                    SHA-512:30E5F275FFB475A403439C3A4DCC05F3E12A6914D93F20EB38AF3240A7F693A455C25C005A3681AB39C89BFAD9AE66FAAE3874B987FAC48BB6A5439194FDCEDC
                    Malicious:false
                    Preview:{"RecentItems":[{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":7763552,"LastSwitchedHighPart":31061488,"PrePopulated":true},{"AppID":"Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail","PenUsageSec":15,"LastSwitchedLowPart":4292730848,"LastSwitchedHighPart":31061487,"PrePopulated":true},{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":4282730848,"LastSwitchedHighPart":31061487,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4272730848,"LastSwitchedHighPart":31061487,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":4262730848,"LastSwitchedHighPart":31061487,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4252730848,"LastSwitchedHighPart":31061487,"Pr
                    Process:C:\Users\user\AppData\Local\Temp\FD47.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                    Category:dropped
                    Size (bytes):107232830
                    Entropy (8bit):7.999946456161068
                    Encrypted:true
                    SSDEEP:1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
                    MD5:FF2293FBFF53F4BD2BFF91780FABFD60
                    SHA1:61A9EDCF46228DC907AD523AA6FD035CC26C9209
                    SHA-256:B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
                    SHA-512:C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 3%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\explorer.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:modified
                    Size (bytes):578048
                    Entropy (8bit):6.297510031778876
                    Encrypted:false
                    SSDEEP:12288:No4ykJuqlLJop9G3/AmAGWn7sfPJYQIMt8KHsTH:NoBsLaDKAmAbUJ+M2K2
                    MD5:DA4B6F39FC024D2383D4BFE7F67F1EE1
                    SHA1:7CC975D9FF785E269163897907D0B9B3CEE29956
                    SHA-256:544697A024ABAEA1B24EAA3D89869B2C8A4C1ACF96D4E152F5632D338D054C9E
                    SHA-512:D73CC4D911D9E61711B97CB9212D5BC93CB1B1314A39945934EB92239A31728FCCA7FEFBEC0143BAD915B0A7A6B93DF11D0AB7F559737AA7EC920BD24243FFFE
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 16%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...I..I..I...1..I...1...I...1..I..l...I..l...I..l....I...1..I..I...I..]...I..]...I..Rich.I..................PE..L...w;.f...............'.....\....................@.......................................@.....................................(................................2..Xh..p....................i.......g..@...............@............................text....~.......................... ..`.rdata..4...........................@..@.data...............................@....reloc...2.......4..................@..B........................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\explorer.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):6642176
                    Entropy (8bit):7.866419732571782
                    Encrypted:false
                    SSDEEP:98304:LqhZ67opwYckx35SF2XKgxVvHuCPU8GSbO3JAXV1LrA+ZlL9CxpzTp2:LgErupSgKORuCT43JeV1LE+/s3p
                    MD5:BD2EAC64CBDED877608468D86786594A
                    SHA1:778AD44AFD5629F0A5B3B7DF9D6F02522AE94D91
                    SHA-256:CAE992788853230AF91501546F6EAD07CFD767CB8429C98A273093A90BBCB5AD
                    SHA-512:3C8F43045F27ADDCB5FB23807C2CE1D3F247CC30DD1596134A141B0BBC7FA4D30D138791214D939DC4F34FD925B9EC450EA340E5871E2F4F64844226ED394312
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 50%
                    Reputation:unknown
                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....U~f..............................M...........@...................................e...@..................................O......P......................@.......................................................@3..............................text...+........................... ..`.rdata...*..........................@..@.data.... ..........................@....vmpL.p.....0...................... ..`.vmpL.p@....@3.....................@....vmpL.p..]..P3...]................. ..`.reloc.......@........].............@..@.rsrc.......P...f....].............@..@........................................................................................................................................................................................................................................................................................................................
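The dropped-file entries carry an "Entropy (8bit)" value and an "Encrypted" flag that tracks it: the 107232830-byte Nullsoft archive at 7.999946 is flagged Encrypted:true, while the 6642176-byte binary with .vmpL sections at 7.866 is not. The Python below is an added example, not Joe Sandbox code: it computes the same 8-bit Shannon entropy for a whole file and per PE section, and reports the section flags (writable, executable) that together with near-8.0 entropy point at a packer or protector unpacking code at runtime. The 7.95 cut-off, the minimal section-table reader and the build_fake_pe helper are this example's own assumptions; the fake PE exists only so the code runs offline on constructed input.

```python
"""Byte entropy and per-section triage for a dropped PE file.

Added example, not Joe Sandbox code. ENCRYPTED_THRESHOLD and build_fake_pe are assumptions.
"""
import math
import struct
from collections import Counter

ENCRYPTED_THRESHOLD = 7.95  # assumption: sits between the 7.866 and 7.99994 entries above

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """Whole-file verdict in the spirit of the report's Encrypted flag (threshold is an assumption)."""
    return shannon_entropy(data) >= threshold


def pe_sections(pe: bytes):
    """Yield (name, raw_offset, raw_size, characteristics) from the PE section table.

    Minimal reader for triage: it trusts the headers and skips over the optional header.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                           # section table follows it
    for i in range(nsec):
        off = table + 40 * i
        name, _vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        yield name.rstrip(b"\0").decode("latin-1"), rptr, rsize, chars


def section_report(pe: bytes):
    """One row per section: entropy plus the flags a triager looks at first.

    A section that is both writable and executable, or that carries near-8.0 entropy,
    is typical of packers/protectors that unpack code at runtime.
    """
    rows = []
    for name, rptr, rsize, chars in pe_sections(pe):
        ent = shannon_entropy(pe[rptr:rptr + rsize])
        rows.append({
            "name": name,
            "entropy": round(ent, 3),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "packed": ent >= ENCRYPTED_THRESHOLD,
        })
    return rows


def build_fake_pe(sections):
    """Constructed test input: a minimal PE (no optional header) that pe_sections can read.
    Not loadable by Windows; it exists only so the example runs offline."""
    e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table_off = e_lfanew + 4 + 20
    raw_off = table_off + 40 * len(sections)
    table, blobs = b"", b""
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_off + len(blobs), 0, 0, 0, 0, chars)
        blobs += data
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return dos + b"PE\0\0" + coff + table + blobs


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        pe = open(sys.argv[1], "rb").read()
    else:  # constructed sample: a plain code section next to a packed, writable+executable one
        pe = build_fake_pe([(".text", b"\x55\x8b\xec\x90" * 256, 0x60000020),
                            (".vmpL", bytes(range(256)) * 16, 0xE0000040)])
    print(f"file entropy {shannon_entropy(pe):.6f}  encrypted={looks_encrypted(pe)}")
    for row in section_report(pe):
        print(row)
```

Run it with a path argument to get the same two numbers the report shows for a dropped file plus a per-section breakdown; a code section with the write bit set, or a data-named section marked executable, is worth a look even when the whole-file entropy stays under the cut-off, because the whole-file figure averages a small packed stub against a large plain resource or overlay.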
                    Process:C:\Windows\explorer.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                    Category:dropped
                    Size (bytes):293869
                    Entropy (8bit):5.61569579822855
                    Encrypted:false
                    SSDEEP:3072:lFi6z/VXzAf3ocMNqB3r1Josf+OMhERMlm+twHBumSYyDgIoIPM7l0UGHM7:lxFSIjs+OM2eLFmSFgIZk7+HM7
                    MD5:60172CA946DE57C3529E9F05CC502870
                    SHA1:DE8F59D6973A5811BB10A9A4410801FA63BC8B56
                    SHA-256:42CEB2252FEC41FD0ACC6874B41C91E0BA07C367045D6A9A7850D59781C2584C
                    SHA-512:15D37AF3CAB96FC9026A1898E09C775FE0D277098A3FE20C2E591272DE996A243850D43F3B48B4C037C5FED359E57795A7CF1652547D7AD8B16B186AB9508792
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 21%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........`..X............................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...X....`......................@..@................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):82944
                    Entropy (8bit):6.389604568119155
                    Encrypted:false
                    SSDEEP:1536:Dli3i1jKfTV0LzYpAzMk2nACScLw5jPAT:j9KLQ+ScLw5jPAT
                    MD5:165E1EF5C79475E8C33D19A870E672D4
                    SHA1:965F02BFD103F094AC6B3EEF3ABE7FDCB8D9E2A5
                    SHA-256:9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD
                    SHA-512:CD10EAF0928E5DF048BF0488D9DBFE9442E2E106396A0967462BEF440BF0B528CDF3AB06024FB6FDAF9F247E2B7F3CA0CEA78AFC0CE6943650EF9D6C91FEE52A
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W=.e9n.e9n.e9n...n.e9n...n.e9n..Bn.e9n.e8n.e9n.7.n.e9n...n.e9n...n.e9n...n.e9nRich.e9n........PE..L...,.N...........!.........^.......%...............................................3..................................`...$'..d....`.......................p...................................... ...@...............h............................text...1........................... ..`.rdata..P/.......0..................@..@.data........0......................@....rsrc........`.......*..............@..@.reloc.......p.......,..............@..B........................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\FD47.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):60466
                    Entropy (8bit):5.603640719549413
                    Encrypted:false
                    SSDEEP:1536:akqg31kqY3Q4Oc//////Q0LatojW/lX1Xb41:3qg323Sc//////Q3tojW/XXy
                    MD5:DE806154A80E3916669C466B6D001BD6
                    SHA1:B85BD0EC436125772A9C5403162628B7AAB35F49
                    SHA-256:10D9B7F2238EFFEB71990F979B9DFE4F3BE3D212B05232EF34C39F9578CC11E3
                    SHA-512:63CC5D6865C89AE2C41EEE3C76FD865D9461E96DBC570270982EB6DB5A15FB234098286CEE3FF9DB2255FEDA5207A222AB67743475AD60CCFD89A86B881BCB94
                    Malicious:false
                    Reputation:unknown
                    Preview:",......,..................."...|%......H+......",..............................................................................................................................................................................................................................................................j.......,.../...5.......3.......................................................................................................................N.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\FD47.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):22016
                    Entropy (8bit):5.668346578219837
                    Encrypted:false
                    SSDEEP:384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
                    MD5:92EC4DD8C0DDD8C4305AE1684AB65FB0
                    SHA1:D850013D582A62E502942F0DD282CC0C29C4310E
                    SHA-256:5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
                    SHA-512:581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9<.EXR.EXR.EXR.b.).LXR.EXS..XR.b. .FXR.b.(.DXR.b...DXR.b.*.DXR.RichEXR.................PE..L....I6V...........!.....8...P......Q?.......P...................................................................... G..l....?..d.......(...............................................................................P............................text....7.......8.................. ..`.data...<<...P.......<..............@....rsrc...(............D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\FD47.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):22528
                    Entropy (8bit):6.674611218414922
                    Encrypted:false
                    SSDEEP:384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
                    MD5:5AFD4A9B7E69E7C6E312B2CE4040394A
                    SHA1:FBD07ADB3F02F866DC3A327A86B0F319D4A94502
                    SHA-256:053B4487D22AACF8274BAB448AE1D665FE7926102197B47BFBA6C7ED5493B3AE
                    SHA-512:F78EFE9D1FA7D2FFC731D5F878F81E4DCBFAF0C561FDFBF4C133BA2CE1366C95C4672D67CAE6A8BD8FCC7D04861A9DA389D98361055AC46FC9793828D9776511
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 5%
                    Reputation:unknown
                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................6..........dD.......P....@.....................................................................Y.......................................p...................................................................................CODE....|4.......6.................. ..`DATA....8....P.......:..............@...BSS..........p.......L...................idata...............L..............@....edata..Y............P..............@..P.reloc..p............R..............@..P.rsrc................V..............@..P.....................X..............@..P................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\FD47.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):4.666004851298707
                    Encrypted:false
                    SSDEEP:48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
                    MD5:FAA7F034B38E729A983965C04CC70FC1
                    SHA1:DF8BDA55B498976EA47D25D8A77539B049DAB55E
                    SHA-256:579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
                    SHA-512:7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.I...I...I...n|f.L...I...Q...@..K...@..H...@..H...RichI...........PE..L...`..N...........!......................... ...............................`.......................................#....... ..<....@.......................P..|.................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):358363995
                    Entropy (8bit):6.972150585647623
                    Encrypted:false
                    SSDEEP:3145728:KTzytRGD/CYRNIPKYTFBhfmOS9KBaVzTx9OSsKV97nM:KnUs4tvaVzTD99M
                    MD5:5F9D89B40243E83C0B48206CE4EB77D1
                    SHA1:477A019AB11E5793168B3E41D83B80A8AC8F1D43
                    SHA-256:2BF31800E731EF63E7E5BDEECD87B50B349EC8F5C9D752AACB807AC0E82E95B9
                    SHA-512:5B812C2D341FE8A9296EF68E416E0EFA8185FB3ECCEC0917AB206CD7639E1810E6444538B61583E2260F1A46D4209E1995CFBF940A1D9836C4155ADF0504940B
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\FD47.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                    Category:dropped
                    Size (bytes):107232830
                    Entropy (8bit):7.999946456161068
                    Encrypted:true
                    SSDEEP:1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
                    MD5:FF2293FBFF53F4BD2BFF91780FABFD60
                    SHA1:61A9EDCF46228DC907AD523AA6FD035CC26C9209
                    SHA-256:B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
                    SHA-512:C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 3%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                    Category:dropped
                    Size (bytes):8192
                    Entropy (8bit):0.01057775872642915
                    Encrypted:false
                    SSDEEP:3:MsFl:/F
                    MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                    SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                    SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                    SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8192
                    Entropy (8bit):0.012096502606932763
                    Encrypted:false
                    SSDEEP:3:MsEllllkXl:/M/6
                    MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
                    SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
                    SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
                    SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8192
                    Entropy (8bit):0.011852361981932763
                    Encrypted:false
                    SSDEEP:3:MsHlDll:/H
                    MD5:0962291D6D367570BEE5454721C17E11
                    SHA1:59D10A893EF321A706A9255176761366115BEDCB
                    SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                    SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    File Type:data
                    Category:modified
                    Size (bytes):8192
                    Entropy (8bit):0.012340643231932763
                    Encrypted:false
                    SSDEEP:3:MsGl3ll:/y
                    MD5:41876349CB12D6DB992F1309F22DF3F0
                    SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                    SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                    SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                    Category:dropped
                    Size (bytes):262512
                    Entropy (8bit):9.553120663130604E-4
                    Encrypted:false
                    SSDEEP:3:LsNlQGt:Ls3
                    MD5:2CB33C36023AE8970F1A8FECC4D15840
                    SHA1:22763BCBDF379493B386FA113D00494A6651511B
                    SHA-256:B0D5B6F3459A06524561B89016AA57921ED4FE6C2E72A156E52EAE374D128250
                    SHA-512:54F3035DD23CA7E7F7EE93F30F53C642252D612BF6D711FFE0705B796F8C6089C04FB558561527181AA7EEFF37EDC466E10D1D35DF04A76FE9626AAF0DFA3DC2
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):8192
                    Entropy (8bit):4.622398838808078
                    Encrypted:false
                    SSDEEP:96:QPjzIyfbInD3W0IwrBmEH7UewW4ORIhmY5XO40uK8DDzNt:pQIS0IwrJbU7W4kIX5e4kgF
                    MD5:97D4D47D539CB8171BE2AEFD64C6EBB1
                    SHA1:44ABF82DD553CCE0C1F41B9B78D853075DDD1F16
                    SHA-256:8D996D5F68BF2248F223C4F3549303BC6A8EC58CC97FCB63B7BB7D8068850273
                    SHA-512:7D402847B093E208410C695095DE815A3F5D5DA81630FD51C88C009C48C269D0EA5016D626351BB9D38862163FAD930645072C50ACCCD743DC0E19531A592FDE
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 7%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.].........."...0.............64... ...@....@.. ....................................@..................................3..O....@.......................`.......2............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H........#...............1...............................................0..-.......(....r...p(.....(.......(....,...(....*(....*....0..T........~....(.....~....(.....(....s....%.o....%.o....%.o....%.o....%~....o....(....&..&..*........PP.......0..6.......(....(......( ...r...p~....r...p(!.....("...,...(#...*...0..........r...p.~$.....o%.....,..~....o&......,..o'....ra..p.~$.....o%.....,..~....o(......,..o'....r...p.~$.....o%.....,..~....o(......,..o'......&..*....4.......#..
                    Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                    Category:dropped
                    Size (bytes):8192
                    Entropy (8bit):0.01057775872642915
                    Encrypted:false
                    SSDEEP:3:MsFl:/F
                    MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                    SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                    SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                    SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8192
                    Entropy (8bit):0.012096502606932763
                    Encrypted:false
                    SSDEEP:3:MsEllllkXl:/M/6
                    MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
                    SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
                    SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
                    SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8192
                    Entropy (8bit):0.011852361981932763
                    Encrypted:false
                    SSDEEP:3:MsHlDll:/H
                    MD5:0962291D6D367570BEE5454721C17E11
                    SHA1:59D10A893EF321A706A9255176761366115BEDCB
                    SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                    SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8192
                    Entropy (8bit):0.012340643231932763
                    Encrypted:false
                    SSDEEP:3:MsGl3ll:/y
                    MD5:41876349CB12D6DB992F1309F22DF3F0
                    SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                    SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                    SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                    Category:dropped
                    Size (bytes):262512
                    Entropy (8bit):9.553120663130604E-4
                    Encrypted:false
                    SSDEEP:3:LsNlopa/:Ls3op
                    MD5:3FEC6BEC64ED7962401AADCBD0CEB2DC
                    SHA1:DD9F30C733CDBDB816D9FB5C1DAA750E56ECBF3A
                    SHA-256:9399F6ED1663E0D4C5B1EE6A4675DFB98647830722E95A74133E2C2A89CE4F60
                    SHA-512:5500BAFD4EAA6350A44AF1FE8DA52847127071117FD498D657265006DB4651C64AD3C5365FF5951ACB6A38D20E6170D2CAA30EEA4FD574AF55C126E4A4B66835
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):296448
                    Entropy (8bit):5.660420770467009
                    Encrypted:false
                    SSDEEP:3072:xTpjI4TptgvmHMaellnhblkK0m2QEk0xjo4OVzdvayfvYn6A:ppbVtsg1e5b2Px2zdyyq
                    MD5:7A3502C1119795D35569535DE243B6FE
                    SHA1:DA0D16BC66614C7D273C47F321C5EE0652FB5575
                    SHA-256:B18FEFB56ED7B89E45CEC8A5494FBEC81E36A5CB5538CCBB8DE41CCE960FAA30
                    SHA-512:258B111AC256CD8145CBE212D59DFF5840D67E70EFFD7CDDC157B2A3461B398BBC3446004980131FAA6A8762C19305F56E7B793F045331B56B8BD17D85B884C4
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 3%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rf..............0.............>.... ........@.. ....................................@....................................O.......t............................................................................ ............... ..H............text...d.... ...................... ..`.rsrc...t...........................@..@.reloc..............................@..B................ .......H....... ...$...........D...p............................................(....s....*Z..(....,...(....(....*.(....*..(....*..(....*.......*.~....*....0..W.......(....".....(......,..o....-..*.o.....+...( .....o....&..(!...-...........o"....."...BZ*.......%..A.......0..Q.......(....(........,..o....-..*.o.....+...( .....o....&.._...(!...-...........o".....*.........!. A.......0..V.......(....(......,..o....-.*~#.....o.....+...( ...."...B[..o....&..(!...-...........o"....*......
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):462336
                    Entropy (8bit):6.803831500359682
                    Encrypted:false
                    SSDEEP:6144:leSYvQAd10GtSV41OJDsTDDVUMle6ZjxLV/rHo0Oaaz2R9IY:oJBdBS4msNUCe65frHMnz2R9
                    MD5:6DED8FCBF5F1D9E422B327CA51625E24
                    SHA1:8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
                    SHA-256:3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
                    SHA-512:BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=N...........!................N#... ...@....@.. ..............................T.....@.................................."..O....@..P....................`......."............................................... ............... ..H............text...T.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................0#......H.......0U..l...........P%.../..P ......................................6..`N.?O...%.C.k_..d...I......5a.......9x......R...gg8...JM...`.[. .o..eE1$_.M.h.q.oz..1..........@....s.c/J..wk.D.....t..&...(....*...0..2........r...p(....}.......}"....(........(.........(....*..r...p(....}.......}"....(........(....*..0..j.........o....-..s#...+..}......(......(......}.....(....s....}......}......}......(......%-.&r...p}......j(#...*rr!..p.{.....{.....B...(....*..0..A........{..
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):574376
                    Entropy (8bit):5.8881470355864725
                    Encrypted:false
                    SSDEEP:12288:ZzfhypmNGgHA37YyUD1AboTf3xnpJbC8VGSBJjRuz7:ZoI1AbQf3xnpJbC8VLBJjRuz7
                    MD5:8F81C9520104B730C25D90A9DD511148
                    SHA1:7CF46CB81C3B51965C1F78762840EB5797594778
                    SHA-256:F1F01B3474B92D6E1C3D6ADFAE74EE0EA0EBA6E9935565FE2317686D80A2E886
                    SHA-512:B4A66389BF06A6611DF47E81B818CC2FCD0A854324A2564A4438866953F148950F59CD4C07C9D40CC3A9043B5CE12B150C8A56CCCDF98D5E3F0225EDF8C516F3
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ot............" ..0.............6.... ........... ....................................@....................................O.......................................T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...P............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{E....3...{D......(....,...{D...*..{F.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):561424
                    Entropy (8bit):4.606896607960262
                    Encrypted:false
                    SSDEEP:6144:XqqUmk/Rik2rH6dl0/IaHNpOVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QyMYFLse:DUK
                    MD5:928ED37DB61C1E98A2831C8C01F6157C
                    SHA1:98103C2133EBDA28BE78BFE3E2D81D41924A23EE
                    SHA-256:39F6A4DB1BE658D6BAFF643FA05AAE7809139D9665475BFCA10D37DCA3384F21
                    SHA-512:F59387BFA914C7DB234161E31AD6075031ACA17AAEF4B8D4F4B95C78C7A6A8D0E64211566CA2FD4549B9DA45231F57A4191FBCD3809404653F86EE2ABD4937A4
                    Malicious:false
                    Reputation:unknown
                    Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                    Category:dropped
                    Size (bytes):215862
                    Entropy (8bit):5.849338245796311
                    Encrypted:false
                    SSDEEP:3072:rFi6z/VXzAf3oc8+vat7fvYnDAdOVz5kNx:rxFSI+y1qk6zuNx
                    MD5:9D21A25AA1B5985A2C8CBCE7F7007295
                    SHA1:86EBF56352B4DBB831FAE0CCA180B4ADD951240D
                    SHA-256:E41F984C39183BA4FD1578134D71E203F4A7A8C23F278924562876326FC40EE2
                    SHA-512:EE4A1AC97968F2DDA3C54A49AC33D3FCE28C4DAE72032D9FDD1F8D8BA41B07A1D78D15E11586DA54AD5E0F2BD4A48C79A0CBAC84DE3D957B2AC6C1B5F41A33BB
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):875520
                    Entropy (8bit):5.621956468920589
                    Encrypted:false
                    SSDEEP:12288:jsRfnBqqvFXWesd2HiZ9fyn+5FHrvUR1Qnzx7LuQ:jsRITeWAQ5vtu
                    MD5:B03C7F6072A0CB1A1D6A92EE7B82705A
                    SHA1:6675839C5E266075E7E1812AD8E856A2468274DD
                    SHA-256:F561713347544E9D06D30F02A3DFCEC5FE593B38894593AEEDF5700666B35027
                    SHA-512:19D6792EB9BA8584B94D0D59E07CE9D1C9C4DA5516490F4ABCE5AE0D7D55B357BDA45B2093B3E9EB9D6858061E9D3F530A6655C4779A50C911501AE23925C566
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..R...........p... ........... ....................................@..................................p..O.......x............................o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...x............T..............@..@.reloc...............Z..............@..B.................p......H....... .................................................................(....*..(....*..(....*^.(.......=...%...}....*:.(......}....*:.(......}....*^.(.......>...%...}....*:.(......}....*.(.........*....0..,.......(....o.......3..*....... ....3.(....-..*.*.*.0..L.......~..... . ..(......(....-..(....r...p( ...,.......&...~....(!...,..(".....*.*........+1...........4.......~....*.~....*..(....*.~....,.*.(#...-.(....-..(....+.r...ps$...z(..........*b.r...p(%...~.....(....&*.r
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1946739
                    Entropy (8bit):7.989700491058983
                    Encrypted:false
                    SSDEEP:49152:fpXzD2VLpS71ycdao6LreGCL/0jJZWOiBiXkbEia9T:xjyFgZ0Lr2/0jJU5BiIEN
                    MD5:96AD47D78A70B33158961585D9154ECC
                    SHA1:149BF6F6905A76B0CC9E9ACA580357BD6C3497A2
                    SHA-256:C861117D1F1DBF02867B46FA87CB8C65C3213D196029EE81A02B617D131236E2
                    SHA-512:6A971F742B5754EEF39C6C2C64DB13DFDCB74D8CB23833404E9EF5AD89E142278E5DF789F508DB561C5E957013AE0C60D002CDFA93BCD87CA4967D610DF1579B
                    Malicious:false
                    Reputation:unknown
                    Preview:........V...f.....g.7........................!.....%....o8...).>...).F...).H...).X...).a...)*i...).k...).q...)Lt...).v...)Tw...).x...).}...).....)I....)i....)....).....).....)L....)....)....)t....).....).....).....)s....).... )....!)....")....#)....$)}...%)+...&)h#..').'..().-..)).>..*).A..+).C..,).Q..-)CU...).]..<).d..=).l..>)i...?)G...@)H...A)r...B)....C)z...T)....U)....V)+...W)....X)....Y)....Z)....[)#...\)}...]).!..^)R1.._).2..`).;..a).=..b)mE..c)QG..d).H..e)qL..f).U..g).]..h).b..i))d..j).e..k).g..l)Pi..m).p..n).z..s).z...).....)b....).....)'....).....)....)....).....).....)....).....)s....)F....)j....)....).....)....)....)....)h....)H....)....).....).....)k....).....)L....)q....)2....).....).....).....).....).....)N....)|....).....).....).....).!...).)...).6...).C...)RE...).L...).N...).O...).U...)bV...).W...).^...)o_...)(g...)Si...).v...).....)0....)/....).....),....).....*.....*F....*]....*3....*v....*....*v....*.....*.....*.....*$... *....!*8..."*....#*....$*....%*..
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):214119
                    Entropy (8bit):7.955451054538398
                    Encrypted:false
                    SSDEEP:6144:m5S+8U5mtp0ra7rFrJzw95T9OHCZg0Gb0OveGe04mExhLY:mWU5OGUFoqoORehrQ
                    MD5:391F512173ECEC14EB5CE31299858DE1
                    SHA1:3A5A41A190C1FB682F9D9C84F500FF50308617FC
                    SHA-256:E0F5C754C969CCA0AC4594A6F3F2C23D080A09EEA992AF29E19F4291FD1E0B06
                    SHA-512:44D7B9BCB3544C3F5550150EF3522BF6A0B36900695E6A13E44F5616E16A058548189D4FEA4A22248B1CB2B273B0EAA7D559EB2D8F013BED520E4097BD45D800
                    Malicious:false
                    Reputation:unknown
                    Preview:........................#.b...&.....:.g....7.....7.....7.....7|(...7.-...7t5...7.6...7.9...7s:...7hB...7.E...7.G...7.K...7qN...7.Q...7yR...7.S...7.W...7.\...7.b...7.i...7.k...76m...7Vq...7.r...7.v...7.y...7.{...7.~...7Z....75....7;....7W....7.....7c....7u....7b....7.....7.....7.....7Q....7*....7\....8."...8,)..<FqG..=F7I..>F.L..?F$O..@F.P..AFaQ..BFnT..CF.W..DF.Y..EFJ\..FF.^..MF(b..NF.c..QF.e..RF.f..YFZg..ZF.p..[F.x..\F.{..]F.{...L.|...L.....L....Ni....N.....NJ....N2....N+....N^....No....N9....NK....N....N1....N$....N....Nh....N.....N.....U.....U.....U.....U.....U.....U[....U.&...Uh(...U?/...U.4...U.:...U.@...U.B...U,G...U.K...U)N...U.R...UF\...U.`...U.b...U.j...U]s...UEt...U.u...U.w...U.z...Uh{...U.}...U#....U.....U^....U.....U|....U.....U.....U.....U.....U.....U.....U.....U.....U.....U]....U?....U.....U9....U....U.....Um....U<....U!....U.....U.....U....Uq....U3....U!....U.....U....U.....Uu....UJ....U.....U.....U.....U.....U`....U'....U.....U.....Ul....U%....U7....U.....U.....UW.
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):290001
                    Entropy (8bit):7.9670215100557735
                    Encrypted:false
                    SSDEEP:6144:tS+8U5mtp0ra7rFriDQYaF+9bQHgs4jTlmOHCZVWGMRe8InVXYopym74:CU5OGUFrfs4gs4jTQ6ebVIo374
                    MD5:BF59A047984EAFC79E40B0011ED4116D
                    SHA1:DF747125F31F3FF7E3DFE5849F701C3483B32C5E
                    SHA-256:CD9BE67AA0527F16E309189FA2369E1A2596D0601A7D55C405F8A619F4D095E9
                    SHA-512:85A545758E8C89EF47BF11B553C57D23ED7DA6AE89A8BCCB262F509AABE61A1121C3F87EC9200791F2670225BAEECC3C92AED6AFDA86C08CA0FD611DA2E595D2
                    Malicious:false
                    Reputation:unknown
                    Preview:........................#.....&.....:......7.....7.....7.....7.+...7.1...7.8...7.9...7)<...7.=...7xE...7.H...7.J...7'N...7.Q...7.T...7.U...7.W...7.Z...7._...7.e...7.l...7.n...7Fp...7ft...7.v...7)y...7.|...7.~...7.....7j....7E....7K....7g....7.....7s....7.....7r....7.....7.....7.....7a....7:....7l"...8.%...8<,..<F.J..=F.N..>FtV..?F9\..@Fw_..AFr`..BF0g..CFll..DF|o..EF.v..FF){..MF....NF...QFf...RF....YF`...ZF...[F....\F....]F....L*....L.....L.....N.....N.....N.....N.....N.....N.....N.#...N.&...N.'...N.)...N.*...N.+...Nv,...N.-...N;r...N.|...Um....U.....UM....UV....U.....U....UC....U.....U....UM....U.....U.....Um....U.....U.....U.....U.....UQ....U.....U7....U.....U.....Uk....U.....U.....U.....U.....U.....U.....U.....U.....U.....U{....U.....U.....U.....U~&...U.)...U.Q...U.Q...U.V...U.[...U.\...U._...U.`...U?a...U.a...Uic...U.d...U\f...U.g...U.i...U1l...U.p...U.u...U.}...U.....U.....U^....U.....U.....Ux....U....U.....Uy....U6....U.....U....UR....Uq....U.....U.....U_....U.....U.....U..
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1305142
                    Entropy (8bit):7.99463351416358
                    Encrypted:true
                    SSDEEP:24576:8AkckSbnVLjWG13xdT0b+SLzRYt2k+lbG9EjJNH/osm22O+EcRfPLP:88zVXWG1hdAKSxY4k5EFNHgvPPLP
                    MD5:20DDA02AF522924E45223D7262D0E1ED
                    SHA1:378E88033A7083AAC24E6CD2144F7BC706F00837
                    SHA-256:8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
                    SHA-512:E71320B2AA0CB52938206EC00187D78274646C4C7D3579B33A0163262C063B7813FE7ACD0D2E5807082ADE772069AA577FED7F594964790C2F7C061CE38467B6
                    Malicious:false
                    Reputation:unknown
                    Preview:........i...f+....i+....l+....m+{...n+q...o+7(..p+.1..q+X3..r+~5..s+aI..t+.]..u+.f..v+Ui..w+'k..x+.l..y+.q..z+.s..{+O{..|+...}+=...~+.....+....+-....+.....+.....+.....+.....+.....+.....+.....+.....+.....+%....+.....+&(...+.Q...+.Y...+Xe...+Bj...+cv...+.}...+....+H....+....+Q....+l....+I....+.....+ ....+T....+!....+m....+.....+.....+U....+.....+.....+.....+l....+~....+.....+=....+w....+.....+-"...+.(...+.0...+.2...+.4...+.G...+uS...+.....+9....+y....+.....+.....+N....+....+0....+.....+.....+.....+_....+.....+.....+.....+.....+.....+.....+.....+.....+S....7`....7R...(7/...)7.....L.m...LO....L.....Mk....M.....M.....M>....M.....M.....Mq....M.....M.....M\....M.....M.....M.....M.....M.....M.....M.....M.....M.....MO....M.....M.....M.!...M.(...Mf5...M.;...M&E...M.P...M.T...M<]...M.`...M.j.. M.k..!M2v.."M.w..#M.z..$M....%M...&M...'M#...(M@...)M....*M(...+MY...,Mu...-M$....M..../MV...0M;...1Mx...2M....3M....4Mi...5M....6M....7MP...8M"...DM....EM.....Mi....M.~...M.~...Mb....M_....M....M.
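The records above carry an "Entropy (8bit)" value for every dropped file, and the "Encrypted" flag flips between 7.9897 (false, the 1946739-byte blob) and 7.9946 (true, the 1305142-byte blob), which is how packed or encrypted payloads get surfaced among otherwise unremarkable dropped files. The following Python is an added example, not code from Joe Sandbox or from the sample: it computes that 8-bit Shannon entropy, parses one record in the report's "Key:Value" layout, and applies a cut-off. The 7.99 threshold is an assumption chosen only to be consistent with the two values quoted above; the real rule the sandbox uses is not stated on this page. The two byte blobs are constructed inputs (a repeated DOS stub string and a deterministic xorshift32 stream), not the dropped files themselves.

```python
import math
from collections import Counter

# Constructed sample inputs (not files from the report): a repetitive text blob
# and a pseudo-random blob standing in for a compressed/encrypted payload.
LOW_ENTROPY_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 64


def _xorshift32_bytes(n: int, seed: int = 0x2545F491) -> bytes:
    """Deterministic pseudo-random bytes (xorshift32, shifts 13/17/5) so the
    example runs offline and reproducibly; not cryptographic, just uniform."""
    out = bytearray()
    x = seed & 0xFFFFFFFF
    while len(out) < n:
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out += x.to_bytes(4, "little")
    return bytes(out[:n])


HIGH_ENTROPY_SAMPLE = _xorshift32_bytes(1 << 18)

# Assumed cut-off: the report marks 7.9946 as Encrypted:true and 7.9897 as
# Encrypted:false, so 7.99 is consistent with it, but it is our guess, not
# the sandbox's documented rule.
ENCRYPTED_THRESHOLD = 7.99

# One record copied from the report, in its own "Key:Value" layout, to feed
# the parser below (the Preview/SSDEEP lines are omitted for brevity).
RECORD_TEXT = r"""
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1305142
Entropy (8bit):7.99463351416358
Encrypted:true
SHA-256:8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
Malicious:false
"""


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), i.e. the report's
    'Entropy (8bit)' metric: -sum(p_i * log2 p_i) over the 256 byte values."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_record(block: str) -> dict:
    """Parse one dropped-file record. Only the first ':' separates key from
    value, so Windows paths such as 'C:\\...' in the Process field survive."""
    rec = {}
    for line in block.splitlines():
        line = line.strip()
        if not line or line.startswith("\u2022"):  # skip the AV bullet lines
            continue
        key, sep, value = line.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def looks_encrypted(entropy: float, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """Heuristic: near-maximal byte entropy means compressed or encrypted data."""
    return entropy >= threshold


def triage(block: str) -> dict:
    """Summarise a record: SHA-256, reported entropy, our heuristic verdict,
    and whether that verdict agrees with the report's own Encrypted flag."""
    rec = parse_record(block)
    entropy = float(rec["Entropy (8bit)"])
    verdict = looks_encrypted(entropy)
    reported = rec.get("Encrypted", "").lower() == "true"
    return {
        "sha256": rec["SHA-256"],
        "entropy": entropy,
        "heuristic_encrypted": verdict,
        "agrees_with_report": verdict == reported,
    }


if __name__ == "__main__":
    print("low-entropy sample :", round(shannon_entropy_8bit(LOW_ENTROPY_SAMPLE), 4))
    print("high-entropy sample:", round(shannon_entropy_8bit(HIGH_ENTROPY_SAMPLE), 4))
    print(triage(RECORD_TEXT))
```

Entropy alone does not separate a packed installer payload from an encrypted second stage; the report's own values show a 7.99 gzip-like blob sitting right under the flag, so treat the flag as a prompt to carve and inspect the file, not as a verdict.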
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:current ar archive
                    Category:dropped
                    Size (bytes):87182312
                    Entropy (8bit):5.477474753748716
                    Encrypted:false
                    SSDEEP:196608:v0b1XAJ5V8XYcrfCNJsTtU0ZhdYHbgMnn6d25JOcLRiLnIrBcnK0EAeg1GF:78JaNJyZhdE6383rWEAR8
                    MD5:FFD456A85E341D430AFA0C07C1068538
                    SHA1:59394310B45F7B2B2882D55ADD9310C692C7144F
                    SHA-256:F188B96639B5157E64222BB8483D76CD21A99141FC2614EF275E20639C739264
                    SHA-512:EB4CB388383CB37B1D89531D560169985A80DF9335F005AFBBFDE56F9031821A933D735138B1086CF81D006E480FF14711A8A95B3DB8A0FD4037AA6EFD926B50
                    Malicious:false
                    Reputation:unknown
                    Preview:!<arch>./ 1696073295 0 1940897 `...Y..:.t.:.>.:...:...:...:...:...;/..;/..;/..;/..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..@...@...@...@...@...A...A...A...A...A...A...A...A...A...A...A...A...Co..Co..Co..Co..Co..Co..Co..Co..Co..Co..E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...G..G..G..G..G..G..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=.
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):656926
                    Entropy (8bit):7.964275415195004
                    Encrypted:false
                    SSDEEP:
                    MD5:3404DD2B0E63D9418F755430336C7164
                    SHA1:0D7D8540FDC056BB741D9BAF2DC7A931C517C471
                    SHA-256:0D3FCA7584613EB1A38BAF971A7DD94F70803FC130135885EC675E83D16A4889
                    SHA-512:685D63633DB8A57D84225C2B92C92016E1CE98BA2BF8D3DDACE2EB120B3BCF84C718787D59DB6EC61F34CF91CB651500B4E4FF0AC37AEB89561CDCC586946C80
                    Malicious:false
                    Reputation:unknown
                    Preview:..........+...........................&..........;.....;N....;.....;"....;.....;.....;N....;.....;.....;s....;....;.....;.....;....;4....;.....;.....;0....;.....;c....;7....;.....;.....;.....;.....;?....;:....;G....;.....;n....;x....;.....;.....;.....;#....;.....;.....;B....;.....;.....;.....;N....;.....;.....;+....;.....;% ...;c!...;.!...;."...;E+...;t4...;qH...;I\...;.]...;.^...;>a...;.c...;.g...;.o...;pw...;.|...;h....;.....;.....;....;.....;....;o....;.....;.....;.....;*....;y....;.....;.....;3....;9....;h....;.....;.....;.....;F....;."...;.+...;.0...;.8...;?:...;'X...;.q...;.....;....;.....;t....;.....;.....;.....;./...;.X...; m...;....;.....;.....;.....;+....;.....<O....<.....<.....<=....<2$...<y+...<.3...<.<...<aA...<.L...<.W...<.[...<._...<.d...<Dv...<t....<!....<....<....<.....<.....<.....<V....<.....<.#...<.8...<|F...<hP...<bW.. <i^..!<ts.."<(...#<{...)<`...*<c...+<d...,<"...;<x...<<k...=<....><-...?<....@<....A<'...B<g...C<....D<U...E<....F<....G<....J<....K<....L<v%
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1017158
                    Entropy (8bit):7.951759131641406
                    Encrypted:false
                    SSDEEP:
                    MD5:3FBF52922588A52245DC927BCC36DBB3
                    SHA1:EF3C463C707A919876BF17C3E1CD05C0D2C28CA9
                    SHA-256:C6FE346106C5E4950161ED72EB0A81FE3537A94E4A59461AAF54E750D1904F76
                    SHA-512:682EB6D61B564C878FDB971A6439FCDA9F1E108BD021A32E8990B68B1338986A4866A0965DEA62567501C8826D43CEBF2B7C8BE8323DE415A75E8D89A9D592E7
                    Malicious:false
                    Reputation:unknown
                    Preview:..........+.....................b................;.....;&....;.....;.....;.....;.....;b....;....;8....;.....;.....;o....;....;<....;.....;.....;l....;....;/....;.....;[....;Q....;.....;j....;.....;.....;L'...;.E...;lZ...;.o...;.q...;.r...;.s...;.{...;.{...;.~...;"....;.....;U....;.....;.....;.....;....;d....;.....;.....;i....;.....;f....;....;0....;.....;.....;.(...;+*...;.+...;A....;54...;.9...;,O...;.`...;.n...;.~...;.....;.....;M....;....;;....;q....;Z....;.....;.....;.-...;\=...;.P...;.d...;@|...;.....;Y....;#....;_....;/....;.....;.#...;.;...;.J...;gc...;cf...;W....;....;W....;.....;.....;.....;7....;.-...;.I...;Y\...;W....;....;.....;S....;.....;t....;.....;.....<W....<.&...<9<...<iG...<jQ...<.X...</a...<gi...<.n...<Pz...<.....<f....<.....<I....<.....<.....<.....<4C...<4d...<....<....<.....<.....<.....<D8...<.e...<_....<....<.... <I...!<...."<.E..#<.E..)<.G..*<%j..+<N...,<....;<....<<v...=<....><....?<....@<y...A<....B<....C<....D<....E<"F..F<.J..G<.O..J<.X..K<.e..L<.r
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1174528
                    Entropy (8bit):6.475826085865088
                    Encrypted:false
                    SSDEEP:
                    MD5:207AC4BE98A6A5A72BE027E0A9904462
                    SHA1:D58D2C70EA0656D81C627D424F8F4EFCCEF57C86
                    SHA-256:2BA904DA93ACC4766639E7018AC93CC32AA685DB475F3A59B464C6BC8B981457
                    SHA-512:BFB6C58774829DB3D5FADC92CB51477FF4EAC8FB934DB6583A312BB1157468F6DD3A4A3AFAF25A687B74890DC8A69857A12D0B38B18D83E82836E92E02046FF3
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....v...p......P.....................................................@A........................vT......AX..<.......x...........................<<.......................;......(...............<[.......O.......................text....u.......v.................. ..`.rdata..\............z..............@..@.data...H...........................@....00cfg...............F..............@..@.crthunk.............H..............@..@.tls.................J..............@...CPADinfo(............L..............@...malloc_h.............N.............. ..`.rsrc...x............P..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2106216
                    Entropy (8bit):6.4563314852745375
                    Encrypted:false
                    SSDEEP:
                    MD5:1C9B45E87528B8BB8CFA884EA0099A85
                    SHA1:98BE17E1D324790A5B206E1EA1CC4E64FBE21240
                    SHA-256:2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
                    SHA-512:B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 3%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.h...;...;...;..];...;...;...;.._;...;..h;0..;..i;'..;..X;...;..l;D..;?M.;...;..Y;...;..^;...;Rich...;........PE..L...92.K...........!.........d...............................................p .....O. ...@.........................@.......@...P..................... .h............................................i..@............................................text...S........................... ..`.data....~.......B..................@....rsrc................(..............@..@.reloc..D............,..............@..B................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):4127200
                    Entropy (8bit):6.577665867424953
                    Encrypted:false
                    SSDEEP:
                    MD5:3B4647BCB9FEB591C2C05D1A606ED988
                    SHA1:B42C59F96FB069FD49009DFD94550A7764E6C97C
                    SHA-256:35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
                    SHA-512:00CD443B36F53985212AC43B44F56C18BF70E25119BBF9C59D05E2358FF45254B957F1EC63FC70FB57B1726FD8F76CCFAD8103C67454B817A4F183F9122E3F50
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!7P.OdP.OdP.Od..NeR.OdP.Nd..OdY..dU.Od.Jem.Od.KeQ.Od...dQ.Od..Leo.Od..Je..Od..OeQ.Od..Ge..Od..Kec.Od...dQ.Od..MeQ.OdRichP.Od................PE..L..................!.....2<..*...............P<...............................?.......?...@A.........................<<.u.....=.P.....=.@.............>..%....=.........T....................u..........@.............=..............................text...e0<......2<................. ..`.data...`"...P<......6<.............@....idata........=.......<.............@..@.rsrc...@.....=.......<.............@..@.reloc........=.......<.............@..B........................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2205743
                    Entropy (8bit):7.923318114432295
                    Encrypted:false
                    SSDEEP:
                    MD5:54D4E14BFF05C268248CAB2EEDFB61DD
                    SHA1:33AF472176F6E5FB821FFE23C9FBCCC7C735B5B9
                    SHA-256:2CAC401BFFA9FD4DFFE11E05EE18FC5CA7A30EC5BF7EF6A3EA8518A4F3344790
                    SHA-512:5A6893E7EA30EAA0EFF44687B0D15366A8224E476E4AE8FE0D5C7EF2B3C62E6B0184F73EAD36C4E4E08D6936524CEF8429660B3EC29453EED128E3C5368CE78C
                    Malicious:false
                    Reputation:unknown
                    Preview:........K....[.....[.....[.....[Y....[.....[.....[.....[.....[P ...[.!...[."...[.#...[.$...[.%...[.%...[T&...[0'...[/(...[.(...[.(...[.*...[.+...[{,...[1-...[.-...[3....[b/...[.0...[.1...[.2...[.3...[,4...[.4...[P5...[.5...[#6...[!8...[.8...[.9...[.9...[::...[q;...[Y=...[.=...[ ?...[.@...[0A...[iB...[?D...[.E...[pE...[UF...[.G...[.H...[)I...[.I...[.M...[.M...[DN...[.N...[FO...[.O...[.Q...[oV...[uW...[cX...[[\...[.]...[Ea...[bc...[.c...[ d...[.d...[oe...[.f...[.h...[.i...[Xj...[.k...[.l...[An...[.o...[.p...[.....[....[.....[.....[.....[.....[[!...[.%...[d....[x1...[.4...[.4...[.9...[.C...[.Q...[KS...[#V...[=]...\.b...\.z...\Q}...\.....\.....\*....\`....\.^...\7b...\uy...\g....\.....\.....\=....\....\....\....\'....\.....\....\.... \....!\...."\....$\....%\....&\....)\....*\....+\.Q..,\.S..-\.U...\..../\w...0\....1\8...2\....3\....4\....5\....6\....7\.T..8\.z..9\6...:\....;\c...<\)&..=\.*..>\>5..?\JU..@\.r..A\....B\9...C\....D\S...E\....F\\y..G\Y...H\%...I\....J\M...K\.a..L\.j..M\.n
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):10717392
                    Entropy (8bit):6.282534560973548
                    Encrypted:false
                    SSDEEP:
                    MD5:E0F1AD85C0933ECCE2E003A2C59AE726
                    SHA1:A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
                    SHA-256:F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
                    SHA-512:714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
                    Malicious:false
                    Reputation:unknown
                    Preview:...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW*..K..P.*..L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):377856
                    Entropy (8bit):6.602916265542373
                    Encrypted:false
                    SSDEEP:
                    MD5:8BC03B20348D4FEBE6AEDAA32AFBBF47
                    SHA1:B1843C83808D9C8FBA32181CD3A033C66648C685
                    SHA-256:CBEE7AC19C7DCCCA15581BD5C6AD037A35820DDFE7C64E50792292F3F2E391E6
                    SHA-512:3F9EEC2C75D2A2684C5B278A47FB0E78B57F4F11591FAC4F61DE929F716BBAA8F7DF05E10390408AD6628538611541548C26869822372E9C38D2C9C43881651E
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....`...`............................................... ............@A........................8,..h....:..(.......x........................>..........................D........p..............(<..`............................text....^.......`.................. ..`.rdata..L....p.......d..............@..@.data....4...p.......`..............@....00cfg...............|..............@..@.tls.................~..............@....rsrc...x...........................@..@.reloc...>.......>..................@..B................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):6635008
                    Entropy (8bit):6.832077162910607
                    Encrypted:false
                    SSDEEP:
                    MD5:63988D35D7AB96823B5403BE3C110F7F
                    SHA1:8CC4D3F4D2F1A2285535706961A26D02595AF55C
                    SHA-256:E03606B05EEAED4D567EA0412350721C0D566B3096B18C23BD0B3FCDE239E45A
                    SHA-512:D5F5ACA00BE9E875FCD61531CC7F04F520FB12999E36E4FE06BEAAE491B47D2E9FE182015DB1CBFBB8E78CF679F2EB49E20ECDF1B16D1D42058D6F2D91BC3359
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!......L...........@.......................................e...........@A.........................].......^.d.....a.......................a.."...U]......................T].....X.L.............H.^.@.....].@....................text.....L.......L................. ..`.rdata...I....L..J....L.............@..@.data...X....._.......^.............@....00cfg........a.......a.............@..@.tls..........a.......a.............@....rsrc.........a.......a.............@..@.reloc..."....a..$....a.............@..B................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):176517632
                    Entropy (8bit):7.025874989859836
                    Encrypted:false
                    SSDEEP:
                    MD5:F5259CC7721CA2BCC8AC97B76B1D3C7A
                    SHA1:C2FC0C8396D8CD6764809A2A592972E2EBCA64BA
                    SHA-256:3FE6A262EF01CB8FD4DC2D4373DE0F1F0A89EE51953452ED4557CB55F1DA9AB4
                    SHA-512:2D01B1F2B24717EFF37965BBC32D167434A65F3DFFF74342D2E2FA8FBB0E97C3F61FDF673A13AD63031D630D9CE46A6F9F0C4F89EBD30C31F3EA55817B9D1331
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.........N.......k....................................................@A........................#..........h....0J.(C....................L.|.\.P................................?..............`.......LY..@....................text............................... ..`.rdata...%2..0...&2.................@..@.data...dr+..`.......>..............@....00cfg........I.......&.............@..@.rodata.@.....I.......&............. ..`.tls..........J.......&.............@...CPADinfo(.....J.......&.............@...malloc_h..... J.......&............. ..`.rsrc...(C...0J..D....&.............@..@.reloc..|.\...L..0\..B).............@..B........................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:current ar archive
                    Category:dropped
                    Size (bytes):40258
                    Entropy (8bit):4.547436244061504
                    Encrypted:false
                    SSDEEP:
                    MD5:310744A0E10BD9C2C6F50C525E4447F9
                    SHA1:9BA62D6AC2CB8EFF46C9B21051677FC1DC66D718
                    SHA-256:E9C55CFF925E26812139CDCAD6612E0D69E317CB7BB1435C9EB5113D338ACCE7
                    SHA-512:6DF9E3F9AFD7CDEC750B006987E5AEC445E163DD0B9CF1A9EA53F78DB2EE5FD654E3B4F82BCA3E1F4BEDB189F5DFA51189C820905676AD048DBE2E0AD405BF5B
                    Malicious:false
                    Reputation:unknown
                    Preview:!<arch>./ 0 0 0 0 14390 `.......8z..:&..:...;...;...<&..<&..<...<...=...=...=...=...>...>...>...>...>...>...?f..?f..?...?...@B..@B..@...@...A$..A$..A...A...B"..B"..B...B...C...C...C...C...D...D...D...D...D...D...E...E...E...E...Fn..Fn..F...F...GZ..GZ..G...G...HJ..HJ..H...H...I$..I$..I...I...J...J...J...J...K ..K ..K...K...L...L...L...L...M...M...M...M...N...N...N|..N|..N...N...Od..Od..O...O...P`..P`..P...P...QP..QP..Q...Q...RT..RT..R...R...S@..S@..S...S...T...T...T...T...U...U...Un..Un..U...U...VP..VP..V...V...W,..W,..W...W...X...X...X...X...X...X...Y\..Y\..Y...Y...ZB..ZB..Z...Z...[,..[,..[...[...\...\...\...\...\...\...]b..]b..]...]...^N..^N..^...^..._6.._6.._..._...`$..`$..`...`...a...a...a...a...b...b...b...b...c...c...c...c...c...c...dj..dj..d...d...e^..e^..e...e...fV..fV..f...f...g8..g8..g...g...h*..h*..h...h...i"..i"..i...i...j...j...j...j...k...k...k...k...l...l...l...l...l...l...mh..mh..m...m...nN..nN..n...n...o2..o2..o...o...p...p...p.
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):470498
                    Entropy (8bit):5.409080468053459
                    Encrypted:false
                    SSDEEP:
                    MD5:64F46DC20A140F2FA3D4677E7CD85DD1
                    SHA1:5A4102E3E34C1360F833507A48E61DFD31707377
                    SHA-256:BA5CA0A98E873799A20FD0DF39FDB55AAB140E3CC6021E0B597C04CCE534246D
                    SHA-512:F7D789427316595764C99B00AF0EF1861204F74B33F9FAB0450F670CB56290C92BFB06EF7D1D3B3BF0B6ACDC6295E77F842C49579BD9973E3D5805920CDB2527
                    Malicious:false
                    Reputation:unknown
                    Preview:........$$..e.>...h.F...i.N...j.Z...k.i...l.t...n.|...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.........................&...........5.....<.....C.....D.....E.....J.....W.....f.....w.................x.................A.......................S.........................................%.....{.......................V.......................J.......................Y.......................e.......................a.......................l...................................O.....f.......................).....z.......................6.....u.......................Q.......................E.....w.................!.....I.....R.............................l.......................f.................+.............................f.......................D.......................<......................._.......................2.....~.................2.....v.................X...........$.....8.................P.....r...........6.....j.....}.................1.....?...................
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):763010
                    Entropy (8bit):4.909167677028143
                    Encrypted:false
                    SSDEEP:
                    MD5:3B0D0F3EC195A0796A6E2FAB0C282BFB
                    SHA1:6FCFCD102DE06A0095584A0186BD307AA49E49BD
                    SHA-256:F9F620F599BC00E84A9826948C3DA985AC9ADB7A6FFB4C6E4FBEFEAF6A94CF85
                    SHA-512:CA9217F22C52EF44E4F25142D1AD5DD9D16E4CCC3B6641609E1F4C2650944E35BA4CAB59CA5CD9EA6FEFD6BE1D3E8227FC0E3E6BDEDD14B059CA2C72D096D836
                    Malicious:false
                    Reputation:unknown
                    Preview:........>${.e.r...h.z...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.(...|.....}.@.....H.....M.....U.....].....e.....l.....s.....z.....{.....|...............................................F.....f.....'...........V...........Y.............................5.................F.................!.................d.....z...............................................C...........\.................z...........h...........3...........$.....C.................e.................i.................,.......................X.............................h.......................!.....|...........$.............................1.....}.........................................Z.................|...........'.....N...........F.................;.............................G.................v............ ....4 ..... ....X!.....!.....!....x"....."....Z#.....#....M$.....%.....%.....%.....&....+'.....'.....'.....(....D).....).....)....2*.....*.....*.....*.....+....",.....,
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):838413
                    Entropy (8bit):4.920788245468804
                    Encrypted:false
                    SSDEEP:
                    MD5:C70B71B05A8CA5B8243C951B96D67453
                    SHA1:DEED73A89F0B3EDAB8FF74117CC6B31CB4F426E8
                    SHA-256:5E0D4BC0893A334B6FFF610F66E4A00920530D73EC3257EB9D37A96EBD555C13
                    SHA-512:E000FD3592AC5FE700C4CE117868915C066AC66D5954A1DE4F5AFF0F4559C93F7DFF47623F1837CE827FFF94E91ECD89A974037BE9CCCC8E672E229A1E8115E9
                    Malicious:false
                    Reputation:unknown
                    Preview:.........#..e.....h.....i.....j.....k.....l.!...n.)...o.....p.;...q.A...r.M...s.^...t.g...v.|...w.....y.....z.....|.....}.........................................................................-.....d.................n...........A...........u.......................O.......................D.................Y...........3.....J...........=.....g.....~.....&.................O.......................B.....!...........u...........5...........).....W.................3.....N.....U.....B...........!.........../.....Y........... .......................g...........).....I.................#.....A...........@.................6........... .....D...........I.................%.............................=.................?...................................G...................................).....t............ ..... ..... ..... ....o!.....!....6"....\"....."....S#.....#.....#.....$.....%....V&.....&....5'.....'.....(....J(.....(....X).....).....).....*....z*.....*.....*....t+.....,....{,.....,....--
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):869469
                    Entropy (8bit):4.677916300869337
                    Encrypted:false
                    SSDEEP:
                    MD5:12A9400F521EC1D3975257B2061F5790
                    SHA1:100EA691E0C53B240C72EAEC15C84A686E808067
                    SHA-256:B7FD85B33B69D7B50F6C3FDC4D48070E8D853C255F2711EEDAA40D1BA835F993
                    SHA-512:31EAA1CBF13BC711750B257C6B75813ACC8E4E04E9262815E399A88B96BA7B5BE64CE2450638B5521D5CB36750C64848944168C3234D2CE15A7E3E844A1E1667
                    Malicious:false
                    Reputation:unknown
                    Preview:........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}................... .....(.....0.....7.....>.....E.....F.....G.....L.....n...................................I...........Q...........q.......................T.................E.......................7.....~...........<.................:.....&...........F.................X...........$.................Z...........X...........m.................C.........................................{...........:.....a...................................8................._...........O.....}...................................$.....h.........................................2.............................3 ....e .....!.....!.....!.....".....".....#....W#.....#....{$....-%.....%.....%.....&....k'.....'....T(.....).....).....).....).....*....`+.....+.....+.....,....p-.....-....&....../...../.....0.....0.....1....o2.....2....73.....4.....4.....4....-5.....5....X6.....6.....6.....7.....8.....9
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1118348
                    Entropy (8bit):4.2989199535081895
                    Encrypted:false
                    SSDEEP:
                    MD5:89A24AF99D5592AB8964B701F13E1706
                    SHA1:2177122C6DCC20E1D07EF43AF5A112E8E5C6B95B
                    SHA-256:5BDBBCD0D07B6AE3A7F96F07871EE541F4111D90D73FD6E112C5ABE040025C96
                    SHA-512:60F6CD73BF35886EF54FA6200F86BCED78DD11F612C8071F63EB31108F109C166D45609879E8E5107024A025BAFCFCF1C80051B6D8FF650D92DCF17136384EB1
                    Malicious:false
                    Reputation:unknown
                    Preview:........($..e.F...h.N...i._...j.k...k.z...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.......#.....(.....0.....8.....=.....E.....L.....S.....Z.....[.....\.....a.............................=.....G...........?.....4...........................................................B.....}.....>...........k...........X...........].............................q.....W...................................W...........S...........e.............................I.....m.....e..........._.....(.................9...........q.................p...........5.....X.....8...........Q...........M...........I.....u.....-...........!.....G............ ..... ..... .....!....P".....".....".....#.....%.....%.....&.....'.....'....^(.....(....;).....).....*....6*.....+.....+....1,....],....E-................-/...../....x0.....0.....0.....1.....2.....2.....3...."4.....4....x5.....5.....6....78....*9....]9.....:.....;....;<.....<.....=....?>.....>.....>.....?....y@.....@.... A....&B.....B
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):537139
                    Entropy (8bit):5.397688491907634
                    Encrypted:false
                    SSDEEP:
                    MD5:37B54705BD9620E69E7E9305CDFAC7AB
                    SHA1:D9059289D5A4CAB287F1F877470605ED6BBDA2C8
                    SHA-256:98B2B599C57675EFC1456B38B23CE5657B142E0547F89AB1530870652C8EB4BA
                    SHA-512:42D667FEB59BB5FA619AC43DC94629ED1157CBE602643FB21378A2C524EF1F6E32098E7C62D3F3DE35D9FEDEF6607FE034908601AE3C49156CD0916E2514D2F9
                    Malicious:false
                    Reputation:unknown
                    Preview:........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}................... .....(.....0.....7.....>.....E.....F.....G.....I.....c.....|................._...........[.....z...........O.................D...........(.....G.................B....._.................A.....T.................8.....I...........3.....u...........(.......................p.................,.......................1.................T.....o.............................v.......................b.......................@.......................@.......................O.......................<.............................`.......................P.........................................M.......................H......................._.........................................n.......................Q.......................[.............................1.................>.........................................6.............................|...........".....>.
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):545011
                    Entropy (8bit):5.844949195905198
                    Encrypted:false
                    SSDEEP:
                    MD5:65A2C2A73232AB1073E44E0FB6310A5F
                    SHA1:F3158AA527538819C93F57E2C778198A94416C98
                    SHA-256:E9A1610AFFCA9F69CD651C8D2EDD71B5A0F82CB3910A8A9D783F68E701DB5BB0
                    SHA-512:20ED527F3BBBA2CECE03D7B251B19D6DCC9D345B5425291D8139FCDD5646EC34D585891160CC4BD96C668D18FFFFDD56F4D159880CFC0D538749F429F7F65512
                    Malicious:false
                    Reputation:unknown
                    Preview:.........$..e.....h.&...i.....j.:...k.I...l.T...n.\...o.a...p.n...q.t...r.....s.....t.....v.....w.....y.....z.....|.....}.................................................#.....$.....%.....'.....7.....I.....[.....p.............................|.................%...........(.........................................3......................./.......................2.......................z...........I.....k...........R.......................v................./.......................z...........=.....W.................&.....=....................... .....o.......................^.......................r.......................m.......................b.......................z.................0...........%.....i.......................3.....G.......................(.......................1.................R................./.....J.....^...........A.....q.................`.................,...................................V.....w...........Z.......................O.....t.................b.......
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):496165
                    Entropy (8bit):5.446061543230436
                    Encrypted:false
                    SSDEEP:
                    MD5:A44EC6AAA456A6129FD820CA75E968BE
                    SHA1:9B5B17AFD57ADB8513D2DA9A72223E8A003975A5
                    SHA-256:F01F9C3E4E6204425F2969F77BF6241D1111CE86CDD169BDF27E5D2D4B86C91A
                    SHA-512:947DB81EA64009CC301CD2DCE06384202E56446F6D75E62390334B91D09B564CB0681E06BF7A945033BD6C28C2171346A91EE16693262C4E373A31B51AD42A9E
                    Malicious:false
                    Reputation:unknown
                    Preview:........,$..e.N...h.V...i.g...j.s...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.".....*...../.....7.....?.....G.....N.....U.....\.....].....^.....`.....n.....~.........................................Q.............................*.....q.................].......................P.....w.................8.....b.....p...........9.....h.................n.................7.......................^............................. .....p...................................q.......................X.......................1...............................................".............................{.......................Z.......................C.....p.....~...........y.................4.............................l.......................I.....f.....v...........^.................................................................F.......................B...................................O.....~...........J.....z.................$.....@.....M.................F.
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):534726
                    Entropy (8bit):5.49306456316532
                    Encrypted:false
                    SSDEEP:
                    MD5:49CA708EBB7A4913C36F7461F094886B
                    SHA1:13A6B5E8DC8B4DF7A976A0859684DC0AA70F1B12
                    SHA-256:8AE7D6B77C51A4FE67459860ABDAE463F10766FAF2BA54F2BB85FD9E859D2324
                    SHA-512:6908F96BFDF7499B33E76697AA96103E89ACB3E25EDBD6156B610564AF14D4ED474C547A760503490B6327A801478E223039836BEEF2B938AF76827A15C0F751
                    Malicious:false
                    Reputation:unknown
                    Preview:.........#..e.~...h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.%...y.+...z.:...|.@...}.R.....Z....._.....g.....o.....w.....~.................................................................X.................E...................................^.....x...........n................./.......................Z...................................U.....w.............................h...........&.....7...........9.....w........... ................. ..........._.................D.......................U.......................h...................................a.....x...........f.........................................F.......................u...........).....;...........j.................A.......................;.......................9.......................t...........,.....`...........-.....K.....b...........G.....s.................}.................T...........,.....6...........S................./.......................K.......................t...........*.
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):950999
                    Entropy (8bit):4.76377388695373
                    Encrypted:false
                    SSDEEP:
                    MD5:9CBC320E39CFF7C29F61BD367C0BF3BB
                    SHA1:2AF07EFFF54A0CF916CF1C0A657F7B7ADF2029FF
                    SHA-256:E8837DEFA908EB2FD8B4EB6344412C93403A4258F75EC63A69547EB06A8E53B3
                    SHA-512:F7D84185F4520E7AAF3F3CACF38B53E9638BB7D5023FA244020EC8D141FFD5C10B198FF089824D69671FE8350F931B0BB19B6CAF14AF47B0838953367A146DD0
                    Malicious:false
                    Reputation:unknown
                    Preview:........)$..e.H...h.P...i.X...j.b...k.q...l.|...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...................&...........6.....=.....D.....K.....L.....M.....O.....v.......................5...................................V.................h...........F.....i...........~...........{...........a...........'.................&.......................M.....U.....O............................./.....J.....1..........._...........{.....6................. .............................g.......................<.................J...........8.....t.....O.....).......................U............................................................ ..... .....!.....!.....".....#.....$.....$.....$.....%....|&.....&.....'.....'....;(....t(.....(....M).....)....;*....h*....U+.....,.....,.....,.....-....8.....t...........f/....(0.....0.....0.....1....S2.....2.....3....64....Q5.....6....@6....A7....(8.....8.....8.....9.....:....o;.....;....[<....%=.....=.....=.....>.....?....6@
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):430665
                    Entropy (8bit):5.517246002357965
                    Encrypted:false
                    SSDEEP:
                    MD5:0F1E2BC597771A8DB11D1D3AC59B84F3
                    SHA1:C1F782C550AC733852C6BED9AD62AB79FC004049
                    SHA-256:E4798E5FF84069C3BFD7D64734CCD9FF5C8A606315B44A714ACDCABDDAF3CA6E
                    SHA-512:07E9B98357C880995576059AD4E91E0F145DC0F2FFF2DFDAD8649FA42EB46FA86F7F093503C41019EAD4550784E26C553D171518355FBBF995E38B1F6D7ABFF0
                    Malicious:false
                    Reputation:unknown
                    Preview:.........$ .e.(...h.0...i.>...j.J...k.Y...l.d...n.l...o.q...p.~...q.....r.....s.....t.....v.....w.....y.....z.....|.....}.....................................%.....,.....3.....4.....5.....:.....G.....V.....f.....w...........J.......................H.....y.................I.......................@.....o.......................?.....M............................._.......................B.......................8.............................[.......................*.....V.....a...........*.....l............................. .....^.............................A.....b.....n.................H.....[.......................+.....t.......................5.....y.......................:.....c.....n...........'.....d.....y.................).....?.............................G.............................].......................4.....O.....^.................6.....F.................#.....;.................V.....d...........$.....[.....x.................F.....U.............................k.............
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):434598
                    Entropy (8bit):5.509004494756697
                    Encrypted:false
                    SSDEEP:
                    MD5:FEAB603B4C7520CCFA84D48B243B1EC0
                    SHA1:E04138F1C2928D8EECE6037025B4DA2995F13CB4
                    SHA-256:C5B8FBDBB26F390A921DCACC546715F5CC5021CD7C132FD77D8A1562758F21F4
                    SHA-512:E6B3970A46D87BFD59E23743B624DA8116D0E1A9912D014557C38FD2664F513E56317AFA536DF52E7E703863FBD92136BE57EE759A2FFC2958AB028F6287E8B7
                    Malicious:false
                    Reputation:unknown
                    Preview:.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.,...y.2...z.A...|.G...}.Y.....a.....f.....n.....v.....~.................................................................G.......................\.......................Q.......................T......................./.....t.......................7.....^.....k.................".....9.................!.....9.............................i.......................7.......................!.............................K.....f.....u.............................Y.............................k.......................G.....t.......................7.....B.............................J.......................$.....~.......................^.............................=.....R.............................q.......................X.............................X.......................7.....o.................X.......................k.......................a.......................!.....C.....S.................,.
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):524728
                    Entropy (8bit):5.377464936206393
                    Encrypted:false
                    SSDEEP:
                    MD5:32A59B6D9C8CA99FBD77CAA2F586509A
                    SHA1:7E8356D940D4D4CC2E673460483656915AA59893
                    SHA-256:AA4A5AA83DD5F8476867005844F54664DB1F5464A855EF47EC3A821DAF08E8F2
                    SHA-512:860BA06228BBA31EEC7EB8BD437DDB6E93BABD0129033FB6EFF168F2FB01B54E2B93D2AB50A5D4F5D2FB7B04A5D0DD5541999D708CC2613B74AADD17B3E98735
                    Malicious:false
                    Reputation:unknown
                    Preview:........5$..e.`...h.h...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....j.....|.......................J...........>.....Y...........1.....v..........."...................................L.....g.................4.....G.................,.....=...........7.....}...........6...................................6.....I.................\.....s..........._.................Z...........2.....Y.......................:.......................".......................0.................R.....e...........).....g.....s.................P.....[.................4.....>.................L.....\...........O.................!.....v.................+.....x.................i.................:.................2.......................!.......................0.................I.....c...........x.............................B.....p...........V.......................G.....j.....}...........n.............
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):523181
                    Entropy (8bit):5.356449408331279
                    Encrypted:false
                    SSDEEP:
                    MD5:3D1720FE1D801D54420438A54CBE1547
                    SHA1:8B1B0735AE0E473858C59C54111697609831D65A
                    SHA-256:AE32D66C0329104B9624BA0811FE79149D1680D28299440EC85835DBA41C7BD2
                    SHA-512:C033BBB5261EC114DCB076EDB5E4B3293F37D60C813674A947F996606A6289204C04D2E4315356D92EEEB43FF41D534997DBEBBF960B17F2F24AA731AFE4B7E1
                    Malicious:false
                    Reputation:unknown
                    Preview:........5$..e.`...h.h...i.p...j.|...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.+.....3.....8.....@.....H.....P.....W.....^.....e.....f.....g.....i.....|.......................O...........G.....b...........D.................0........... .....:.................Y.....t.........../.....^.....n...........0.....X.....i...........c.................W...................................I.....Z...........*.....f.....{...........o.................g...........+.....P.................8.....N.................".....1.................*.....@.................?.....R.................;.....G.................%.....0.............................y...................................D.....^.................@.....].................5.....T...........;.....`.....s...........h.................M.......................A.......................W.............................&.................)...................................A.....U................. .....3.................D.
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):475733
                    Entropy (8bit):5.456553040437113
                    Encrypted:false
                    SSDEEP:
                    MD5:C00D66D3FD4FD9D777949E2F115F11FB
                    SHA1:A8EAAD96CABCDFB7987AF56CB53FA5E16143EC48
                    SHA-256:26C438935E3F666329EE8D1DABA66B39179BCF26EBAC902F9B957A784BDC9B4A
                    SHA-512:E7E8C083B556DD05874AC669B58A4D1CD05D1E1B771EB4C32942869E387C6FA2B317B5F489138BD90135117DAEB051D96A7823B531DF0303BD4245A036F25A20
                    Malicious:false
                    Reputation:unknown
                    Preview:........@$y.e.v...h.~...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.#...z.2...|.8...}.J.....R.....W....._.....g.....o.....v.....}.....................................................S...........J.....e...........4.....d.....w...........Y.......................u.......................m.......................\.......................[.........................................7.......................;.......................K.......................x...........;.....R.................9.....T................. .....,.............................w...........#......................./.....=.................'...../.................".....1.................$.....,.................O.....g.................4.....J.................,.....O.................4.....A.................=.....i.................&.....7.................#.....;.................?.....Z...........U.................C...................................@.....M...........................................
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):773397
                    Entropy (8bit):5.04618630633187
                    Encrypted:false
                    SSDEEP:
                    MD5:C998140F7970B81117B073A87430A748
                    SHA1:8A6662C3AABDAC68083A4D00862205689008110C
                    SHA-256:182F18E4EFCA13CA59AFD1DF2A49B09733449D42526EE4700B11A9C5E6AAC357
                    SHA-512:5A947A44F674F9556FDD44D2E4FF8CF0E0AAC4475FFA12480CA1BD07CFE7514961B7CACE6760189432B4B4BEB5EA5816701158EB3CB827A806F3063853C46D5E
                    Malicious:false
                    Reputation:unknown
                    Preview:.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.#...s.4...t.=...v.R...w._...y.e...z.t...|.z...}...............................................................................-.....T.....9.......................^...........u..........._.............................H.................a...........S.....f...................................?.................j..........._.............................'...........f.......................I.......................v.............................Q.....u...........}.................S...........).....@...........x.................m...........M.....d...........p.................H.................:...........`.................`...........l...............................................s...........C...........0.....P.......................;...........1 ....V ....q ....+!.....!....'"....I"....."....|#.....#.....#.....$.....%.....&.....&....j'.....(....l(.....(....W).....)....M*....p*.....*....n+.....+.....+....d,.....-....P-....x-
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):483378
                    Entropy (8bit):5.428549632880935
                    Encrypted:false
                    SSDEEP:
                    MD5:1CFD31A6B740D95E4D5D53432743EBF1
                    SHA1:20CEEEA204150BD2F7AAE5866C09A3B0AE72D4C5
                    SHA-256:F821E06B4BACD9E7660A2D6912A049591FFD56C6D2A0A29B914648589B17B615
                    SHA-512:C483B7347F91BE8EE515DCF352A1D7502B9A159EDE35EACCEBAA763B93A625BCE2D0C7D598C2A6111092257D6DAC7A167102E956697210D4694B9812D70C8A94
                    Malicious:false
                    Reputation:unknown
                    Preview:.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.%...v.:...w.G...y.M...z.\...|.b...}.t.....|.....................................................................................................^.....q...........7.....j.....}...........Z.......................~.......................s.......................D.....d.....t........... .....F.....`...........C.......................Q.....}.................S.......................T.........................................E.............................k......................./.....P.....\.................).....3.............................p.......................L.......................0.......................%.......................B.............................g.......................e.......................d.......................M.....d.....s...........*.....T.....f...........".....[.....u...........x.................I.......................Y.......................4.....v.......................S.....~.
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):546749
                    Entropy (8bit):5.197094281578282
                    Encrypted:false
                    SSDEEP:
                    MD5:6EDA0CD3C7D513AAB9856EC504C7D16F
                    SHA1:BA24C4B994E7866F2C012CCEC6C22DFC1A4FCFF6
                    SHA-256:3CD2BC9E887663C5E093E0334BC60CF684655A815E3DE7AD9A34BAD5EBB858B1
                    SHA-512:47000F5EA882CB9EDDCF4FB42ED229423EE55AA18B4A4353D7EF85ADFA7E1B0BBB33C2469887224D7146B3E33FB2296749CD053D68D7DAF26980BC710A27C63E
                    Malicious:false
                    Reputation:unknown
                    Preview:.........$..e.@...h.H...i.^...j.j...k.y...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.......!.....&...........6.....>.....E.....L.....S.....T.....U.....Z.....g.....|.................K...........:.....X...........O.................Q...........>.....e...........Z.......................~.................%.......................h.................H...........^.................M.................!.................H.....b...........].................V...........B.....d...........#.....N.....k.................A.....N.................,.....;.................S.....i...........5.....k.....z...........=.....o.....}...........>.....o.....}...........@.....r...................................R.......................L.......................<.......................e.................U.................F.....`...........>.....q.........................................%.................4.................4.................J.....b.................B.....X...........N.......
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):568277
                    Entropy (8bit):5.380723339968972
                    Encrypted:false
                    SSDEEP:
                    MD5:D185162DF4CAC9DCE7D70926099D1CF1
                    SHA1:46594ADB3FC06A090675CA48FFA943E299874BBD
                    SHA-256:E40C07183A32B75930242F166C5AAE28F4CD769BB2268391BEAA241814E7D45A
                    SHA-512:987D9CC6AD5F2ED6A87537FDADF105F6EB31A97B11156E70814FE021047E5D8D08398F008812038DF3CCDCB6254BF5B744D9982FE04F79D407AC2F53BB046E25
                    Malicious:false
                    Reputation:unknown
                    Preview:.........$..e. ...h.(...i.9...j.E...k.T...l._...n.g...o.l...p.y...q.....r.....s.....t.....v.....w.....y.....z.....|.....}..................................... .....'.........../.....0.....2.....B.....P.....b.....q.................6.....X...........?.................'.................(.................W.................4.....`.....p...........D.........................................{...........(.....L...........*.....i.....{...........S.........................................}...........i.................N.......................H.....r.................N.......................f.......................}.......................x.......................e.......................d.................+.................&.......................8.....~.......................k.................0...........;.......................f.........................................d.................6...........4................."...................................R.....k.................G.....[...........G.......
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1103776
                    Entropy (8bit):4.336526106451521
                    Encrypted:false
                    SSDEEP:
                    MD5:44F704DB17F0203FA5195DC4572C946C
                    SHA1:205CBCC20ADCCCF40E80AA53272FBA8CD07389CA
                    SHA-256:4B073F08F0C8C035974B5EC43AA500F8BDD50E6CFE91A2FB972A39E0F15ECEDD
                    SHA-512:3CFD4501556845141EE9B461C831CA59779AD99F0E83E8D03433DE78D774378E87DE752DD9711C112A0C584259AD1DA6DC891D92F3F447F63A4D84263CD5BFCE
                    Malicious:false
                    Reputation:unknown
                    Preview:........4$..e.^...h.f...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.#...|.)...}.;.....C.....H.....P.....X.....`.....g.....n.....u.....v.....w.....|.......................&.....b....._.....0.....l....._..... ...............................................a.......................G.................r...........\.....|....._...........z.......................V...........n.....B...................................7.....4...../.......................".......................4.....p...........P...........E.....m.......................................................................'...........}.......................C.................j .....!....u!.....!.....".....#....\$.....$....K%.....%....R&....{&.....'.....'.....'.....'.....(....b).....).....*....'+.....+....t,.....,.....-....9.....|............/....W0.....0.....0.....1.....2....33....f3.....4.....5.....6.....6.....7.....8....<9.....9....|:....H;.....;.....;.....<....s=.....=.....=.....?.....?.....@
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):681555
                    Entropy (8bit):4.658620623200349
                    Encrypted:false
                    SSDEEP:
                    MD5:E75086A24ECAA25CD18D547AB041C65A
                    SHA1:C88CE46E6321E4A21032308DFD72C272FB267DBD
                    SHA-256:55BE8A5ED9FB9C129AC45B7FC99574B9907350AFD024BAA5D07525F43E995F6B
                    SHA-512:01D7FDD90B8D0D3779B8442250E2AA767481B2E581F880BF9C3DCBB15FCE52E477B1881F3704FBCB3172DB77DB10241BCB24851BFE30066D1E9B66244B3C6877
                    Malicious:false
                    Reputation:unknown
                    Preview:.........$..e.....h.....i.....j.'...k.6...l.A...n.I...o.N...p.[...q.a...r.m...s.~...t.....v.....w.....y.....z.....|.....}.........................................................................+.....D.....].....z.....?...........~...........).............................O.................T...........#.....E...........:.......................w.................W................./...........F.................V...........5.....T...........K.................3.............................o...................................E.........../.....a.....t.............................z...........,.....?...........5.....v.................q.................5.......................r.................1...........X.................I.......................y.................$.................k...........).................!.......................#.................7.....P...........e.......................e.............................w...........W ..... ....$!....K!.....!....7"....g"....."....@#.....#....-$
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1167065
                    Entropy (8bit):4.308980564019689
                    Encrypted:false
                    SSDEEP:
                    MD5:1FF8A0B82218A956D2701A5E4BFA84EF
                    SHA1:56BB8218963E14ADCC435F2455891F3A0453D053
                    SHA-256:62E7C3ABC317931723BE11ADD3712DD15EAAB0A35A4D8E7DB0B6347104EC5733
                    SHA-512:3330D983401953AA5ED4856A8D10FFCBEEFC2A4E594CF850566A0AD38837BC1164870BB1270B6BBE5D7DD6FB1ECA29CDE85869A5C51808B901CDC282E04764E4
                    Malicious:false
                    Reputation:unknown
                    Preview:.........#..e.....h.....i.....j.....k.....l.%...n.-...o.2...p.?...q.E...r.Q...s.b...t.k...v.....w.....y.....z.....|.....}...............................................................................?.....j.............................................../.....j.........................................N.....}.....P...........^...........F...........A.....d.....K...........N.............................L.....&...........V...........f...................................L.....~.................{.................A.................y.....*.....}...........;...................................*.....[.................,.....K...................................j ..... ..... .....!....J".....".....".....#.....$....T%.....%....@&.....&....8'....d'.....'.....(.....(.....(.....)....6*.....*.....*.....+.....,.....-....c-......................%/.....0.....0.....1.....1.....2....i3.....4....B4.....5.....6.....7.....7.....9.....9....S:.....:.....;.....<....F=.....=.....>....N?.....?.....@.....@.....A....LB
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):526575
                    Entropy (8bit):5.518614920030561
                    Encrypted:false
                    SSDEEP:
                    MD5:0BD2F9847C151F9A6FC0D59A0074770C
                    SHA1:EA5313A194E9D99489E9F1D7B4DFC0BC986C8E17
                    SHA-256:5F2F1AA2E2EC78F375084A9C35275E84692EE68A1E87BBEF5A12A2C0FCF7F37A
                    SHA-512:0032C0B41FDF769DAA1AF23C443D4195B127DF9EA8621174F1AABDBAFAE4954383095FA1EEAD14FC458188B8837BBE9AECA0D5338E4D47F10D976FBED8609496
                    Malicious:false
                    Reputation:unknown
                    Preview:........F$s.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.)...y./...z.>...|.D...}.V.....^.....c.....k.....s.....{.................................................................k...........Y.....z...........F.....~...................................e.......................y.......................m.......................l................. .................q................._.........................................A.............................4.......................j.......................D.....f.....w.................*.....:.................4.....I.................&.....5.................8.....M................. .....0.........................................S.....n.................0.....M.......................3....................... .................E.....v...........!.....F.....\...........).....[.....t...........U.................M...........(.....:...........".....`.................G.....v.................$.....B.....T...........0.....n.
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):566819
                    Entropy (8bit):5.6387082185760935
                    Encrypted:false
                    SSDEEP:
                    MD5:4C27A1C79AB9A058C0A7DFFD22134AFD
                    SHA1:5F0A1B34E808B91ADB1E431E462D9FCF82F4FFF2
                    SHA-256:AD98C0A367B51EB217E69D66FA6A946946E85EC8452FC5A7AE0F179F35BE28C3
                    SHA-512:0F066DB5905EB24B6CB4FBC7C81F017B43AFB7A6E975886644D871E979406B990509905D100653496EE2D20969A77434B702FF1EA5D348274AE54EA597A91D5E
                    Malicious:false
                    Reputation:unknown
                    Preview:.........$..e.....h.....i.!...j.+...k.:...l.E...n.M...o.R...p._...q.e...r.q...s.....t.....v.....w.....y.....z.....|.....}.........................................................................+.....A.....V.....j.................9.....W...........N.................*.................*...........".....X.....q...........K.....r.................Y.................?................."...........I.................7.......................k...........'.....7...........:................./.................:.................Z.....w...........O.....v.................f.................5.................(...........2.....u...................................M.................0...........6.....x...................................m.................)................. .....I.................O.....g...........c.................O.......................E.......................r...........'.....H...........v.............................l...........7.........................................5...........& ....q
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):466959
                    Entropy (8bit):5.379636778781472
                    Encrypted:false
                    SSDEEP:
                    MD5:1466C484179769A2263542E943742E59
                    SHA1:18E45A08661FD6D34BADE01CDB1E1D5184BA2B67
                    SHA-256:C331293D16B16B08DEF73BE73437845D58C593941320C547A377DB423749AEBB
                    SHA-512:ABC54D5CAAA663578F064E43CC0465BEB97EFC46991936708EBF3FCD64BD007E47072AB4834A5361B21F064BB0F6527E247BC2C2F0DFB8336F50C2FF3E15A59C
                    Malicious:false
                    Reputation:unknown
                    Preview:........ $..e.6...h.>...i.O...j.[...k.j...l.u...n.}...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.........................'...../.....6.....=.....D.....E.....F.....H.....V.....c.....s.................k................. .....l.......................l.................-.......................0.............................R.....s.................I.....x.................T.......................@.....j.....w.................L.....Y.................Z.....m...........H.......................%.....@.....Q.............................c.......................<.......................#.....t.......................L.....x.................%.....R.....^.................>.....K.................5.....G.............................J.......................".....h.......................L.....}.................#.....=.....K.................+.....:.................2.....K...........C.......................u.................,.....|.......................C.....b.....r...........1.....h.
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):522800
                    Entropy (8bit):5.284113957149261
                    Encrypted:false
                    SSDEEP:
                    MD5:7767A70358D0AE6D408FF979DF9B2CD4
                    SHA1:9C57A5B068DC12AAF1591778DEF5D3696377EDAB
                    SHA-256:672908E77E9EACA793654C8E630442099DE3BE772FD3230A9C4045CAFBCC0B1E
                    SHA-512:913AA8C49D04CD84706D08A88453D1ED36FDE6A00F7C1DF63DECEA99316A8A234924457C0C50937329B3979E437B1C2D7796E63ADF209505E212FDCEAE3BFDB5
                    Malicious:false
                    Reputation:unknown
                    Preview:........-$..e.P...h.X...i.i...j.u...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.$.....,.....1.....9.....A.....I.....P.....W.....^....._.....`.....b.....u.......................E...........3.....O.................V.....g..........._.................o...........#.....L.............................k.......................n.................2...........*.......................w.................5.......................R...................................c................./.....[.....y.................=.....K.............................x.................*.............................`.......................4.............................^.........................................B.............................F.....\.....r........... .....L.....a...........=.......................b.......................8.....c.....v...........[.................c...........S.....j...........d.................[.................).....v.......................X.............
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):634636
                    Entropy (8bit):5.718480148171718
                    Encrypted:false
                    SSDEEP:
                    MD5:4A4AF69546DCF65F2D722A574E221BEA
                    SHA1:EE51613F111CF5B06F5605B629952EFFE0350870
                    SHA-256:7AD195AF107F2A394BAB527C3E84E08F3B7748076F23459F084CF0E05DD29655
                    SHA-512:0E93F6B22F7C9176EFC9D49901BFBD281FA5AC3632780DFA76CE597CADD8C1CF570A9163A86BC320BBFBD354F48288DBEC5E36A6088999B00A3561D302A96D03
                    Malicious:false
                    Reputation:unknown
                    Preview:........n#K.e.....h.....i.....j.....k.....l.....m.....o.%...p.2...q.8...v.D...w.Q...y.W...z.f...|.l...}.~...............................................................................................6.....W...........}.................l........... .....8...........c.......................B.................W.......................x...................................7.....V...........e.................=.......................].......................{...........#.....2...........y.................`...................................<.....W...........j.................y...........e...................................h...........(.....:...........%.....a.....p...........{.................}...........m..................................._...................................Z.....x.............................o...................................:.....U...........*.....d.....z....."...........*.....?...........X.................`.................@.................g............ ..... ..... .....
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1256908
                    Entropy (8bit):4.247594585839553
                    Encrypted:false
                    SSDEEP:
                    MD5:6A41A5AB03A22BDAEC7985B9A75EC11A
                    SHA1:6BB02DF557BD6522E02FE026C0243BEB9332B2E5
                    SHA-256:E22873652AC7D9D18E47DAE838D121B5644EDA4C67F7B0BC110733BF7E931FEA
                    SHA-512:BCA661D802D29463A847AC77EB8D5DFA41C31455E7314049CA26555957DCA3BE33701C074F7ED26D2C375A0A9C5F8A93461007B8D74F5ED3BD27C02E5DB170A5
                    Malicious:false
                    Reputation:unknown
                    Preview:........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...|.V...}.h.....p.....u.....}.................................................................W...........".....V.....W...................................n...........b............................._.......................<.....)...........s.......................).............................1.....7...................................[.................................................................*.....u...........f...........K.....^........................ ..... .....!..../"....i"....=#.....#....r$.....$....I%.....%....l&.....&....p'....((.....(.....(.....)....N*.....*.....*.....,.....-.....-................./.....0....W0.....0....z1.....1.....1.....2....Y3.....3.....4....@5.....6.....6.....7.....8.....8.....9....V9.....:....R;.....;....1<.....=....B>.....?....]?.....@....DB....BC....wC.....D.....E.....F....$G....\H....AI.....I....4J.....K.....K.....L....PL.....M....lN.....O
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):532715
                    Entropy (8bit):6.0824169765918725
                    Encrypted:false
                    SSDEEP:
                    MD5:5FD9942F57FFC499481947DB0C3FDFA7
                    SHA1:4D60AB21305902877467FF6151C1B7AB12553AAE
                    SHA-256:09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
                    SHA-512:97953E580588C07769F1BD0002E2DF648FFCE5B246D2359E4475EDCFA1CD6E7286BAF168A115D7A65686B2151C313B6FD0C271E40B1F9DD4132F2F39904FE8D4
                    Malicious:false
                    Reputation:unknown
                    Preview:........O#j.e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....r.....s.....t.....y.#...z.2...|.8...}.J.....R.....W....._.....j.....r.................................................................].................5.................O.....b...........F.......................p.................'.......................,.......................;.......................L.......................e.......................Y.......................X...................................Q.....h.................>.....U................. .....0.........................................-.....I.................A.....Q.................L....._.................K.....[.................J.....Z...........O.......................Z.....{.................U.....}.................`.................%.......................J.............................h.......................\.................+.......................m.........................................'.............................x.........................
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):573015
                    Entropy (8bit):5.63016577624216
                    Encrypted:false
                    SSDEEP:
                    MD5:8745B87D09D9ECC1112C60F5DD934034
                    SHA1:2F411E4EEF0E656CAC0C755FECE1AD2531CB689E
                    SHA-256:D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
                    SHA-512:27B658C153A01AABB9595C5B1059567E535EDFC8F8187B89316D2C85694DE32696D209CFDD2A32C4826DFB1E50AC692937156563EE190E68DB358C40F9AAE15F
                    Malicious:false
                    Reputation:unknown
                    Preview:........+$..e.L...h.T...i.e...j.q...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}. .....(.....-.....5.....=.....E.....L.....S.....Z.....[.....\.....^.....l.....y.................4...........".....=...........S.................M...........'.....A...........8.....p...................................A...................................B.....g...........z.................R...................................;.....K...........c.................T...........2.....P...........2.....Y.....t...........W.........................................E...................................D.....S...........Q.........................................S.............................B.................&.......................t...........1.....Y...........K.................+.........................................'...........N.................A.................,...........q.................d...........&.....F...........x.................(.......................H ..... .....!
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):570683
                    Entropy (8bit):5.624052036286866
                    Encrypted:false
                    SSDEEP:
                    MD5:E16B0B814074ACBD3A72AF677AC7BE84
                    SHA1:10744490B3E40BEB939B3FDCA411075A85A34794
                    SHA-256:46B5C09AA744AF0F660C79B0CDBDE8C8DBDD40A0BA1A23AAF28D37ECC4211DC5
                    SHA-512:70EA9DFAC667C0992AE0E95815A47EB8E779BAAE1215E733AFE84EEE26D3BA754AD838C12E9AEE3114D7BBE11CD21B31C550F5CAFE6C5E838B69E54C6174EF18
                    Malicious:false
                    Reputation:unknown
                    Preview:........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...|.V...}.h.....p.....u.....}...................................................................................Z.................G.................%...........Z.................F.................6.................Q.....\...........Q.........................................|.....#.....t...................................W.................0...........T.................B...........8.....Y...........$.....J.....`...........-.....V.....h...........;.....b.....v.............................G.......................r.........../.....>...........'.....Z.....k...........c.................@...........3.....K.................).....>...........=.....t.................c.................(.................2.......................8...........<.....q.........................................:.................8...................................N.....^...........0.....K.....m............ .....
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1307271
                    Entropy (8bit):4.279854356980692
                    Encrypted:false
                    SSDEEP:
                    MD5:309E068B4E15157486D095301370B234
                    SHA1:D962CDAF9361767045A928966F4323EAD22D9B37
                    SHA-256:4F2C19B7E94B695C5C5CAB95DEE6E49AE53C3337C351B5C665BCB6BA4E6AE909
                    SHA-512:6B1333946C7950D97D2DF29D063DB39A0EC5C0EEAA1ECA40743E4A6A0E4C972D897D3FF2BA837B53E31B8003F2C5C4BACCB7A4AB4B50C6CB47DF39AD7B8E05E7
                    Malicious:false
                    Reputation:unknown
                    Preview:........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.,...w.9...y.?...z.N...|.T...}.f.....n.....s.....{...........................................................$.....d.................Z.....C.......................W...........%.....r.....a.......................}.................n...........................................................I.................m.......................l.......................5.....y.............................^.............................j.......................|............ ..... .....!.....!....*".....#.....#....V$.....$....n%.....&.....&.....&.....'....n(.....(.....).....*.....*....W+.....+....c,....+-.....-.....-...........0.....0.....1.....1.....2....!3....Y3.....4.....4.....5....T5....06.....6.....7.....7.....9.....9.....:.....;.....;.....<.....=....Z=....|>....s?.....@....T@.....A....UB.....C....SC.....D.....E....yF.....F.....G.....H.....I.....I....-K....(L.....L.....M.....N.....N....eO.....O.....P.....Q.....R
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1075591
                    Entropy (8bit):4.313573412022857
                    Encrypted:false
                    SSDEEP:
                    MD5:69C36C23D6D9841F4362FF3A0F86CFDF
                    SHA1:C4C1F632EB8373107AEEBD6C26ECF036AEDA2B6B
                    SHA-256:6A794C2B08F8B046BE771DF33719536BDAF2371E3825D49A0E556958B781832D
                    SHA-512:8C1329BDB371677BC0A9D727A38591EDF32025BAE1E7EFE402D01C6A8BB5F647D827C59A18F40455D5C9C0482798525C98C3F1C8AC568AA886D7C1ED07D1580E
                    Malicious:false
                    Reputation:unknown
                    Preview:.........$..e.....h.....i."...j.....k.=...l.H...n.P...o.U...p.b...q.h...r.t...s.....t.....v.....w.....y.....z.....|.....}.........................................................................@.....b.................%.....]...........W.................J.............................:.....@.....=...................................&.................&.....F.....P.......................h...........o...............................................c...................................R..........._.................i...............................................J.................. .....!.....!....(".....#.....#....O$....{$....B%.....&....c&.....&....F'.....(...._(.....(....R).....*....y*.....*.....+.....-.....-................./...../...../.....0....61....l1.....1....Z2.... 3.....3.....3.....4.....5.....6.....6.....7.....8.....9....E9....u:....n;.....;....@<.....=....O>.....?....5?.....@.....A.....B.....B....MD....WE.....E....eF....nG....LH.....H.....H.....I.....J.....J.....K....5L....)M.....M
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):489457
                    Entropy (8bit):5.250540323172458
                    Encrypted:false
                    SSDEEP:
                    MD5:A1253E64F8910162B15B56883798E3C0
                    SHA1:68D402D94D2145704DC3760914BF616CC71FC65D
                    SHA-256:E033BFAD6CD73EA7B001DFAF44B7102E3BBE2A1C418F005C149E4FB2565DB19F
                    SHA-512:ABD63713093049ECC8E24FD8145EAE065340058A3C38758A59EE8796FBED7E6CFBC54982D650889F1CEB54797060C7DDA12EEE2A963B14C5E907A110C2057DBE
                    Malicious:false
                    Reputation:unknown
                    Preview:........T$e.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v./...w.<...y.B...z.Q...|.W...}.i.....q.....v.....~........................................................................................._.....{...........:.....n.....~...........\.................#.......................=.......................1.......................3.......................Y.................*.....z.......................W.......................E.......................b.........../.....A.............................N.......................$.....x.......................r.......................z.......................p.......................^.......................Q.......................r.................!.....s.......................S.....w.................6....._.....p.................T.....w.......................#.......................$.................2.....K...........B.......................s.................,.............................P.....r.................0.....].
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):476208
                    Entropy (8bit):5.4272499712806965
                    Encrypted:false
                    SSDEEP:
                    MD5:622ED80836E0EF3F949ED8A379CBE6DF
                    SHA1:9A94CD80E747B88582470EF49B7337B9E5DE6C28
                    SHA-256:560B2F09C1B6E6BB7E6A5A5F9BF85A88BD2ACA054B7D4A5955D9C91B6D7CA67C
                    SHA-512:950627E74180E1451BB35AE4A7416AC14D42D67BBBB59DC51D7B69E4CEB61715F8F9B0EB9D7F35FCEFD4D43FABE5CE2103F1AF3709CAE6733C25AC19E6339A83
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):491139
                    Entropy (8bit):5.362822162782947
                    Encrypted:false
                    SSDEEP:
                    MD5:C8378A81039DB6943F97286CC8C629F1
                    SHA1:758D9AB331C394709F097361612C6D44BDE4E8FE
                    SHA-256:318FB294CE025BDA7636B062CA7B6A1FB1E30C485D01856159CB5DB928782818
                    SHA-512:6687FFE4DE0D5A2314743EB3134096292724163D4E0332D2F47922B4807B0CDE7C20E2D57D2662E403D801BC7A20BC247F5D0EDD787AB650E5766B49AF7D3C63
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):550453
                    Entropy (8bit):5.757462673735937
                    Encrypted:false
                    SSDEEP:
                    MD5:80C5893068C1D6CE9AEF23525ECAD83C
                    SHA1:A2A7ADEE70503771483A2500786BF0D707B3DF6B
                    SHA-256:0069648995532EFD5E8D01CC6F7DD75BD6D072E86C3AE06791088A1A9B6DACC4
                    SHA-512:3D1C41A851E1CF7247539B196AD7D8EE909B4F47C3CFB5BA5166D82CDA1C38049B81A109C23FA6D887490E42EE587CC2A6BD96A3EA890267C089AC74710C755F
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):516256
                    Entropy (8bit):5.426294949123783
                    Encrypted:false
                    SSDEEP:
                    MD5:3BA426E91C34E1C33F13912974835F7D
                    SHA1:467A1B05BAD23252A08EE22E6B9EBB4404F6A0F0
                    SHA-256:CB66D88D3B3938FE1E42C50ECB85CEDB0D57E0F0AB2FA2A5FC0E4CDEA640E2B7
                    SHA-512:824A4301DC4D935FF34CE88FAA0354440FC1A3A8E79B0F4B0B2DCC8F12542ECEF65828FB930EDF5B35BF16863296BBAE39E9306962B4D3CFA9F6495AC05BDEF4
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):518861
                    Entropy (8bit):5.4029194034596575
                    Encrypted:false
                    SSDEEP:
                    MD5:4D7D724BE592BD0280ED28388EAA8D43
                    SHA1:8E3C46B77639EB480A90AD27383FBB14C4176960
                    SHA-256:4724D82866C0A693C2B02D1FFA67D880B59CDB0D3334317B34EC0C91C3D3E2A2
                    SHA-512:D05388F66C50E039F7D3393515740F6B2593F9C0EF8651F9CDE910C5FF06656E0D22FDB066B22665289EE495837EA16CC085ECB3F85B0F6FB498AECDAA19ADF7
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):537125
                    Entropy (8bit):5.4566742297332596
                    Encrypted:false
                    SSDEEP:
                    MD5:4F1C0A8632218F6FEF6BAB0917BEB84F
                    SHA1:05E497C8525CB1ADE6A0DAEFE09370EC45176E35
                    SHA-256:9C19835F237B1427000D72C93703311CFCBEFF6C2B709474B16DB93E629BC928
                    SHA-512:A7CDF94F79CD888BB81FD167F6B09BF1BEF2C749218869E5A12A0A3B2C2506D1A63F64B63D8E48EA49375636041C639082563BF9D526FE44003FC5A5E8D50E9D
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):878725
                    Entropy (8bit):4.848685093578222
                    Encrypted:false
                    SSDEEP:
                    MD5:3A3D0D865A78399306924D3ED058274E
                    SHA1:AA1A42DB6021666B2297A65094D29978792CE29B
                    SHA-256:EAB4C32FEBE084CC7A3A272CDA008B69D6617ED6D042376B0316BE185B9E66FE
                    SHA-512:ACA8C87D0B2BB35A325726F7774F8A0232B99C8EFE0F948AB68210958E23B95E9D9026A9430D96FC2D5CEBA94815F4217896EF877C9A6E1D0E56F73533FB1D12
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):553886
                    Entropy (8bit):5.812150703289796
                    Encrypted:false
                    SSDEEP:
                    MD5:A9656846F66A36BB399B65F7B702B47D
                    SHA1:4B2D6B391C7C2B376534C0AF9AA6779755B4B74E
                    SHA-256:02B65F48375911C821786D91698E31D908A4C0F5F4F1460DE29980A71124480E
                    SHA-512:7E23CAA89FF80BF799AC5353CEAF344CBED0393F23D15FCBE8DC24EE55757F417CEA3BFC30889FD2CB41951F9FA5629C2E64B46DD9617D4A85EFEF0A255246F6
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):532410
                    Entropy (8bit):5.486224954097277
                    Encrypted:false
                    SSDEEP:
                    MD5:BE49BB186EF62F55E27FF6B5FD5933F4
                    SHA1:84CFD05C52A09B4E6FA62ADCAF71585538CF688E
                    SHA-256:833F2E1B13381AA874E90B747931945B1637E53F2396A7409CCDA0A19CBE7A84
                    SHA-512:1808631559D3C28589D3F5A4B95554CEBC342DE3D71B05DDC213F34851BF802967BFFAC3D7668C487265EE245D1E26EFCE5D317EDBFBBEEB4BC2C9F122980585
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):818089
                    Entropy (8bit):4.779985663253385
                    Encrypted:false
                    SSDEEP:
                    MD5:AFA2DFBA3BD71FE0307BFFB647CDCD98
                    SHA1:CD7A5C54246E891981AEEEAA88D39EC9E3F2C594
                    SHA-256:1375353837629A20102C69BF62701EE5401BED84D3DC4845BED5EE43E4D322CF
                    SHA-512:CE8BBBDDC33CB6B8DF4AEE127A8987E6D8C1D0761AC5BD25D685310BAA2D377F239BDF06F2C04B54295CF8FD440697A69A040644D5A7C0395C4F71A0252B8E87
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):479512
                    Entropy (8bit):5.541069475898216
                    Encrypted:false
                    SSDEEP:
                    MD5:09592A0D35100CD9707C278C9FFC7618
                    SHA1:B23EEF11D7521721A7D6742202209E4FE0539566
                    SHA-256:9C080A2F6D4EDF0E2E94F78550B9DB59ADF5B1B9166DE2BAE496E6ABB6733304
                    SHA-512:E0760B3F227A3E7EAEB4816B8E02BEE51C62730D24403724D66B36BCCBC0BDCD56DF9EAB28B073AB727EE12C8856A858E52A9803E1A1C9164FCD3CF2F716D8AF
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):504856
                    Entropy (8bit):5.34516819438501
                    Encrypted:false
                    SSDEEP:
                    MD5:9E038A0D222055FED6F1883992DCA5A8
                    SHA1:8FA17648492D7F093F89E8E98BF29C3725E3B4B5
                    SHA-256:DDCA575D659545D80E715EB4176BBBBFBD3F75E24B223537B53740B0DCB282BD
                    SHA-512:FB70F97E08191DFEB18E8F1A09A3AB61687E326265B1349AB2EFF5055F57E177A496BF0EA3592B61C71FE1F73C9143CA1495B05226F36EB481024827CAE6DCC4
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1298313
                    Entropy (8bit):4.058495187693592
                    Encrypted:false
                    SSDEEP:
                    MD5:36104CB0D5E26E0BBB313E529C14F4B4
                    SHA1:69A509DEE8419DA719DCF6DE78BFE0A6737508C5
                    SHA-256:DC28C869A143424F71EDCFDB08B56DA31C2EC96E9D608535FFA7DC0B0842B7D8
                    SHA-512:D46ED1AA19EB298BC4C3D61EFC28D80753D6B551F01808E6158A0869FAAE8755DF61D4B4BAFF1310DD09FCFC385ABA67E1AA7D61BBE399DF7BB2D483EBE0FEFF
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1199612
                    Entropy (8bit):4.314031920337284
                    Encrypted:false
                    SSDEEP:
                    MD5:98714389748A98ECC536CD2F17859BDF
                    SHA1:07761AA31588F30C2CED4A1E31FE99DDC43A5E8D
                    SHA-256:8A81B1A5457407E49D6372677938E7A2D28DFCA69F555FEDC8A2C9C09C333A65
                    SHA-512:38CC4F064BD874EEC9DBFAB4C2A83A487FBCD89CEFB40BE4213C42231BC48AF9255341C9D325EE059BC50EE533898C5FA22CD3B3927A8E045049DEF3C5DFB2C6
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1008989
                    Entropy (8bit):4.356501290091745
                    Encrypted:false
                    SSDEEP:
                    MD5:56F29DE3465795E781A52FCF736BBE08
                    SHA1:EAA406E5ED938468760A29D18C8C3F16CF142472
                    SHA-256:529C561747BF8B6206BE4F8BCF287A1D15E1B14A33113242DDAD5E035CA37BE6
                    SHA-512:519B5B3CC7032B2AF856456EEC25019B3A6A7F2A6DB7A0318CF87C41E08C6F6BFA73E239939B0DA16972C1D357FF06177765D875E19742D23E99A95FD4AC5416
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):515329
                    Entropy (8bit):5.616482888977033
                    Encrypted:false
                    SSDEEP:
                    MD5:46CA9EE922C3C175DE466066F40B29CE
                    SHA1:5563E236A15CD9CC44AE859165DF1E4E722936C7
                    SHA-256:BD8B1441FD2057F0B61512CC0AA23DFD2619560CF886B4D453FA7472E7153A3F
                    SHA-512:45AA2D6896568751C2F986ABD281EA07CB731880DF8F28F2F0AEFD95736F41B1E005D8DFB6F0AEF0CED6CEF94154D34FD0DA2CB7F0B0C66D9C085F5C47F32605
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):876131
                    Entropy (8bit):4.88404350774067
                    Encrypted:false
                    SSDEEP:
                    MD5:1365ABDD1EFB44720EA3975E4A472530
                    SHA1:8421FC4905C592EB1269C5D524AA46866D617D3C
                    SHA-256:29AB0F7EE69FB7A1E1E54DD2A3746D2CFEAAA71AE5971EE30AA8E2E0F6556FA5
                    SHA-512:2E806A9BEA864E689BBD1D78B800DFDBC6E4109320F9A4790E52010BFDEC20C7644655A6FE3BABDE0B84D9580208CB78EF1FA0DB3476F8676C17A13D130296C7
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):765853
                    Entropy (8bit):5.17061834928747
                    Encrypted:false
                    SSDEEP:
                    MD5:3FED15E64BEAFBA75DE61B08A45AE106
                    SHA1:E24953271D8C0254AD011D3A65B2C2FA57903681
                    SHA-256:B6E250C3F4FBAC3AF5FB8BB1C61CACAD8685D7F2A97063DE23BC22E91B7F2E27
                    SHA-512:3948D080135AFEB240815D43F7B5B8D407BA2830FF701D9B8343F2A72E610827EDAAB643444CDCEB86812ADFC9FB3FBA3AAD6DB7488843C2A04E92A3E63FE40D
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):609259
                    Entropy (8bit):5.796202390024141
                    Encrypted:false
                    SSDEEP:
                    MD5:CD741C24AF7597E0DC11069D3AC324E0
                    SHA1:2A883DFBCF48D5093D70D4B77BBFFFA521287334
                    SHA-256:13E982DC4B2B1AEE093E96BA27E02258C2B815CBB062006A4396BB3A3E6A84B1
                    SHA-512:6D27998E25B57FF0CE08C3590B69031038CBA390E68333A83514022B2C56B689AF8AD9715302824027864B5320852E9AB77D74E3B8A90DC66DF59F48CEB528C9
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):441207
                    Entropy (8bit):6.685712707138377
                    Encrypted:false
                    SSDEEP:
                    MD5:99E6ACFB46923C4F8B29058E9EE6166B
                    SHA1:AF06C42E5F3578ADBC4F0BD7262DC6775FDD351F
                    SHA-256:9D8498875263B19552A982D1850F2F942FF44AF4E323BC5A3A67C34413994D95
                    SHA-512:4FDF5186FC2FC68210C2BE91F5B821F0979CA67D6C9B8915C14E7A20D3CE2548EB2660D5F9F398CF6C585A5C0725FA34FD3670F416F7C8A4F009C729BCF02988
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):439630
                    Entropy (8bit):6.6906570508767995
                    Encrypted:false
                    SSDEEP:
                    MD5:BB7C995F257B9125457381BB01856D72
                    SHA1:21C55FF5CBC4F223C23D5A2FBCC9E051DB78A44C
                    SHA-256:F2299E03E99B0E9A9CACE3B1C72E6C8C5FE089487CA1C82F2AAF4273B62E37A2
                    SHA-512:5247C5DA6F00DF6241500524DDB162041A03649FA0AFCC11AD40E820814958768A2E11CE34E1250FDBF42B2459F8C06B00AE7442B537F0731A62C6724FC8D890
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):275968
                    Entropy (8bit):5.778490068583466
                    Encrypted:false
                    SSDEEP:
                    MD5:7EA1429E71D83A1CCAA0942C4D7F1C41
                    SHA1:4CE6ACF4D735354B98F416B3D94D89AF0611E563
                    SHA-256:EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
                    SHA-512:91C90845A12A377B617140B67639CFA71A0648300336D5EDD422AFC362E65C6CCD3A4FF4936D4262B0EAF7BAE2B9624BCD3C7EEC79F7E7CA18ABE1EC62C4C869
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1547797
                    Entropy (8bit):4.370092880615517
                    Encrypted:false
                    SSDEEP:
                    MD5:32AB4E0A9A82245EE3B474EF811F558F
                    SHA1:9F2C4C9EEB5720D765F2321ACD0FF9F8DD11E6A4
                    SHA-256:9BBF4D15F8FB11F7D2C032BD920D2A33B2C2CB8EF62E7E023049AF6132F5D6C1
                    SHA-512:A0574A170F69F9926C32BAF6119A16A381FEC9E881B304082859EE7CFF463570C78984EE14369C59CDB19E532B3ABF193D02B462F1B40D07214B6244150CD63F
                    Malicious:false
                    Reputation:unknown
                    Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>log4net</name>.. </assembly>.. <members>.. <member name="T:log4net.Appender.AdoNetAppender">.. <summary>.. Appender that logs to a database... </summary>.. <remarks>.. <para>.. <see cref="T:log4net.Appender.AdoNetAppender"/> appends logging events to a table within a.. database. The appender can be configured to specify the connection .. string by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionString"/> property. .. The connection type (provider) can be specified by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionType"/>.. property. For more information on database connection strings for.. your specific database see <a href="http://www.connectionstrings.com/">http://www.connectionstrings.com/</a>... </para>.. <para>.. Record
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):342741
                    Entropy (8bit):5.496697631795104
                    Encrypted:false
                    SSDEEP:
                    MD5:A58DB728B50E6B82CBDCAA0DB61D36B1
                    SHA1:7CD76526CB29A0FF5350A2B52D48D1886360458B
                    SHA-256:BA2F2AC6AE9BC67399728F25772A0EB3E840695395CC747ADF4B2F8B5D6D9A46
                    SHA-512:0DB9AFBDADA44364521D89BAB6055458125F4F3C8C1B09048EAFA4055A194231CCFFD82FCDADA9360AB2B19F472B893330EBFCB027391E7A0C2B1100FC51E673
                    Malicious:false
                    Reputation:unknown
                    Preview:..mirrors....(function(a,b){."use strict";.var c=a.Array;.var d=a.isNaN;.var e=a.JSON.stringify;.var f;.var g;.var h=b.ImportNow("promise_state_symbol");.var i=b.ImportNow("promise_result_symbol");.var j;.var k;.b.Import(function(l){.f=l.MapEntries;.g=l.MapIteratorNext;.j=l.SetIteratorNext;.k=l.SetValues;.});.var m={.UNDEFINED_TYPE:'undefined',.NULL_TYPE:'null',.BOOLEAN_TYPE:'boolean',.NUMBER_TYPE:'number',.STRING_TYPE:'string',.SYMBOL_TYPE:'symbol',.OBJECT_TYPE:'object',.FUNCTION_TYPE:'function',.REGEXP_TYPE:'regexp',.ERROR_TYPE:'error',.PROPERTY_TYPE:'property',.INTERNAL_PROPERTY_TYPE:'internalProperty',.FRAME_TYPE:'frame',.SCRIPT_TYPE:'script',.CONTEXT_TYPE:'context',.SCOPE_TYPE:'scope',.PROMISE_TYPE:'promise',.MAP_TYPE:'map',.SET_TYPE:'set',.ITERATOR_TYPE:'iterator',.GENERATOR_TYPE:'generator',.}.var n=0;.var o=-1;.var p=[];.var q=true;.function MirrorCacheIsEmpty(){.return n==0&&p.length==0;.}.function ToggleMirrorCache(r){.q=r;.ClearMirrorCache();.}.function ClearMirrorCache(r){.
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8226870
                    Entropy (8bit):7.996842728494533
                    Encrypted:true
                    SSDEEP:
                    MD5:F7EC58AEA756F3FD8A055AC582103A78
                    SHA1:086B63691F5E5375A537E99E062345F56512A22C
                    SHA-256:517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
                    SHA-512:C620C6E16BBCEE9BC607E6CA75D602C756276AC69E5F3761D82DE7728164133656A71A69043EB1A86CE3051FDE4327A47EFD41D1FF47C8385699CA67C423AD7B
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):276319
                    Entropy (8bit):4.242318669799302
                    Encrypted:false
                    SSDEEP:
                    MD5:8234983533FA47D2A1D7710FF8274299
                    SHA1:E4C5793B6FE6A6C6C9D8E3921B3BC341AE3448D8
                    SHA-256:F95553D8066144CBB8A05EED1735C94A4B97A2E44E49F624C2302990A13017C9
                    SHA-512:1E7E201B0FF9AFA7821B5FFD0A36548A49CD4DBBABA5858E13DA35058670A5053723DD3544B2FD85C619F2B8FC9E5DB48DF977BB293E7BA7DE6F22CC8DAB28CA
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):26
                    Entropy (8bit):3.8731406795131327
                    Encrypted:false
                    SSDEEP:
                    MD5:2C66F3C2190A84FAFD4449DAF6440EAC
                    SHA1:7B9E4C94329FE26C34E63AB8336227FD5EB553E9
                    SHA-256:58EB97E30289A3FCAE270DBCC01258A862936350CB0EF781AE76D6A9444C0155
                    SHA-512:62713209575426CE503605C6F451E9DFB025BE0295F0A453614862CE390F5987F0E16BAE6B37B4B1A7330A7CB5AA31249F8CF58DE37B8B701C16881E4E4E61C1
                    Malicious:false
                    Reputation:unknown
                    Preview:start GamePall.exe OuWe5kl
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:MSVC program database ver 7.00, 512*4023 bytes
                    Category:dropped
                    Size (bytes):2059776
                    Entropy (8bit):4.067542396670122
                    Encrypted:false
                    SSDEEP:
                    MD5:70F9EAEA8A2A604E59F72EDE66F83AB4
                    SHA1:0AB9EA1BFFDFF471EC22AB289C7FBC5E0CDF48BF
                    SHA-256:38A07BA75CC2BBDF715CA87D380A4E5A0DCFAF9C30C5ECD30F6107871D51825B
                    SHA-512:47DE4DAD93385A4907FADE307040FE026ED66989C0C9915AFC96CB2BC93DE5E106DC1274E4AD2382021C758C60FEDE06D68998CF3591E23E2951778CE09D6D4C
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):346624
                    Entropy (8bit):6.54104466243173
                    Encrypted:false
                    SSDEEP:
                    MD5:7A53AD3E5D2E65C982450E7B7453DE8A
                    SHA1:99F27E54F1F61207C02110CAC476405557A8AD54
                    SHA-256:24FDDD6A367792A9D86D9060FC9AA459B5FB0F67804CB7D139A100D86BBDAFF8
                    SHA-512:2B5E5DB46FDC787CB46CDAEBFFC01586E248FBB864677B27AF03CDC33E956DEF51B3F836597E7092C4175CF605C44728C6F96B74BB2C9870E9715D4AF4C531A1
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2445312
                    Entropy (8bit):6.750207745422387
                    Encrypted:false
                    SSDEEP:
                    MD5:334C3157E63A34B22CCE25A44A04835F
                    SHA1:C6B05BD55BE9FED3B0C5077C5649E2A41C10DC08
                    SHA-256:3E307570B574469EC8BCF1CE6D5291DF8D627CA3812F05AACFEBBD3F00B17F89
                    SHA-512:11F538ADD05515861891892EBB90163B6540B72FEB380D64B4A0AA56C6415E3B71374557BF50D0B936712B1006F2B94D59BEBFBF18CBF93BB883D9055CAAEEE9
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):631017
                    Entropy (8bit):5.144793130466209
                    Encrypted:false
                    SSDEEP:
                    MD5:0794DF29DF8DFC3ECE5C443F864F5AEB
                    SHA1:BFD4A9A34BEB9751BC4203FB9A9172F1F05E5B16
                    SHA-256:3EE2237E9B14871165B051CCF892C8375E45B5F12841E02F4B9D37F5D5A03283
                    SHA-512:0D34E36F7455B977F086F04840FBA679284A619A7164A56B5C7FC2ADCB23A231B67A62101540EB07CF5C8192790266B08D2CC232D291621C331FE77C1F5E52C0
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):4400640
                    Entropy (8bit):6.667314807988382
                    Encrypted:false
                    SSDEEP:
                    MD5:7F913E31D00082338F073EF60D67B335
                    SHA1:AC831B45F2A32E23BA9046044508E47E04CDA3A4
                    SHA-256:B60E9818C4EA9396D0D2D2A4AC79C7DC40D0DFF6BB8BC734D0AB14ADC30FBF30
                    SHA-512:E1AC79C775CF9137283CD2C1AE1A45EC597E0351CDB9C11D483E2E1F8B00CC2BBC5807A50DED13A3A5E76F06C1A565EFF1233F4EC727B0C5F7AA3BEAEA906750
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):106
                    Entropy (8bit):4.724752649036734
                    Encrypted:false
                    SSDEEP:
                    MD5:8642DD3A87E2DE6E991FAE08458E302B
                    SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                    SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                    SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                    Malicious:false
                    Reputation:unknown
                    Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):826368
                    Entropy (8bit):6.78646032943732
                    Encrypted:false
                    SSDEEP:
                    MD5:A031EB19C61942A26EF74500AD4B42DF
                    SHA1:FDC6EA473234F153639E963E8EFB8D028DA1BE20
                    SHA-256:207706A3A3FAA8500F88CB034B26413074EFC67221A07C5F70558F3C40985A91
                    SHA-512:80F843E47FC2B41B17EF6EA1BB2BB04119B2417311599EC52120D9F9DF316B4D7B1DAF97EE5CDF2AE78CDB9475E5C65255A7F2AB2A9231804F6A82C83303FD19
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Process:C:\Users\user\AppData\Local\Temp\setup.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):211456
                    Entropy (8bit):6.566524833521835
                    Encrypted:false
                    SSDEEP:
                    MD5:6D7FD214164C858BBCF4AA050C114E8C
                    SHA1:B8868DA6BB9A79EE7C9901A9BFAC580D5BAFCC96
                    SHA-256:3F58FB22BD1A1159C351D125BEE122A16BB97BABB5FCA67FDBD9AAAED3B302E6
                    SHA-512:0F8F2523C3A616AC7C72A1239B7E353F6A684FF75DA79D1CAF9B98A47FF6FE06329165825704C67C04E92073BA2C17D0FF339C57731DDF0F1489C2E97D1D0A14
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Process:C:\Windows\explorer.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):41369
                    Entropy (8bit):6.598692343310211
                    Encrypted:false
                    SSDEEP:
                    MD5:C280B435AE8E9BCF43B221DF43E9FC65
                    SHA1:5185A39475DE9E0B98F1FABA04A9E3BF9E3D5D76
                    SHA-256:FA39D4DBBF0828F381CF30ADFB6B5F3C207E86D22ECCBFCC4D4ECD90573E4B6B
                    SHA-512:1AB923C51AF946EA21FEF2056618B4180AE9933EE9BEFE100D61E6039CFC8A959C9E8ECCCF0EDBB6D23C545F8F81336C5555EB8694BB0C89B600A8AA2F7DD878
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 61%
                    Reputation:unknown
                    Process:C:\Windows\explorer.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):26
                    Entropy (8bit):3.95006375643621
                    Encrypted:false
                    SSDEEP:
                    MD5:187F488E27DB4AF347237FE461A079AD
                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                    Malicious:true
                    Reputation:unknown
                    Preview:[ZoneTransfer]....ZoneId=0
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):6.598692343310211
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • VXD Driver (31/22) 0.00%
                    File name:37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe
                    File size:41'369 bytes
                    MD5:c280b435ae8e9bcf43b221df43e9fc65
                    SHA1:5185a39475de9e0b98f1faba04a9e3bf9e3d5d76
                    SHA256:fa39d4dbbf0828f381cf30adfb6b5f3c207e86d22eccbfcc4d4ecd90573e4b6b
                    SHA512:1ab923c51af946ea21fef2056618b4180ae9933ee9befe100d61e6039cfc8a959c9e8ecccf0edbb6d23c545f8f81336c5555eb8694bb0c89b600a8aa2f7dd878
                    SSDEEP:768:Z/8mWE+vcY96DhR8ZSDc28hO3c3VgDeoVZnE:2a+0Y96DhR8658533s
                    TLSH:F003E0910630D86FFAAD143214CFC72AE333A6F2260B176545751AE62446EE6E17373D
                    File Content Preview:MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L..../|f...............H............@2............@........................................................................
                    Icon Hash:90cececece8e8eb0
                    Entrypoint:0x403240
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    DLL Characteristics:
                    Time Stamp:0x667C2F99 [Wed Jun 26 15:11:21 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:1
                    OS Version Minor:0
                    File Version Major:1
                    File Version Minor:0
                    Subsystem Version Major:1
                    Subsystem Version Minor:0
                    Import Hash:
                    Instruction
                    call 00007FB1ACB29605h
                    jne 00007FB1ACB29606h
                    je 00007FB1ACB29604h
                    push 0000005Bh
                    jmp 00007FB1ACB2960Ch
                    add al, 81h
                    jmp 00007FB1ACB29647h
                    xor al, byte ptr [eax]
                    add bl, ch
                    add eax, 04F5EB02h
                    add dh, byte ptr [eax+ecx+75h]
                    push es
                    int3
                    mov esi, 07B12E31h
                    push 00000030h
                    jne 00007FB1ACB29607h
                    je 00007FB1ACB29605h
                    push FFFFFF9Fh
                    add esp, 04h
                    mov edx, dword ptr [esp-04h]
                    jmp 00007FB1ACB29608h
                    add byte ptr [ecx], ch
                    shr bl, 00000005h
                    and bl, ch
                    stc
                    add byte ptr [eax], ah
                    jmp 00007FB1ACB29607h
                    les edx, edi
                    and bh, dh
                    and ah, byte ptr [ebx+eax+02h]
                    je 00007FB1ACB29609h
                    jne 00007FB1ACB29607h
                    cmpsd
                    add al, 27h
                    xor eax, dword ptr [ebp+00A4B0FFh]
                    add byte ptr [eax], al
                    jne 00007FB1ACB29607h
                    je 00007FB1ACB29605h
                    xor byte ptr [esi-17h], ah
                    pop ecx
                    jmp 00007FB1ACB29608h
                    cmc
                    and bh, dh
                    and dl, byte ptr [eax+06F980A0h]
                    jl 00007FB1ACB29672h
                    jmp 00007FB1ACB2960Ch
                    xor byte ptr [esi-48h], cl
                    sbb dword ptr [eax+5Eh], edx
                    jmp 00007FB1ACB29607h
                    out dx, al
                    and bl, ch
                    clc
                    stosd
                    jmp 00007FB1ACB29608h
                    cdq
                    and bh, dh
                    and cl, byte ptr [eax+48B60F88h]
                    add ch, bl
                    add eax, F7208C8Ch
                    and al, byte ptr [ebx+10EB01C1h]
                    xchg eax, ebx
                    inc esi
                    sti
                    mov eax, dword ptr [ecx+51h]
                    mov eax, dword ptr [esp]
                    add esp, 04h
                    jmp 00007FB1ACB29607h
                    jmp 00007FB19BA681B9h
                    jmp 00007FB1ACB29617h
                    cmpsb
                    cmpsd
                    shl byte ptr [ecx], 1
                    mov ah, 7Bh
                    push 000031F1h
                    mov ecx, dword ptr [esp]
                    add esp, 04h
                    jmp 00007FB1ACB29607h
                    xor ebx, dword ptr [eax]
                    jmp 00007FB1ACB295F1h
                    inc edi
                    jmp 00007FB1ACB29603h
                    dec esi
                    Name                                   Virtual Address  Virtual Size  Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_IMPORT           0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_RESOURCE         0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_BASERELOC        0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_IAT              0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
                    Name:             .text
                    Virtual Address:  0x1000
                    Virtual Size:     0x9180
                    Raw Size:         0x9200
                    MD5:              7d99401ab2526312d8e220cfa00a4fea
                    Xored PE:         False
                    ZLIB Complexity:  0.7697185359589042
                    File Type:        data
                    Entropy:          7.062241098302679
                    Characteristics:  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                    Target ID:0
                    Start time:19:31:50
                    Start date:02/07/2024
                    Path:C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe"
                    Imagebase:0x400000
                    File size:41'369 bytes
                    MD5 hash:C280B435AE8E9BCF43B221DF43E9FC65
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1691624070.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1691624070.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1691528939.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1691528939.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                    Reputation:low
                    Has exited:true

                    Target ID:1
                    Start time:19:31:56
                    Start date:02/07/2024
                    Path:C:\Windows\explorer.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Explorer.EXE
                    Imagebase:0x7ff72b770000
                    File size:5'141'208 bytes
                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:false

                    Target ID:3
                    Start time:19:32:15
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\etvjrtf
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Roaming\etvjrtf
                    Imagebase:0x400000
                    File size:41'369 bytes
                    MD5 hash:C280B435AE8E9BCF43B221DF43E9FC65
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000003.00000002.1924153562.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000003.00000002.1924153562.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000003.00000002.1923776407.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000003.00000002.1923776407.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 61%, ReversingLabs
                    Reputation:low
                    Has exited:true

                    Target ID:6
                    Start time:19:32:27
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Local\Temp\DBD3.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\DBD3.exe
                    Imagebase:0x620000
                    File size:6'642'176 bytes
                    MD5 hash:BD2EAC64CBDED877608468D86786594A
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2037792556.000000000169D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2024545560.000000000169D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2022920516.000000000169D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 50%, ReversingLabs
                    Reputation:low
                    Has exited:true

                    Target ID:7
                    Start time:19:32:35
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Local\Temp\FD47.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\FD47.exe
                    Imagebase:0x400000
                    File size:293'869 bytes
                    MD5 hash:60172CA946DE57C3529E9F05CC502870
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 21%, ReversingLabs
                    Reputation:low
                    Has exited:true

                    Target ID:9
                    Start time:19:32:41
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Local\Temp\1B6E.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\1B6E.exe
                    Imagebase:0xa20000
                    File size:578'048 bytes
                    MD5 hash:DA4B6F39FC024D2383D4BFE7F67F1EE1
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 16%, ReversingLabs
                    Reputation:low
                    Has exited:true

                    Target ID:11
                    Start time:19:33:55
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Local\Temp\setup.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\Temp\setup.exe"
                    Imagebase:0x400000
                    File size:107'232'830 bytes
                    MD5 hash:FF2293FBFF53F4BD2BFF91780FABFD60
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 3%, ReversingLabs
                    Reputation:low
                    Has exited:true

                    Target ID:12
                    Start time:19:34:25
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Imagebase:0x3b0000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 3%, ReversingLabs
                    Reputation:low
                    Has exited:true

                    Target ID:14
                    Start time:19:34:30
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3300 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                    Imagebase:0x9b0000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:15
                    Start time:19:34:30
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3972 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                    Imagebase:0x450000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:16
                    Start time:19:34:30
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3996 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                    Imagebase:0xc70000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:17
                    Start time:19:34:30
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171165647 --mojo-platform-channel-handle=4028 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                    Imagebase:0xd70000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:18
                    Start time:19:34:30
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171215235 --mojo-platform-channel-handle=4164 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                    Imagebase:0x800000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:19
                    Start time:19:34:30
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0xc50000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:20
                    Start time:19:34:31
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0xb30000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:21
                    Start time:19:34:31
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0x1e0000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:22
                    Start time:19:34:32
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0xf80000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:23
                    Start time:19:34:34
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0xff0000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:false

                    Target ID:24
                    Start time:19:34:34
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0x30000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:25
                    Start time:19:34:34
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0x4d0000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:26
                    Start time:19:34:35
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0xe90000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:27
                    Start time:19:34:35
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0xa20000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:false

                    Target ID:28
                    Start time:19:34:36
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0x3b0000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:29
                    Start time:19:34:36
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0x60000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:30
                    Start time:19:34:36
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0x9d0000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:31
                    Start time:19:34:37
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0x710000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:false

                    Target ID:32
                    Start time:19:34:38
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0x690000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:false

                    Target ID:33
                    Start time:19:34:38
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0xcd0000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:34
                    Start time:19:34:38
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0xc40000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:35
                    Start time:19:34:39
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0x9a0000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:36
                    Start time:19:34:39
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0xc90000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:37
                    Start time:19:34:39
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0xb30000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:38
                    Start time:19:34:40
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0xc0000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:39
                    Start time:19:34:40
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0x1c0000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:40
                    Start time:19:34:40
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                    Imagebase:0xcf0000
                    File size:296'448 bytes
                    MD5 hash:7A3502C1119795D35569535DE243B6FE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true


                      Execution Graph

                      Execution Coverage:6.9%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:74.3%
                      Total number of Nodes:70
                      Total number of Limit Nodes:1
                      execution_graph 2277 401543 2278 401546 2277->2278 2279 4015e6 NtDuplicateObject 2278->2279 2288 401702 2278->2288 2280 401603 NtCreateSection 2279->2280 2279->2288 2281 401683 NtCreateSection 2280->2281 2282 401629 NtMapViewOfSection 2280->2282 2283 4016af 2281->2283 2281->2288 2282->2281 2284 40164c NtMapViewOfSection 2282->2284 2285 4016b9 NtMapViewOfSection 2283->2285 2283->2288 2284->2281 2286 40166a 2284->2286 2287 4016e0 NtMapViewOfSection 2285->2287 2285->2288 2286->2281 2287->2288 2301 402e63 2302 402e67 2301->2302 2303 402f44 2302->2303 2304 401918 8 API calls 2302->2304 2304->2303 2341 401924 2342 401929 2341->2342 2343 40195e Sleep 2342->2343 2344 401979 2343->2344 2345 401538 7 API calls 2344->2345 2346 40198a 2344->2346 2345->2346 2267 402fe9 2268 403140 2267->2268 2269 403013 2267->2269 2269->2268 2270 4030ce RtlCreateUserThread NtTerminateProcess 2269->2270 2270->2268 2363 401496 2364 401447 2363->2364 2364->2363 2365 4015e6 NtDuplicateObject 2364->2365 2374 40152f 2364->2374 2366 401603 NtCreateSection 2365->2366 2365->2374 2367 401683 NtCreateSection 2366->2367 2368 401629 NtMapViewOfSection 2366->2368 2369 4016af 2367->2369 2367->2374 2368->2367 2370 40164c NtMapViewOfSection 2368->2370 2371 4016b9 NtMapViewOfSection 2369->2371 2369->2374 2370->2367 2372 40166a 2370->2372 2373 4016e0 NtMapViewOfSection 2371->2373 2371->2374 2372->2367 2373->2374 2245 402eb7 2246 402eb8 2245->2246 2248 402f44 2246->2248 2249 401918 2246->2249 2250 401929 2249->2250 2251 40195e Sleep 2250->2251 2252 401979 2251->2252 2254 40198a 2252->2254 2255 401538 2252->2255 2254->2248 2256 401539 2255->2256 2257 4015e6 NtDuplicateObject 2256->2257 2264 401702 2256->2264 2258 401603 NtCreateSection 2257->2258 2257->2264 2259 401683 NtCreateSection 2258->2259 2260 401629 NtMapViewOfSection 2258->2260 2261 4016af 2259->2261 2259->2264 2260->2259 2262 40164c NtMapViewOfSection 2260->2262 2263 4016b9 NtMapViewOfSection 2261->2263 2261->2264 2262->2259 2265 40166a 2262->2265 2263->2264 2266 4016e0 NtMapViewOfSection 2263->2266 2264->2254 2265->2259 2266->2264 2347 4014de 2348 401447 2347->2348 2349 4015e6 NtDuplicateObject 2348->2349 2356 40152f 2348->2356 2350 401603 NtCreateSection 2349->2350 2349->2356 2351 401683 NtCreateSection 2350->2351 2352 401629 NtMapViewOfSection 2350->2352 2353 4016af 2351->2353 2351->2356 2352->2351 2354 40164c NtMapViewOfSection 2352->2354 2355 4016b9 NtMapViewOfSection 2353->2355 2353->2356 2354->2351 2357 40166a 2354->2357 2355->2356 2358 4016e0 NtMapViewOfSection 2355->2358 2357->2351 2358->2356

                      Control-flow Graph

                      control_flow_graph 0 401496-4014a5 1 4014a7 0->1 2 40151b-40152d 0->2 4 4014a9-4014b5 1->4 5 4014cf 1->5 10 4014ba 2->10 11 40152f-401535 2->11 7 401471-401472 4->7 8 4014b7-4014b8 4->8 9 4014d6 5->9 13 401473-401484 7->13 8->10 12 401449 8->12 9->9 14 4014d8 9->14 17 401447-401456 10->17 18 4014bc-4014c3 10->18 15 40147b-40148e call 4011b7 12->15 16 40144b 12->16 13->15 14->2 15->0 21 40144c-401470 16->21 17->21 22 4014c5-4014c8 18->22 23 401539-401567 18->23 21->13 22->5 34 401558-401563 23->34 35 40156a-401590 call 4011b7 23->35 34->35 42 401592 35->42 43 401595-40159a 35->43 42->43 45 4015a0-4015b1 43->45 46 4018b8-4018c0 43->46 50 4018b6-4018c5 45->50 51 4015b7-4015e0 45->51 46->43 54 4018da 50->54 55 4018cb-4018d6 50->55 51->50 59 4015e6-4015fd NtDuplicateObject 51->59 54->55 56 4018dd-401915 call 4011b7 54->56 55->56 59->50 62 401603-401627 NtCreateSection 59->62 64 401683-4016a9 NtCreateSection 62->64 65 401629-40164a NtMapViewOfSection 62->65 64->50 66 4016af-4016b3 64->66 65->64 67 40164c-401668 NtMapViewOfSection 65->67 66->50 69 4016b9-4016da NtMapViewOfSection 66->69 67->64 71 40166a-401680 67->71 69->50 72 4016e0-4016fc NtMapViewOfSection 69->72 71->64 72->50 74 401702 call 401707 72->74
                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                      Memory Dump Source
                      • Source File: 00000000.00000002.1691577546.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1691561440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691592921.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691607659.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.jbxd
                      Similarity
                      • API ID: Section$CreateDuplicateObjectView
                      • String ID:
                      • API String ID: 1652636561-0
                      • Opcode ID: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
                      • Instruction ID: 8e4940cc2d5d294876689a6a874cb0cc3c399929e81e9dec1e5d288c8cd9e9dd
                      • Opcode Fuzzy Hash: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
                      • Instruction Fuzzy Hash: F481B375500244BBEB209F91CC44FAB7BB8FF85704F10412AF952BA2F1E7749901CB69

                      Control-flow Graph

                      control_flow_graph 78 401538-401567 84 401558-401563 78->84 85 40156a-401590 call 4011b7 78->85 84->85 92 401592 85->92 93 401595-40159a 85->93 92->93 95 4015a0-4015b1 93->95 96 4018b8-4018c0 93->96 100 4018b6-4018c5 95->100 101 4015b7-4015e0 95->101 96->93 104 4018da 100->104 105 4018cb-4018d6 100->105 101->100 109 4015e6-4015fd NtDuplicateObject 101->109 104->105 106 4018dd-401915 call 4011b7 104->106 105->106 109->100 112 401603-401627 NtCreateSection 109->112 114 401683-4016a9 NtCreateSection 112->114 115 401629-40164a NtMapViewOfSection 112->115 114->100 116 4016af-4016b3 114->116 115->114 117 40164c-401668 NtMapViewOfSection 115->117 116->100 119 4016b9-4016da NtMapViewOfSection 116->119 117->114 121 40166a-401680 117->121 119->100 122 4016e0-4016fc NtMapViewOfSection 119->122 121->114 122->100 124 401702 call 401707 122->124
                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1691577546.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1691561440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691592921.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691607659.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
                      • Instruction ID: 71a4d0092025beca94809e07d65936591d52f1bb8effc294688e3fcd05e54c36
                      • Opcode Fuzzy Hash: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
                      • Instruction Fuzzy Hash: E0615171900204FBEB209F95CC89FAF7BB8FF85700F10412AF912BA2E5D6759905DB65

                      Control-flow Graph

                      control_flow_graph 128 4014de-4014ed 129 401563 128->129 130 4014ef 128->130 131 40156a-401590 call 4011b7 129->131 132 401551-401552 130->132 133 4014f1-401502 130->133 153 401592 131->153 154 401595-40159a 131->154 132->129 135 401504-401516 133->135 136 40151d-40152d 133->136 139 40151b-40151c 135->139 140 4014ba 136->140 141 40152f-401535 136->141 139->136 143 401447-401456 140->143 144 4014bc-4014c3 140->144 151 40144c-401470 143->151 147 4014c5-4014c8 144->147 148 401539-401567 144->148 152 4014cf 147->152 148->131 166 401558-401560 148->166 167 401473-401484 151->167 157 4014d6 152->157 153->154 164 4015a0-4015b1 154->164 165 4018b8-4018c0 154->165 157->157 160 4014d8 157->160 160->139 173 4018b6-4018c5 164->173 174 4015b7-4015e0 164->174 165->154 166->129 171 40147b-4014a5 call 4011b7 167->171 171->139 184 4014a7 171->184 180 4018da 173->180 181 4018cb-4018d6 173->181 174->173 188 4015e6-4015fd NtDuplicateObject 174->188 180->181 183 4018dd-401915 call 4011b7 180->183 181->183 184->152 187 4014a9-4014b5 184->187 190 401471-401472 187->190 191 4014b7-4014b8 187->191 188->173 193 401603-401627 NtCreateSection 188->193 190->167 191->140 194 401449 191->194 196 401683-4016a9 NtCreateSection 193->196 197 401629-40164a NtMapViewOfSection 193->197 194->171 199 40144b 194->199 196->173 198 4016af-4016b3 196->198 197->196 200 40164c-401668 NtMapViewOfSection 197->200 198->173 202 4016b9-4016da NtMapViewOfSection 198->202 199->151 200->196 204 40166a-401680 200->204 202->173 205 4016e0-4016fc NtMapViewOfSection 202->205 204->196 205->173 207 401702 call 401707 205->207
                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                      Memory Dump Source
                      • Source File: 00000000.00000002.1691577546.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1691561440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691592921.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691607659.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.jbxd
                      Similarity
                      • API ID: Section$CreateDuplicateObjectView
                      • String ID:
                      • API String ID: 1652636561-0
                      • Opcode ID: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
                      • Instruction ID: 6a824664258ffec6fdf95c516407446232c8a84219ad61b9fd4b8efeb52f3576
                      • Opcode Fuzzy Hash: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
                      • Instruction Fuzzy Hash: 9B615C75900245BFEB219F91CC88FEBBBB8FF85710F10016AF951BA2A5E7749901CB24

                      Control-flow Graph

                      control_flow_graph 211 401543-401544 212 401546-401567 211->212 213 4015af-4015b1 211->213 220 401558-401563 212->220 221 40156a-401590 call 4011b7 212->221 215 4018b6-4018c5 213->215 216 4015b7-4015e0 213->216 222 4018da 215->222 223 4018cb-4018d6 215->223 216->215 231 4015e6-4015fd NtDuplicateObject 216->231 220->221 241 401592 221->241 242 401595-40159a 221->242 222->223 226 4018dd-401915 call 4011b7 222->226 223->226 231->215 235 401603-401627 NtCreateSection 231->235 238 401683-4016a9 NtCreateSection 235->238 239 401629-40164a NtMapViewOfSection 235->239 238->215 240 4016af-4016b3 238->240 239->238 243 40164c-401668 NtMapViewOfSection 239->243 240->215 245 4016b9-4016da NtMapViewOfSection 240->245 241->242 254 4015a0-4015ad 242->254 255 4018b8-4018c0 242->255 243->238 247 40166a-401680 243->247 245->215 248 4016e0-4016fc NtMapViewOfSection 245->248 247->238 248->215 251 401702 call 401707 248->251 254->213 255->242
                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1691577546.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1691561440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691592921.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691607659.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
                      • Instruction ID: 1fc6fb52bb36dddf8f971a96ecfe927bdbae9887f6286775c14151e9c1d92244
                      • Opcode Fuzzy Hash: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
                      • Instruction Fuzzy Hash: 13512B71900245BBEB209F91CC88FAF7BB8EF85B00F14416AF912BA2E5D6749945CB64

                      Control-flow Graph

                      control_flow_graph 259 401565-401590 call 4011b7 264 401592 259->264 265 401595-40159a 259->265 264->265 267 4015a0-4015b1 265->267 268 4018b8-4018c0 265->268 272 4018b6-4018c5 267->272 273 4015b7-4015e0 267->273 268->265 276 4018da 272->276 277 4018cb-4018d6 272->277 273->272 281 4015e6-4015fd NtDuplicateObject 273->281 276->277 278 4018dd-401915 call 4011b7 276->278 277->278 281->272 284 401603-401627 NtCreateSection 281->284 286 401683-4016a9 NtCreateSection 284->286 287 401629-40164a NtMapViewOfSection 284->287 286->272 288 4016af-4016b3 286->288 287->286 289 40164c-401668 NtMapViewOfSection 287->289 288->272 291 4016b9-4016da NtMapViewOfSection 288->291 289->286 293 40166a-401680 289->293 291->272 294 4016e0-4016fc NtMapViewOfSection 291->294 293->286 294->272 296 401702 call 401707 294->296
                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1691577546.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1691561440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691592921.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691607659.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
                      • Instruction ID: d88667ffe02cbbb2798d41d5ad0cf6527765788d972b82ac88077c7d238bff09
                      • Opcode Fuzzy Hash: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
                      • Instruction Fuzzy Hash: 54511A71900205BFEF209F91CC89FAFBBB8FF85B10F104259F911AA2A5D7759941CB64

                      Control-flow Graph

                      control_flow_graph 300 401579-401590 call 4011b7 306 401592 300->306 307 401595-40159a 300->307 306->307 309 4015a0-4015b1 307->309 310 4018b8-4018c0 307->310 314 4018b6-4018c5 309->314 315 4015b7-4015e0 309->315 310->307 318 4018da 314->318 319 4018cb-4018d6 314->319 315->314 323 4015e6-4015fd NtDuplicateObject 315->323 318->319 320 4018dd-401915 call 4011b7 318->320 319->320 323->314 326 401603-401627 NtCreateSection 323->326 328 401683-4016a9 NtCreateSection 326->328 329 401629-40164a NtMapViewOfSection 326->329 328->314 330 4016af-4016b3 328->330 329->328 331 40164c-401668 NtMapViewOfSection 329->331 330->314 333 4016b9-4016da NtMapViewOfSection 330->333 331->328 335 40166a-401680 331->335 333->314 336 4016e0-4016fc NtMapViewOfSection 333->336 335->328 336->314 338 401702 call 401707 336->338
                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1691577546.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1691561440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691592921.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691607659.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
                      • Instruction ID: 7169477154cf1621f4f222e223ad54e678f31395e99d0ffd613e12cb64d905d3
                      • Opcode Fuzzy Hash: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
                      • Instruction Fuzzy Hash: 2B511A75900245BBEF209F91CC88FEF7BB8FF85B10F104119F911BA2A5D6759941CB64

                      Control-flow Graph

                      control_flow_graph 342 40157c-401590 call 4011b7 346 401592 342->346 347 401595-40159a 342->347 346->347 349 4015a0-4015b1 347->349 350 4018b8-4018c0 347->350 354 4018b6-4018c5 349->354 355 4015b7-4015e0 349->355 350->347 358 4018da 354->358 359 4018cb-4018d6 354->359 355->354 363 4015e6-4015fd NtDuplicateObject 355->363 358->359 360 4018dd-401915 call 4011b7 358->360 359->360 363->354 366 401603-401627 NtCreateSection 363->366 368 401683-4016a9 NtCreateSection 366->368 369 401629-40164a NtMapViewOfSection 366->369 368->354 370 4016af-4016b3 368->370 369->368 371 40164c-401668 NtMapViewOfSection 369->371 370->354 373 4016b9-4016da NtMapViewOfSection 370->373 371->368 375 40166a-401680 371->375 373->354 376 4016e0-4016fc NtMapViewOfSection 373->376 375->368 376->354 378 401702 call 401707 376->378
                      APIs
                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1691577546.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1691561440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691592921.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691607659.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.jbxd
                      Similarity
                      • API ID: Section$View$Create$DuplicateObject
                      • String ID:
                      • API String ID: 1546783058-0
                      • Opcode ID: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
                      • Instruction ID: 14f4b29c405daff92d21e2b3eea283823ae405efc36948ac0d92101f557811aa
                      • Opcode Fuzzy Hash: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
                      • Instruction Fuzzy Hash: DE51F9B5900245BBEF209F91CC88FEFBBB8FF85B10F104259F911AA2A5D6709944CB64

                      Control-flow Graph

                      control_flow_graph 382 402fe9-40300d 383 403140-403145 382->383 384 403013-40302b 382->384 384->383 385 403031-403042 384->385 386 403044-40304d 385->386 387 403052-403060 386->387 387->387 388 403062-403069 387->388 389 40308b-403092 388->389 390 40306b-40308a 388->390 391 4030b4-4030b7 389->391 392 403094-4030b3 389->392 390->389 393 4030c0 391->393 394 4030b9-4030bc 391->394 392->391 393->386 396 4030c2-4030c7 393->396 394->393 395 4030be 394->395 395->396 396->383 397 4030c9-4030cc 396->397 397->383 398 4030ce-40313d RtlCreateUserThread NtTerminateProcess 397->398 398->383
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1691577546.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1691561440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691592921.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691607659.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.jbxd
                      Similarity
                      • API ID: CreateProcessTerminateThreadUser
                      • String ID:
                      • API String ID: 1921587553-0
                      • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                      • Instruction ID: 3e1675bac70c022a4e457ffe6b5fa54937b73e0116388ba90aec32851b4d9964
                      • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                      • Instruction Fuzzy Hash: A1412431228E088FD768EF5CA885762B7D5F798311F6643AAE809D7389EA34DC1183C5

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 491 401918-401943 496 401946-40197b call 4011b7 Sleep call 40143e 491->496 497 40193a-40193f 491->497 505 40198a-4019d3 call 4011b7 496->505 506 40197d-401985 call 401538 496->506 497->496 506->505
                      APIs
                      • Sleep.KERNELBASE(00001388), ref: 00401966
                        • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                        • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                        • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                      Memory Dump Source
                      • Source File: 00000000.00000002.1691577546.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1691561440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691592921.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691607659.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.jbxd
                      Similarity
                      • API ID: Section$CreateDuplicateObjectSleepView
                      • String ID:
                      • API String ID: 1885482327-0
                      • Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
                      • Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
                      • Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
                      • Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F
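The API chain printed above (NtDuplicateObject, then NtCreateSection with FileHandle 0 and AllocationAttributes 08000000, then NtMapViewOfSection) together with the RtlCreateUserThread / NtTerminateProcess pair in the function at 00402fe9 is the section-mapping injection primitive behind the "Maps a DLL or memory area into another process" and "Creates a thread in another existing process" signatures. The following is an added example and not part of the Joe Sandbox report: a Python parser for the API lines exactly as this report prints them, plus a rule that decodes the argument constants and flags the sequence. The sample trace reuses the four lines above; the RtlCreateUserThread record is constructed, because the report shows that call only as a CFG node, and treating the printed value 000000FF as a truncated current-process pseudo-handle is an assumption. Note that the only NtMapViewOfSection shown here targets the current process; the view mapped into the target process through the duplicated handle is not printed, so the rule reports the view targets it sees rather than assuming a remote one.

```python
"""Decode and flag the section-mapping injection chain from sandbox API lines."""
import re
from dataclasses import dataclass

# Argument constants as they appear in the report's hex output.
SEC_COMMIT = 0x08000000           # AllocationAttributes: pagefile-backed, committed section
SECTION_MAP_WRITE = 0x00000002    # DesiredAccess bits (6 == MAP_WRITE | MAP_READ)
SECTION_MAP_READ = 0x00000004
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# (HANDLE)-1 is the current-process pseudo-handle. The report prints 000000FF;
# this example ASSUMES that is a truncated print of FFFFFFFF.
CURRENT_PROCESS = {0xFFFFFFFF, 0xFF}

# Matches "Name.MODULE(a,b,...), ref: XXXXXXXX" anywhere in the line, so the
# "Part of subcall function ...: " prefix the report adds is ignored.
CALL_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\), ref: ([0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # ints, or None where the report printed '?'
    ref: int     # return address of the call site


def parse_call(line: str) -> ApiCall:
    """Parse one API line in the report's format."""
    m = CALL_RE.search(line)
    if m is None:
        raise ValueError(f"not an API line: {line!r}")
    name, module, raw, ref = m.groups()
    args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")] if raw else []
    return ApiCall(name, module, args, int(ref, 16))


def _val(x):
    """Treat an unresolved '?' argument as 0 when testing flag bits."""
    return x or 0


def analyse(calls):
    """Walk the trace in order and report the injection primitive if present."""
    r = {"sleep_ms": 0, "section": None, "views": [], "thread": False, "verdict": "no finding"}
    for c in calls:
        if c.name == "Sleep":
            r["sleep_ms"] += _val(c.args[0])
        elif c.name == "NtCreateSection":
            # (Handle, DesiredAccess, ObjAttr, MaxSize, PageProtection, AllocAttr, FileHandle)
            r["section"] = {
                "anonymous": _val(c.args[6]) == 0,                  # no backing file
                "writable": bool(_val(c.args[1]) & SECTION_MAP_WRITE),
                "page_protection": PAGE_PROTECT.get(_val(c.args[4]), hex(_val(c.args[4]))),
                "sec_commit": bool(_val(c.args[5]) & SEC_COMMIT),
            }
        elif c.name == "NtMapViewOfSection":
            # (Section, Process, Base, ZeroBits, CommitSize, Offset, ViewSize,
            #  InheritDisposition, AllocationType, Win32Protect)
            target = "local" if _val(c.args[1]) in CURRENT_PROCESS else "remote"
            r["views"].append((target, PAGE_PROTECT.get(_val(c.args[9]), hex(_val(c.args[9])))))
        elif c.name == "RtlCreateUserThread":
            r["thread"] = True
    s = r["section"]
    if s and s["anonymous"] and s["sec_commit"] and r["views"] and r["thread"]:
        r["verdict"] = "section-mapping injection primitive"
    return r


# Constructed sample: the first four lines are copied from the report; the
# RtlCreateUserThread line is made up for the example (the report shows that
# call only as a CFG node at 004030ce-0040313d).
SAMPLE_TRACE = [
    "Sleep.KERNELBASE(00001388), ref: 00401966",
    "Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5",
    "Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622",
    "Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645",
    "RtlCreateUserThread.NTDLL(?,00000000,00000000,00000000,00000000,00000000,?,?,?,?), ref: 0040313D",
]

if __name__ == "__main__":
    result = analyse([parse_call(line) for line in SAMPLE_TRACE])
    for key, value in result.items():
        print(f"{key}: {value}")
```

The rule keys on three facts a hunt query can also use: a section created with no backing file and SEC_COMMIT, at least one view of it mapped, and a thread created afterward. The decoded Sleep(0x1388) is a 5 s delay before the injection routine runs, which is worth recording alongside the finding because short sandbox runs may time out before the chain executes.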

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 520 401924-401943 524 401946-40197b call 4011b7 Sleep call 40143e 520->524 525 40193a-40193f 520->525 533 40198a-4019d3 call 4011b7 524->533 534 40197d-401985 call 401538 524->534 525->524 534->533
                      APIs
                      • Sleep.KERNELBASE(00001388), ref: 00401966
                        • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                        • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                        • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                      Memory Dump Source
                      • Source File: 00000000.00000002.1691577546.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1691561440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691592921.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691607659.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.jbxd
                      Similarity
                      • API ID: Section$CreateDuplicateObjectSleepView
                      • String ID:
                      • API String ID: 1885482327-0
                      • Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
                      • Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
                      • Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
                      • Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 548 401941-40197b call 4011b7 Sleep call 40143e 557 40198a-4019d3 call 4011b7 548->557 558 40197d-401985 call 401538 548->558 558->557
                      APIs
                      • Sleep.KERNELBASE(00001388), ref: 00401966
                        • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                        • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                        • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                      Memory Dump Source
                      • Source File: 00000000.00000002.1691577546.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1691561440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691592921.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691607659.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.jbxd
                      Similarity
                      • API ID: Section$CreateDuplicateObjectSleepView
                      • String ID:
                      • API String ID: 1885482327-0
                      • Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                      • Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
                      • Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                      • Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 572 401954-40197b call 4011b7 Sleep call 40143e 580 40198a-4019d3 call 4011b7 572->580 581 40197d-401985 call 401538 572->581 581->580
                      APIs
                      • Sleep.KERNELBASE(00001388), ref: 00401966
                        • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                        • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                        • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                      Memory Dump Source
                      • Source File: 00000000.00000002.1691577546.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1691561440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691592921.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691607659.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.jbxd
                      Similarity
                      • API ID: Section$CreateDuplicateObjectSleepView
                      • String ID:
                      • API String ID: 1885482327-0
                      • Opcode ID: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
                      • Instruction ID: f7568a5a22988f4b084f7ac8228f9b89e575eda69d31bfffabc36cd9cbe45c64
                      • Opcode Fuzzy Hash: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
                      • Instruction Fuzzy Hash: BDF0C2B6208144F7DB019AA18DB1FBA36299B44314F300233BA17B90F5C67C8612E76F

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 595 40194c-40197b call 4011b7 Sleep call 40143e 602 40198a-4019d3 call 4011b7 595->602 603 40197d-401985 call 401538 595->603 603->602
                      APIs
                      • Sleep.KERNELBASE(00001388), ref: 00401966
                        • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                        • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                        • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                      Memory Dump Source
                      • Source File: 00000000.00000002.1691577546.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1691561440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691592921.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1691607659.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.jbxd
                      Similarity
                      • API ID: Section$CreateDuplicateObjectSleepView
                      • String ID:
                      • API String ID: 1885482327-0
                      • Opcode ID: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
                      • Instruction ID: 9d6088553fbd849a34ffa1589a5f9bffd683413c7e042594889390f4c4f3f426
                      • Opcode Fuzzy Hash: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
                      • Instruction Fuzzy Hash: 08F0C2B2208144F7DB019A958DA0FBA36299B44314F300633B617B91F5C57C8A02E72F

                      Execution Graph

                      Execution Coverage:18.2%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:19.5%
                      Total number of Nodes:1453
                      Total number of Limit Nodes:32
                      execution_graph 4021 401ec5 4022 402c17 17 API calls 4021->4022 4023 401ecb 4022->4023 4024 402c17 17 API calls 4023->4024 4025 401ed7 4024->4025 4026 401ee3 ShowWindow 4025->4026 4027 401eee EnableWindow 4025->4027 4028 402ac5 4026->4028 4027->4028 3366 401746 3367 402c39 17 API calls 3366->3367 3368 40174d 3367->3368 3372 405f4a 3368->3372 3370 401754 3371 405f4a 2 API calls 3370->3371 3371->3370 3373 405f55 GetTickCount GetTempFileNameA 3372->3373 3374 405f82 3373->3374 3375 405f86 3373->3375 3374->3373 3374->3375 3375->3370 4029 401947 4030 402c39 17 API calls 4029->4030 4031 40194e lstrlenA 4030->4031 4032 402628 4031->4032 4036 401fcb 4037 402c39 17 API calls 4036->4037 4038 401fd2 4037->4038 4039 4066ff 2 API calls 4038->4039 4040 401fd8 4039->4040 4042 401fea 4040->4042 4043 4062e6 wsprintfA 4040->4043 4043->4042 3385 4034cc SetErrorMode GetVersionExA 3386 40351e GetVersionExA 3385->3386 3388 40355d 3385->3388 3387 40353a 3386->3387 3386->3388 3387->3388 3389 4035e1 3388->3389 3390 406794 5 API calls 3388->3390 3477 406726 GetSystemDirectoryA 3389->3477 3390->3389 3392 4035f7 lstrlenA 3392->3389 3393 403607 3392->3393 3480 406794 GetModuleHandleA 3393->3480 3396 406794 5 API calls 3397 403615 3396->3397 3398 406794 5 API calls 3397->3398 3399 403621 #17 OleInitialize SHGetFileInfoA 3398->3399 3486 406388 lstrcpynA 3399->3486 3402 40366f GetCommandLineA 3487 406388 lstrcpynA 3402->3487 3404 403681 3405 405d45 CharNextA 3404->3405 3406 4036a8 CharNextA 3405->3406 3412 4036b7 3406->3412 3407 40377d 3408 403791 GetTempPathA 3407->3408 3488 40349b 3408->3488 3410 4037a9 3413 403803 DeleteFileA 3410->3413 3414 4037ad GetWindowsDirectoryA lstrcatA 3410->3414 3411 405d45 CharNextA 3411->3412 3412->3407 3412->3411 3418 40377f 3412->3418 3498 402f5c GetTickCount GetModuleFileNameA 3413->3498 3415 40349b 12 API calls 3414->3415 3417 4037c9 3415->3417 3417->3413 3420 4037cd GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 
3417->3420 3585 406388 lstrcpynA 3418->3585 3419 403816 3421 4038ae ExitProcess OleUninitialize 3419->3421 3424 40389b 3419->3424 3431 405d45 CharNextA 3419->3431 3423 40349b 12 API calls 3420->3423 3425 4038c5 3421->3425 3426 4039e8 3421->3426 3429 4037fb 3423->3429 3528 403b6e 3424->3528 3602 405a9e 3425->3602 3427 4039f0 GetCurrentProcess OpenProcessToken 3426->3427 3428 403a66 ExitProcess 3426->3428 3433 403a36 3427->3433 3434 403a07 LookupPrivilegeValueA AdjustTokenPrivileges 3427->3434 3429->3413 3429->3421 3436 403830 3431->3436 3439 406794 5 API calls 3433->3439 3434->3433 3440 403875 3436->3440 3441 4038da 3436->3441 3442 403a3d 3439->3442 3586 405e08 3440->3586 3606 405a09 3441->3606 3445 403a52 ExitWindowsEx 3442->3445 3448 403a5f 3442->3448 3445->3428 3445->3448 3626 40140b 3448->3626 3449 4038f0 lstrcatA 3450 4038fb lstrcatA lstrcmpiA 3449->3450 3450->3421 3452 403917 3450->3452 3454 403923 3452->3454 3455 40391c 3452->3455 3614 4059ec CreateDirectoryA 3454->3614 3609 40596f CreateDirectoryA 3455->3609 3456 403890 3601 406388 lstrcpynA 3456->3601 3461 403928 SetCurrentDirectoryA 3462 403943 3461->3462 3463 403938 3461->3463 3618 406388 lstrcpynA 3462->3618 3617 406388 lstrcpynA 3463->3617 3466 40641b 17 API calls 3467 403985 DeleteFileA 3466->3467 3468 403993 CopyFileA 3467->3468 3474 403950 3467->3474 3468->3474 3469 4039dc 3471 406161 36 API calls 3469->3471 3472 4039e3 3471->3472 3472->3421 3473 40641b 17 API calls 3473->3474 3474->3466 3474->3469 3474->3473 3476 4039c7 CloseHandle 3474->3476 3619 406161 MoveFileExA 3474->3619 3623 405a21 CreateProcessA 3474->3623 3476->3474 3478 406748 wsprintfA LoadLibraryExA 3477->3478 3478->3392 3481 4067b0 3480->3481 3482 4067ba GetProcAddress 3480->3482 3483 406726 3 API calls 3481->3483 3484 40360e 3482->3484 3485 4067b6 3483->3485 3484->3396 3485->3482 3485->3484 3486->3402 3487->3404 3489 406666 5 API calls 3488->3489 3491 4034a7 3489->3491 3490 4034b1 3490->3410 3491->3490 3629 405d1a lstrlenA CharPrevA 
3491->3629 3494 4059ec 2 API calls 3495 4034bf 3494->3495 3496 405f4a 2 API calls 3495->3496 3497 4034ca 3496->3497 3497->3410 3632 405f1b GetFileAttributesA CreateFileA 3498->3632 3500 402f9f 3527 402fac 3500->3527 3633 406388 lstrcpynA 3500->3633 3502 402fc2 3634 405d61 lstrlenA 3502->3634 3506 402fd3 GetFileSize 3507 4030cd 3506->3507 3526 402fea 3506->3526 3639 402ebd 3507->3639 3511 403112 GlobalAlloc 3513 403129 3511->3513 3512 40316a 3516 402ebd 32 API calls 3512->3516 3518 405f4a 2 API calls 3513->3518 3515 4030f3 3517 40346e ReadFile 3515->3517 3516->3527 3519 4030fe 3517->3519 3521 40313a CreateFileA 3518->3521 3519->3511 3519->3527 3520 402ebd 32 API calls 3520->3526 3522 403174 3521->3522 3521->3527 3654 403484 SetFilePointer 3522->3654 3524 403182 3655 4031fd 3524->3655 3526->3507 3526->3512 3526->3520 3526->3527 3670 40346e 3526->3670 3527->3419 3529 406794 5 API calls 3528->3529 3530 403b82 3529->3530 3531 403b88 3530->3531 3532 403b9a 3530->3532 3714 4062e6 wsprintfA 3531->3714 3533 40626f 3 API calls 3532->3533 3534 403bc5 3533->3534 3535 403be3 lstrcatA 3534->3535 3538 40626f 3 API calls 3534->3538 3537 403b98 3535->3537 3706 403e33 3537->3706 3538->3535 3541 405e08 18 API calls 3542 403c15 3541->3542 3543 403c9e 3542->3543 3545 40626f 3 API calls 3542->3545 3544 405e08 18 API calls 3543->3544 3547 403ca4 3544->3547 3548 403c41 3545->3548 3546 403cb4 LoadImageA 3550 403d5a 3546->3550 3551 403cdb RegisterClassA 3546->3551 3547->3546 3549 40641b 17 API calls 3547->3549 3548->3543 3552 403c5d lstrlenA 3548->3552 3555 405d45 CharNextA 3548->3555 3549->3546 3554 40140b 2 API calls 3550->3554 3553 403d11 SystemParametersInfoA CreateWindowExA 3551->3553 3584 4038ab 3551->3584 3556 403c91 3552->3556 3557 403c6b lstrcmpiA 3552->3557 3553->3550 3558 403d60 3554->3558 3559 403c5b 3555->3559 3561 405d1a 3 API calls 3556->3561 3557->3556 3560 403c7b GetFileAttributesA 3557->3560 3563 403e33 18 API calls 3558->3563 3558->3584 3559->3552 3562 403c87 3560->3562 
3564 403c97 3561->3564 3562->3556 3565 405d61 2 API calls 3562->3565 3566 403d71 3563->3566 3715 406388 lstrcpynA 3564->3715 3565->3556 3568 403e00 3566->3568 3569 403d7d ShowWindow 3566->3569 3716 40557b OleInitialize 3568->3716 3571 406726 3 API calls 3569->3571 3573 403d95 3571->3573 3572 403e06 3575 403e22 3572->3575 3576 403e0a 3572->3576 3574 403da3 GetClassInfoA 3573->3574 3577 406726 3 API calls 3573->3577 3579 403db7 GetClassInfoA RegisterClassA 3574->3579 3580 403dcd DialogBoxParamA 3574->3580 3578 40140b 2 API calls 3575->3578 3582 40140b 2 API calls 3576->3582 3576->3584 3577->3574 3578->3584 3579->3580 3581 40140b 2 API calls 3580->3581 3583 403df5 3581->3583 3582->3584 3583->3584 3584->3421 3585->3408 3734 406388 lstrcpynA 3586->3734 3588 405e19 3735 405db3 CharNextA CharNextA 3588->3735 3591 403881 3591->3421 3600 406388 lstrcpynA 3591->3600 3592 406666 5 API calls 3598 405e2f 3592->3598 3593 405e5a lstrlenA 3594 405e65 3593->3594 3593->3598 3595 405d1a 3 API calls 3594->3595 3597 405e6a GetFileAttributesA 3595->3597 3597->3591 3598->3591 3598->3593 3599 405d61 2 API calls 3598->3599 3741 4066ff FindFirstFileA 3598->3741 3599->3593 3600->3456 3601->3424 3603 405ab3 3602->3603 3604 4038d2 ExitProcess 3603->3604 3605 405ac7 MessageBoxIndirectA 3603->3605 3605->3604 3607 406794 5 API calls 3606->3607 3608 4038df lstrcatA 3607->3608 3608->3449 3608->3450 3610 4059c0 GetLastError 3609->3610 3611 403921 3609->3611 3610->3611 3612 4059cf SetFileSecurityA 3610->3612 3611->3461 3612->3611 3613 4059e5 GetLastError 3612->3613 3613->3611 3615 405a00 GetLastError 3614->3615 3616 4059fc 3614->3616 3615->3616 3616->3461 3617->3462 3618->3474 3620 406182 3619->3620 3621 406175 3619->3621 3620->3474 3744 405ff1 3621->3744 3624 405a60 3623->3624 3625 405a54 CloseHandle 3623->3625 3624->3474 3625->3624 3627 401389 2 API calls 3626->3627 3628 401420 3627->3628 3628->3428 3630 405d34 lstrcatA 3629->3630 3631 4034b9 3629->3631 3630->3631 3631->3494 3632->3500 3633->3502 
3635 405d6e 3634->3635 3636 405d73 CharPrevA 3635->3636 3637 402fc8 3635->3637 3636->3635 3636->3637 3638 406388 lstrcpynA 3637->3638 3638->3506 3640 402ee3 3639->3640 3641 402ecb 3639->3641 3644 402ef3 GetTickCount 3640->3644 3645 402eeb 3640->3645 3642 402ed4 DestroyWindow 3641->3642 3643 402edb 3641->3643 3642->3643 3643->3511 3643->3527 3673 403484 SetFilePointer 3643->3673 3644->3643 3647 402f01 3644->3647 3674 4067d0 3645->3674 3648 402f36 CreateDialogParamA ShowWindow 3647->3648 3649 402f09 3647->3649 3648->3643 3649->3643 3678 402ea1 3649->3678 3651 402f17 wsprintfA 3652 4054a9 24 API calls 3651->3652 3653 402f34 3652->3653 3653->3643 3654->3524 3656 403228 3655->3656 3657 40320c SetFilePointer 3655->3657 3681 403305 GetTickCount 3656->3681 3657->3656 3662 403305 42 API calls 3663 40325f 3662->3663 3664 4032c5 3663->3664 3665 4032cb ReadFile 3663->3665 3666 40326e 3663->3666 3664->3527 3665->3664 3666->3664 3668 405f93 ReadFile 3666->3668 3696 405fc2 WriteFile 3666->3696 3668->3666 3671 405f93 ReadFile 3670->3671 3672 403481 3671->3672 3672->3526 3673->3515 3675 4067ed PeekMessageA 3674->3675 3676 4067e3 DispatchMessageA 3675->3676 3677 4067fd 3675->3677 3676->3675 3677->3643 3679 402eb0 3678->3679 3680 402eb2 MulDiv 3678->3680 3679->3680 3680->3651 3682 403333 3681->3682 3683 40345d 3681->3683 3698 403484 SetFilePointer 3682->3698 3684 402ebd 32 API calls 3683->3684 3690 40322f 3684->3690 3686 40333e SetFilePointer 3691 403363 3686->3691 3687 40346e ReadFile 3687->3691 3689 402ebd 32 API calls 3689->3691 3690->3664 3694 405f93 ReadFile 3690->3694 3691->3687 3691->3689 3691->3690 3692 405fc2 WriteFile 3691->3692 3693 40343e SetFilePointer 3691->3693 3699 4068d9 3691->3699 3692->3691 3693->3683 3695 403248 3694->3695 3695->3662 3695->3664 3697 405fe0 3696->3697 3697->3666 3698->3686 3700 4068fe 3699->3700 3705 406906 3699->3705 3700->3691 3701 406996 GlobalAlloc 3701->3700 3701->3705 3702 40698d GlobalFree 3702->3701 3703 406a04 GlobalFree 3704 406a0d 
GlobalAlloc 3703->3704 3704->3700 3704->3705 3705->3700 3705->3701 3705->3702 3705->3703 3705->3704 3707 403e47 3706->3707 3723 4062e6 wsprintfA 3707->3723 3709 403eb8 3724 403eec 3709->3724 3711 403bf3 3711->3541 3712 403ebd 3712->3711 3713 40641b 17 API calls 3712->3713 3713->3712 3714->3537 3715->3543 3727 404451 3716->3727 3718 40559e 3722 4055c5 3718->3722 3730 401389 3718->3730 3719 404451 SendMessageA 3720 4055d7 OleUninitialize 3719->3720 3720->3572 3722->3719 3723->3709 3725 40641b 17 API calls 3724->3725 3726 403efa SetWindowTextA 3725->3726 3726->3712 3728 404469 3727->3728 3729 40445a SendMessageA 3727->3729 3728->3718 3729->3728 3732 401390 3730->3732 3731 4013fe 3731->3718 3732->3731 3733 4013cb MulDiv SendMessageA 3732->3733 3733->3732 3734->3588 3736 405dde 3735->3736 3737 405dce 3735->3737 3739 405d45 CharNextA 3736->3739 3740 405dfe 3736->3740 3737->3736 3738 405dd9 CharNextA 3737->3738 3738->3740 3739->3736 3740->3591 3740->3592 3742 406715 FindClose 3741->3742 3743 406720 3741->3743 3742->3743 3743->3598 3745 406017 3744->3745 3746 40603d GetShortPathNameA 3744->3746 3771 405f1b GetFileAttributesA CreateFileA 3745->3771 3748 406052 3746->3748 3749 40615c 3746->3749 3748->3749 3751 40605a wsprintfA 3748->3751 3749->3620 3750 406021 CloseHandle GetShortPathNameA 3750->3749 3753 406035 3750->3753 3752 40641b 17 API calls 3751->3752 3754 406082 3752->3754 3753->3746 3753->3749 3772 405f1b GetFileAttributesA CreateFileA 3754->3772 3756 40608f 3756->3749 3757 40609e GetFileSize GlobalAlloc 3756->3757 3758 4060c0 3757->3758 3759 406155 CloseHandle 3757->3759 3760 405f93 ReadFile 3758->3760 3759->3749 3761 4060c8 3760->3761 3761->3759 3773 405e80 lstrlenA 3761->3773 3764 4060f3 3766 405e80 4 API calls 3764->3766 3765 4060df lstrcpyA 3767 406101 3765->3767 3766->3767 3768 406138 SetFilePointer 3767->3768 3769 405fc2 WriteFile 3768->3769 3770 40614e GlobalFree 3769->3770 3770->3759 3771->3750 3772->3756 3774 405ec1 lstrlenA 3773->3774 3775 405ec9 
3774->3775 3776 405e9a lstrcmpiA 3774->3776 3775->3764 3775->3765 3776->3775 3777 405eb8 CharNextA 3776->3777 3777->3774 4044 404850 4045 404860 4044->4045 4046 404886 4044->4046 4051 404405 4045->4051 4054 40446c 4046->4054 4049 40486d SetDlgItemTextA 4049->4046 4052 40641b 17 API calls 4051->4052 4053 404410 SetDlgItemTextA 4052->4053 4053->4049 4055 40452f 4054->4055 4056 404484 GetWindowLongA 4054->4056 4056->4055 4057 404499 4056->4057 4057->4055 4058 4044c6 GetSysColor 4057->4058 4059 4044c9 4057->4059 4058->4059 4060 4044d9 SetBkMode 4059->4060 4061 4044cf SetTextColor 4059->4061 4062 4044f1 GetSysColor 4060->4062 4063 4044f7 4060->4063 4061->4060 4062->4063 4064 4044fe SetBkColor 4063->4064 4065 404508 4063->4065 4064->4065 4065->4055 4066 404522 CreateBrushIndirect 4065->4066 4067 40451b DeleteObject 4065->4067 4066->4055 4067->4066 4075 4014d6 4076 402c17 17 API calls 4075->4076 4077 4014dc Sleep 4076->4077 4079 402ac5 4077->4079 3873 401759 3874 402c39 17 API calls 3873->3874 3875 401760 3874->3875 3876 401786 3875->3876 3877 40177e 3875->3877 3913 406388 lstrcpynA 3876->3913 3912 406388 lstrcpynA 3877->3912 3880 401784 3884 406666 5 API calls 3880->3884 3881 401791 3882 405d1a 3 API calls 3881->3882 3883 401797 lstrcatA 3882->3883 3883->3880 3899 4017a3 3884->3899 3885 4066ff 2 API calls 3885->3899 3886 405ef6 2 API calls 3886->3899 3888 4017ba CompareFileTime 3888->3899 3889 40187e 3890 4054a9 24 API calls 3889->3890 3892 401888 3890->3892 3891 401855 3893 4054a9 24 API calls 3891->3893 3900 40186a 3891->3900 3894 4031fd 44 API calls 3892->3894 3893->3900 3895 40189b 3894->3895 3896 4018af SetFileTime 3895->3896 3898 4018c1 FindCloseChangeNotification 3895->3898 3896->3898 3897 40641b 17 API calls 3897->3899 3898->3900 3901 4018d2 3898->3901 3899->3885 3899->3886 3899->3888 3899->3889 3899->3891 3899->3897 3902 406388 lstrcpynA 3899->3902 3907 405a9e MessageBoxIndirectA 3899->3907 3911 405f1b GetFileAttributesA CreateFileA 3899->3911 3903 4018d7 
3901->3903 3904 4018ea 3901->3904 3902->3899 3905 40641b 17 API calls 3903->3905 3906 40641b 17 API calls 3904->3906 3908 4018df lstrcatA 3905->3908 3909 4018f2 3906->3909 3907->3899 3908->3909 3910 405a9e MessageBoxIndirectA 3909->3910 3910->3900 3911->3899 3912->3880 3913->3881 4080 401659 4081 402c39 17 API calls 4080->4081 4082 40165f 4081->4082 4083 4066ff 2 API calls 4082->4083 4084 401665 4083->4084 4085 401959 4086 402c17 17 API calls 4085->4086 4087 401960 4086->4087 4088 402c17 17 API calls 4087->4088 4089 40196d 4088->4089 4090 402c39 17 API calls 4089->4090 4091 401984 lstrlenA 4090->4091 4093 401994 4091->4093 4092 4019d4 4093->4092 4097 406388 lstrcpynA 4093->4097 4095 4019c4 4095->4092 4096 4019c9 lstrlenA 4095->4096 4096->4092 4097->4095 4098 401a5e 4099 402c17 17 API calls 4098->4099 4100 401a67 4099->4100 4101 402c17 17 API calls 4100->4101 4102 401a0e 4101->4102 4103 401563 4104 402a42 4103->4104 4107 4062e6 wsprintfA 4104->4107 4106 402a47 4107->4106 4108 401b63 4109 402c39 17 API calls 4108->4109 4110 401b6a 4109->4110 4111 402c17 17 API calls 4110->4111 4112 401b73 wsprintfA 4111->4112 4113 402ac5 4112->4113 4114 100013a4 4121 10001426 4114->4121 4122 100013d0 4121->4122 4124 1000142f 4121->4124 4126 100010d0 GetVersionExA 4122->4126 4123 1000145f GlobalFree 4123->4122 4124->4122 4124->4123 4125 1000144b lstrcpynA 4124->4125 4125->4123 4127 10001106 4126->4127 4142 100010fc 4126->4142 4128 10001122 LoadLibraryW 4127->4128 4129 1000110e 4127->4129 4131 1000113b GetProcAddress 4128->4131 4141 100011a5 4128->4141 4130 10001225 LoadLibraryA 4129->4130 4129->4142 4133 1000123d GetProcAddress GetProcAddress GetProcAddress 4130->4133 4130->4142 4132 1000114e LocalAlloc 4131->4132 4138 1000118e 4131->4138 4134 10001189 4132->4134 4136 10001323 FreeLibrary 4133->4136 4150 1000126b 4133->4150 4137 1000115c NtQuerySystemInformation 4134->4137 4134->4138 4135 1000119a FreeLibrary 4135->4141 4136->4142 4137->4135 4139 1000116f LocalFree 4137->4139 

Control-flow Graph (function at 004034CC; graph node and edge data omitted)
                      APIs
                      • SetErrorMode.KERNEL32(00008001), ref: 004034EF
                      • GetVersionExA.KERNEL32(?), ref: 00403518
                      • GetVersionExA.KERNEL32(0000009C), ref: 0040352F
                      • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
                      • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
                      • OleInitialize.OLE32(00000000), ref: 0040363C
                      • SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
                      • GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
                      • CharNextA.USER32(00000000,C:\Users\user\AppData\Local\Temp\FD47.exe,00000020,C:\Users\user\AppData\Local\Temp\FD47.exe,00000000,?,00000007,00000009,0000000B), ref: 004036A9
                      • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
                      • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
                      • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
                      • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
                      • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
                      • DeleteFileA.KERNEL32(1033,?,00000007,00000009,0000000B), ref: 00403808
                      • ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
                      • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
                      • ExitProcess.KERNEL32 ref: 004038D4
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\FD47.exe,00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\FD47.exe,00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\FD47.exe,00000000,?,?,00000007,00000009,0000000B), ref: 00403901
                      • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp), ref: 0040390D
                      • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
                      • DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
                      • CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\FD47.exe,0041F910,00000001), ref: 0040399B
                      • CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
                      • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
                      • OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
                      • ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
                      • ExitProcess.KERNEL32 ref: 00403A76
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                      • String ID: "$.tmp$1033$A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\FD47.exe$C:\Users\user\AppData\Local\Temp\FD47.exe$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\update$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                      • API String ID: 2882342585-750371197
                      • Opcode ID: d18186efe810cf451430c4e096b9aeccec46dfe8f60ebdd611bfa721823b35b5
                      • Instruction ID: 1a4863036e4e50ed5e1acae1e6299f6db15da00d6e87979e5214c03ba8a99dba
                      • Opcode Fuzzy Hash: d18186efe810cf451430c4e096b9aeccec46dfe8f60ebdd611bfa721823b35b5
                      • Instruction Fuzzy Hash: 99E1D270A04354AADB21AF659D49B6F7EB89F86306F0540BFF441B61D2CB7C4A05CB2E

                      Control-flow Graph
                      • Graph for the function at 100010d0 (rendered executed / not-executed block diagram not reproduced; its API calls are listed below)
                      APIs
                      • GetVersionExA.KERNEL32(?), ref: 100010F2
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3858416277.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                      • Associated: 00000007.00000002.3846462996.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                      • Associated: 00000007.00000002.3869595753.0000000010002000.00000002.00000001.01000000.0000000A.sdmp
                      • Associated: 00000007.00000002.3889325330.0000000010004000.00000002.00000001.01000000.0000000A.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_10000000_FD47.jbxd
                      Similarity
                      • API ID: Version
                      • String ID: CreateToolhelp32Snapshot$KERNEL32.DLL$NTDLL.DLL$NtQuerySystemInformation$Process32First$Process32Next
                      • API String ID: 1889659487-877962304
                      • Opcode ID: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
                      • Instruction ID: 3df706415bff85d1043f51983ae3f68c733976b3404a17f8fb4488dcc6387507
                      • Opcode Fuzzy Hash: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
                      • Instruction Fuzzy Hash: 19715871900659EFFB11DFA4CC88ADE3BEAEB483C4F250026FA19D2159E6358E49CB50

                      Control-flow Graph
                      • Graph for the function at 405b4a (rendered executed / not-executed block diagram not reproduced; its API calls are listed below)
                      APIs
                      • DeleteFileA.KERNEL32(?,?,74DF3410,74DF2EE0,C:\Users\user\AppData\Local\Temp\FD47.exe), ref: 00405B73
                      • lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,74DF3410,74DF2EE0,C:\Users\user\AppData\Local\Temp\FD47.exe), ref: 00405BBB
                      • lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,C:\Users\user\AppData\Local\Temp\FD47.exe), ref: 00405BDC
                      • lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,C:\Users\user\AppData\Local\Temp\FD47.exe), ref: 00405BE2
                      • FindFirstFileA.KERNEL32(00421D58,?,?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,C:\Users\user\AppData\Local\Temp\FD47.exe), ref: 00405BF3
                      • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
                      • FindClose.KERNEL32(00000000), ref: 00405CB1
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp\FD47.exe$\*.*
                      • API String ID: 2035342205-2894130919
                      • Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
                      • Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
                      • Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
                      • Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69

                      Control-flow Graph
                      • Graph for the function at 406a88 (rendered executed / not-executed block diagram not reproduced; no API calls were attributed to this function)
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
                      • Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
                      • Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
                      • Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45
                      APIs
                      • FindFirstFileA.KERNEL32(74DF3410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0), ref: 0040670A
                      • FindClose.KERNEL32(00000000), ref: 00406716
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Find$CloseFileFirst
                      • String ID: C:\
                      • API String ID: 2295610775-3404278061
                      • Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                      • Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
                      • Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                      • Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC

                      Control-flow Graph
                      • Graph for the function at 403b6e (rendered executed / not-executed block diagram not reproduced; its API calls are listed below)
                      APIs
                        • Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
                        • Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
                      • lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,?,C:\Users\user\AppData\Local\Temp\FD47.exe,00000009,0000000B), ref: 00403BE9
                      • lstrlenA.KERNEL32(C:\Windows\wininit.ini,?,?,?,C:\Windows\wininit.ini,00000000,C:\Users\user\AppData\Roaming\GamePall,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74DF3410), ref: 00403C5E
                      • lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
                      • GetFileAttributesA.KERNEL32(C:\Windows\wininit.ini,?,C:\Users\user\AppData\Local\Temp\FD47.exe,00000009,0000000B), ref: 00403C7C
                      • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\GamePall), ref: 00403CC5
                        • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
                      • RegisterClassA.USER32(00423EE0), ref: 00403D02
                      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
                      • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
                      • ShowWindow.USER32(00000005,00000000,?,C:\Users\user\AppData\Local\Temp\FD47.exe,00000009,0000000B), ref: 00403D85
                      • GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
                      • GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
                      • RegisterClassA.USER32(00423EE0), ref: 00403DC7
                      • DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                      • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\FD47.exe$C:\Users\user\AppData\Roaming\GamePall$C:\Windows\wininit.ini$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
                      • API String ID: 1975747703-1410561585
                      • Opcode ID: dbde64bc3a376ab52a9cb3762a64ce6a0c2f330f4a95e62c6433b020d27b21d7
                      • Instruction ID: 5836c5bb6a6ef8c4ff0aed12ec42ff3eebf2d58129c507535c8ab2622d1094a3
                      • Opcode Fuzzy Hash: dbde64bc3a376ab52a9cb3762a64ce6a0c2f330f4a95e62c6433b020d27b21d7
                      • Instruction Fuzzy Hash: 4F61D670204200AED620AF65AD45F3B3A7CEB8574AF41453FF951B62E2CB7D9D028B6D

                      Control-flow Graph
                      • Graph for the function at 402f5c (rendered executed / not-executed block diagram not reproduced; its API calls and strings are listed below)
                      APIs
                      • GetTickCount.KERNEL32 ref: 00402F70
                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\FD47.exe,00000400), ref: 00402F8C
                        • Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\FD47.exe,80000000,00000003), ref: 00405F1F
                        • Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                      • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\FD47.exe,C:\Users\user\AppData\Local\Temp\FD47.exe,80000000,00000003), ref: 00402FD5
                      • GlobalAlloc.KERNEL32(00000040,00000009), ref: 00403117
                      Strings
                      • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 004031AE
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
                      • Error launching installer, xrefs: 00402FAC
                      • soft, xrefs: 0040304A
                      • Inst, xrefs: 00403041
                      • C:\Users\user\AppData\Local\Temp, xrefs: 00402FB7, 00402FBC, 00402FC2
                      • C:\Users\user\AppData\Local\Temp\FD47.exe, xrefs: 00402F65
                      • Null, xrefs: 00403053
                      • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160
                      • C:\Users\user\AppData\Local\Temp\FD47.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                      • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\FD47.exe$C:\Users\user\AppData\Local\Temp\FD47.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                      • API String ID: 2803837635-2433852538
                      • Opcode ID: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
                      • Instruction ID: 8a05da1d373fd2b3e089436e62a275652004ed3b6aa6cfe031be989f12afac8e
                      • Opcode Fuzzy Hash: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
                      • Instruction Fuzzy Hash: 0771E231A01218ABDB20EF65DD85B9E7BACEB44356F10813BF910BA2C1D77C9E458B5C
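The function at 00402F5C is the NSIS installer stub's self-check: it calls GetModuleFileNameA, opens and sizes its own image, reads it in chunks, and compares each buffer against the 0xDEADBEEF signature and the three magics "Null", "soft", "Inst" (the compares at 00403053, 0040304A and 00403041), then validates the data block that follows before unpacking; the "Installer integrity check has failed" string at 004031AE is the failure path. The following is an added example, not code from the sample or from NSIS: a Python triage routine that finds the same firstheader in a file image, reads the two length fields, and reproduces the integrity decision. The field layout follows NSIS's public fileform.h (flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data); the CRC32 coverage (file offset 0 up to the stored CRC at the end of the block) and the flag semantics are my reading of the NSIS source, not something the report states, and the input bytes are constructed, not a real PE.

```python
"""Locate and validate the NSIS firstheader the way the stub at 00402F5C does.

Added example; not code from the sandboxed sample or from NSIS itself.
Layout after NSIS fileform.h (struct firstheader). CRC coverage and flag
meanings are assumptions taken from my reading of the NSIS source.
"""
import struct
import zlib

# little-endian 0xDEADBEEF followed by the three 4-byte magics "Null", "soft", "Inst"
NSIS_SIG = b"\xEF\xBE\xAD\xDE" + b"NullsoftInst"
FH_FLAGS_UNINSTALL = 1
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4
FH_FLAGS_FORCE_CRC = 8
FIRSTHEADER_SIZE = 28  # flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data


def find_firstheader(image: bytes):
    """Return (offset, flags, header_len, data_len) of the firstheader, or None.

    The stub reads its image in fixed-size chunks and tests the magics at the
    start of each buffer; a plain substring search finds the same structure at
    any alignment, which is what a triage tool wants.
    """
    idx = image.find(NSIS_SIG)
    while idx != -1:
        off = idx - 4  # the flags dword precedes siginfo
        if off >= 0 and off + FIRSTHEADER_SIZE <= len(image):
            flags, _sig, _n1, _n2, _n3, hdr_len, data_len = struct.unpack_from("<7I", image, off)
            return off, flags, hdr_len, data_len
        idx = image.find(NSIS_SIG, idx + 1)
    return None


def check_installer(image: bytes) -> dict:
    """Reproduce the stub's integrity decision and return what a triage report needs."""
    found = find_firstheader(image)
    if found is None:
        return {"nsis": False}
    off, flags, hdr_len, data_len = found
    result = {
        "nsis": True,
        "firstheader_offset": off,
        "flags": flags,
        "uninstaller": bool(flags & FH_FLAGS_UNINSTALL),
        "silent": bool(flags & FH_FLAGS_SILENT),
        "header_len": hdr_len,
        "data_len": data_len,
    }
    # "Installer integrity check has failed": the data block runs past end of file
    if off + data_len > len(image):
        result["integrity_ok"] = False
        result["reason"] = "data block truncated"
        return result
    # The CRC is skipped only when NO_CRC is set and FORCE_CRC is not (assumption)
    crc_required = (not (flags & FH_FLAGS_NO_CRC)) or bool(flags & FH_FLAGS_FORCE_CRC)
    result["crc_checked"] = crc_required
    if crc_required:
        crc_pos = off + data_len - 4  # stored CRC32 is the last dword of the block
        stored = struct.unpack_from("<I", image, crc_pos)[0]
        computed = zlib.crc32(image[:crc_pos]) & 0xFFFFFFFF  # covers offset 0 .. crc_pos
        result["integrity_ok"] = stored == computed
        if not result["integrity_ok"]:
            result["reason"] = "crc mismatch"
    else:
        result["integrity_ok"] = True
    return result


def build_sample(payload: bytes, flags: int = 0, corrupt: bool = False) -> bytes:
    """Constructed test input: a fake 512-byte stub followed by a minimal NSIS data block.

    Not a real PE; only the overlay layout matters for this check.
    """
    stub = b"MZ" + b"\x90" * 510
    data_len = FIRSTHEADER_SIZE + len(payload) + 4  # header + payload + trailing CRC
    header = struct.pack("<I", flags) + NSIS_SIG + struct.pack("<II", len(payload), data_len)
    body = stub + header + payload
    crc = zlib.crc32(body) & 0xFFFFFFFF
    if corrupt:
        crc ^= 1
    return body + struct.pack("<I", crc)


if __name__ == "__main__":
    print(check_installer(build_sample(b"\x00" * 64)))
```

A sample that carries the NSIS signature but whose data block is truncated or whose trailing CRC32 does not match is exactly what trips the stub's "Installer integrity check has failed" message; the NO_CRC flag shows why a repacked or appended installer can still run when the author built it without CRC checking.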

                      Control-flow Graph

                      control_flow_graph 348 405ff1-406015 349 406017-40602f call 405f1b CloseHandle GetShortPathNameA 348->349 350 40603d-40604c GetShortPathNameA 348->350 353 40615c-406160 349->353 357 406035-406037 349->357 352 406052-406054 350->352 350->353 352->353 355 40605a-406098 wsprintfA call 40641b call 405f1b 352->355 355->353 361 40609e-4060ba GetFileSize GlobalAlloc 355->361 357->350 357->353 362 4060c0-4060ca call 405f93 361->362 363 406155-406156 CloseHandle 361->363 362->363 366 4060d0-4060dd call 405e80 362->366 363->353 369 4060f3-406105 call 405e80 366->369 370 4060df-4060f1 lstrcpyA 366->370 376 406124 369->376 377 406107-40610d 369->377 371 406128 370->371 373 40612a-40614f call 405ed6 SetFilePointer call 405fc2 GlobalFree 371->373 373->363 376->371 378 406115-406117 377->378 380 406119-406122 378->380 381 40610f-406114 378->381 380->373 381->378
                      APIs
                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
                      • GetShortPathNameA.KERNEL32(?,NUL,00000400), ref: 0040602B
                        • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
                        • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
                      • GetShortPathNameA.KERNEL32(?,C:\Windows\wininit.ini,00000400), ref: 00406048
                      • wsprintfA.USER32 ref: 00406066
                      • GetFileSize.KERNEL32(00000000,00000000,C:\Windows\wininit.ini,C0000000,00000004,C:\Windows\wininit.ini,?,?,?,?,?), ref: 004060A1
                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
                      • SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,NUL=C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
                      • GlobalFree.KERNEL32(00000000), ref: 0040614F
                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156
                        • Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\FD47.exe,80000000,00000003), ref: 00405F1F
                        • Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                      • String ID: %s=%s$C:\Windows\wininit.ini$NUL$NUL=C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\$[Rename]
                      • API String ID: 2171350718-3652668546
                      • Opcode ID: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
                      • Instruction ID: 7566a5a9e9d08134d14435fb5d3e1561ad96112206bac95af022f508aac3f812
                      • Opcode Fuzzy Hash: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
                      • Instruction Fuzzy Hash: 68310531200715BBC2207B659D49F6B3A5DDF85754F15003EFE42BA2C3EA7CD8228AAD
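The function at 00405FF1 is the stub's reboot-time delete fallback: it converts both names with GetShortPathNameA, formats "%s=%s", and rewrites C:\Windows\wininit.ini so that a "[Rename]" section holds "NUL=C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\". On Windows 9x that section is processed by the 16-bit WININIT.EXE at the next boot (hence the 8.3 short names), and "NUL" as the destination deletes the source. NT-family Windows uses MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT and the PendingFileRenameOperations registry value instead, so on the analysis VM this write is inert and wininit.ini is mainly an artifact to collect. The following is an added example, not code from the sample: a Python parser for the [Rename] section, an 8.3 check, and a writer that queues an entry the way the stub does. The insertion position (directly after the section header, creating the section when absent) is my reading of the stub and is not stated in the report; the ini text is constructed, with the NUL= line copied from the SetFilePointer arguments above.

```python
"""Parse and extend the wininit.ini [Rename] section written by the stub at 00405FF1.

Added example; not code from the sample. Win9x semantics: "dest=src" renames
src to dest at boot, "NUL=src" deletes src, all names must be 8.3 short paths.
"""
import re

RENAME_HEADER = "[Rename]"

# Constructed sample: first line is the entry seen in the report, second is made up.
SAMPLE_INI = (
    "[Rename]\r\n"
    "NUL=C:\\Users\\user\\AppData\\Local\\Temp\\nskFDD4.tmp\\\r\n"
    "C:\\WINDOWS\\SYSTEM\\NEW.DLL=C:\\TEMP\\NEW.DLL\r\n"
)


def parse_rename_section(ini_text: str) -> list:
    """Return the [Rename] operations in file order.

    Each item: {"action": "delete" | "rename", "source": str, "dest": str | None}.
    """
    ops = []
    in_section = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == RENAME_HEADER.lower()
            continue
        if not in_section or "=" not in line:
            continue
        dest, src = (s.strip() for s in line.split("=", 1))
        if dest.upper() == "NUL":
            ops.append({"action": "delete", "source": src, "dest": None})
        else:
            ops.append({"action": "rename", "source": src, "dest": dest})
    return ops


def is_short_path(path: str) -> bool:
    """True when every component after the drive fits the 8.3 form wininit.ini needs."""
    component = re.compile(r"^[^\s.\\]{1,8}(\.[^\s.\\]{1,3})?$")
    parts = path.rstrip("\\").split("\\")
    return all(component.match(p) for p in parts[1:] if p)


def queue_rename(ini_text: str, dest: str, src: str) -> str:
    """Add 'dest=src' right after the [Rename] header, creating the section if missing.

    The stub does the GetShortPathNameA conversion itself; here the caller is
    expected to pass 8.3 names, which is_short_path can verify first.
    """
    entry = f"{dest}={src}\r\n"
    lines = ini_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.strip().lower() == RENAME_HEADER.lower():
            lines.insert(i + 1, entry)
            return "".join(lines)
    if ini_text and not ini_text.endswith(("\r\n", "\n")):
        ini_text += "\r\n"
    return ini_text + RENAME_HEADER + "\r\n" + entry


if __name__ == "__main__":
    for op in parse_rename_section(SAMPLE_INI):
        print(op, "8.3 ok" if is_short_path(op["source"]) else "NOT 8.3")
```

The directory the stub queues for deletion here (C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\) already satisfies 8.3 in every component, which is why GetShortPathNameA returns it unchanged; when the short form cannot be resolved (for example because the file does not exist), the graph shows the stub taking the edge from the first GetShortPathNameA node straight to the exit, so nothing is written.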

                      Control-flow Graph

                      control_flow_graph 384 40641b-406426 385 406428-406437 384->385 386 406439-40644f 384->386 385->386 387 406643-406647 386->387 388 406455-406460 386->388 390 406472-40647c 387->390 391 40664d-406657 387->391 388->387 389 406466-40646d 388->389 389->387 390->391 392 406482-406489 390->392 393 406662-406663 391->393 394 406659-40665d call 406388 391->394 395 406636 392->395 396 40648f-4064c3 392->396 394->393 398 406640-406642 395->398 399 406638-40663e 395->399 400 4065e3-4065e6 396->400 401 4064c9-4064d3 396->401 398->387 399->387 404 406616-406619 400->404 405 4065e8-4065eb 400->405 402 4064f0 401->402 403 4064d5-4064de 401->403 411 4064f7-4064fe 402->411 403->402 408 4064e0-4064e3 403->408 406 406627-406634 lstrlenA 404->406 407 40661b-406622 call 40641b 404->407 409 4065fb-406607 call 406388 405->409 410 4065ed-4065f9 call 4062e6 405->410 406->387 407->406 408->402 413 4064e5-4064e8 408->413 422 40660c-406612 409->422 410->422 415 406500-406502 411->415 416 406503-406505 411->416 413->402 418 4064ea-4064ee 413->418 415->416 420 406507-40652a call 40626f 416->420 421 40653e-406541 416->421 418->411 432 406530-406539 call 40641b 420->432 433 4065ca-4065ce 420->433 425 406551-406554 421->425 426 406543-40654f GetSystemDirectoryA 421->426 422->406 424 406614 422->424 428 4065db-4065e1 call 406666 424->428 430 4065c1-4065c3 425->430 431 406556-406564 GetWindowsDirectoryA 425->431 429 4065c5-4065c8 426->429 428->406 429->428 429->433 430->429 434 406566-406570 430->434 431->430 432->429 433->428 437 4065d0-4065d6 lstrcatA 433->437 439 406572-406575 434->439 440 40658a-4065a0 SHGetSpecialFolderLocation 434->440 437->428 439->440 442 406577-40657e 439->442 443 4065a2-4065bc SHGetPathFromIDListA CoTaskMemFree 440->443 444 4065be 440->444 445 406586-406588 442->445 443->429 443->444 444->430 445->429 445->440
                      APIs
                      • GetSystemDirectoryA.KERNEL32(C:\Windows\wininit.ini,00000400), ref: 00406549
                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\wininit.ini,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
                      • SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
                      • SHGetPathFromIDListA.SHELL32(00000000,C:\Windows\wininit.ini), ref: 004065A6
                      • CoTaskMemFree.OLE32(00000000), ref: 004065B2
                      • lstrcatA.KERNEL32(C:\Windows\wininit.ini,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
                      • lstrlenA.KERNEL32(C:\Windows\wininit.ini,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                      • String ID: C:\Windows\wininit.ini$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                      • API String ID: 717251189-1428620962
                      • Opcode ID: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
                      • Instruction ID: f38e20b3a3e0c1a2470d5ac0c6d90f06be75126661b475aa23e0086d5b044b98
                      • Opcode Fuzzy Hash: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
                      • Instruction Fuzzy Hash: 9F612370900114AEDF205F24EC90BBA3BA4EB52314F52403FE913B62D1D37D8A62DB4E

                      Control-flow Graph

                      APIs
                      • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,00000031), ref: 00401798
                      • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,00000031), ref: 004017C2
                        • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                        • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                        • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                      • String ID: C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\INetC.dll$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\GamePall\update
                      • API String ID: 1941528284-119878626
                      • Opcode ID: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
                      • Instruction ID: 0d76be79c55a0237b493b10f9ec5be6125ba7ce9be49b25e4c886387d44134cc
                      • Opcode Fuzzy Hash: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
                      • Instruction Fuzzy Hash: E141B731900615BBCB107BB5CC45DAF3668EF45329B61833BF422F10E1D67C8A529AAE

                      Control-flow Graph

                      control_flow_graph 582 406726-406746 GetSystemDirectoryA 583 406748 582->583 584 40674a-40674c 582->584 583->584 585 40675c-40675e 584->585 586 40674e-406756 584->586 588 40675f-406791 wsprintfA LoadLibraryExA 585->588 586->585 587 406758-40675a 586->587 587->588
                      APIs
                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
                      • wsprintfA.USER32 ref: 00406776
                      • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: DirectoryLibraryLoadSystemwsprintf
                      • String ID: %s%s.dll$UXTHEME$\
                      • API String ID: 2200240437-4240819195
                      • Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                      • Instruction ID: 0c3db372634d2cfba6f48721b0c795b31ebca02323a8b7d7371d162bf0ec7b9a
                      • Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                      • Instruction Fuzzy Hash: FBF0FC7050021966DB15A764DD0DFEA365CAB08309F1404BEA586E20C1D6B8D5258B69

                      Control-flow Graph

                      control_flow_graph 589 4068d9-4068fc 590 406906-406909 589->590 591 4068fe-406901 589->591 593 40690c-406915 590->593 592 407326-40732a 591->592 594 407323 593->594 595 40691b 593->595 594->592 596 406922-406926 595->596 597 406a62-407109 595->597 598 4069c7-4069cb 595->598 599 406a37-406a3b 595->599 603 40692c-406939 596->603 604 40730e-407321 596->604 608 407123-407139 597->608 609 40710b-407121 597->609 601 4069d1-4069ea 598->601 602 407277-407281 598->602 605 406a41-406a55 599->605 606 407286-407290 599->606 607 4069ed-4069f1 601->607 602->604 603->594 610 40693f-406985 603->610 604->592 611 406a58-406a60 605->611 606->604 607->598 613 4069f3-4069f9 607->613 612 40713c-407143 608->612 609->612 614 406987-40698b 610->614 615 4069ad-4069af 610->615 611->597 611->599 620 407145-407149 612->620 621 40716a-407176 612->621 618 406a23-406a35 613->618 619 4069fb-406a02 613->619 622 406996-4069a4 GlobalAlloc 614->622 623 40698d-406990 GlobalFree 614->623 616 4069b1-4069bb 615->616 617 4069bd-4069c5 615->617 616->616 616->617 617->607 618->611 625 406a04-406a07 GlobalFree 619->625 626 406a0d-406a1d GlobalAlloc 619->626 627 4072f8-407302 620->627 628 40714f-407167 620->628 621->593 622->594 624 4069aa 622->624 623->622 624->615 625->626 626->594 626->618 627->604 628->621
                      Strings
                      • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 004068E3
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID:
                      • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                      • API String ID: 0-292220189
                      • Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
                      • Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
                      • Opcode Fuzzy Hash: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
                      • Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45

                      Control-flow Graph

                      control_flow_graph 630 403305-40332d GetTickCount 631 403333-40335e call 403484 SetFilePointer 630->631 632 40345d-403465 call 402ebd 630->632 638 403363-403375 631->638 637 403467-40346b 632->637 639 403377 638->639 640 403379-403387 call 40346e 638->640 639->640 643 40338d-403399 640->643 644 40344f-403452 640->644 645 40339f-4033a5 643->645 644->637 646 4033d0-4033ec call 4068d9 645->646 647 4033a7-4033ad 645->647 653 403458 646->653 654 4033ee-4033f6 646->654 647->646 648 4033af-4033cf call 402ebd 647->648 648->646 655 40345a-40345b 653->655 656 4033f8-403400 call 405fc2 654->656 657 403419-40341f 654->657 655->637 661 403405-403407 656->661 657->653 659 403421-403423 657->659 659->653 660 403425-403438 659->660 660->638 662 40343e-40344d SetFilePointer 660->662 663 403454-403456 661->663 664 403409-403415 661->664 662->632 663->655 664->645 665 403417 664->665 665->660
                      APIs
                      • GetTickCount.KERNEL32 ref: 00403319
                        • Part of subcall function 00403484: SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492
                      • SetFilePointer.KERNEL32(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
                      • SetFilePointer.KERNEL32(?,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447
                      Strings
                      • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00403379, 0040337F
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: FilePointer$CountTick
                      • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                      • API String ID: 1092082344-292220189
                      • Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
                      • Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
                      • Opcode Fuzzy Hash: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
                      • Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD

                      Control-flow Graph

                      Basic blocks (node: address range, calls made):
                      • 666: 405f4a-405f54
                      • 667: 405f55-405f80 (GetTickCount, GetTempFileNameA)
                      • 668: 405f82-405f84
                      • 669: 405f8f-405f91
                      • 670: 405f89-405f8c
                      • 671: 405f86
                      Edges: 666->667, 667->668, 667->669, 668->667, 668->671, 669->670, 671->670
                      APIs
                      • GetTickCount.KERNEL32 ref: 00405F5E
                      • GetTempFileNameA.KERNEL32(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78
                      Strings
                      Similarity
                      • API ID: CountFileNameTempTick
                      • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                      • API String ID: 1716503409-678247507
                      • Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                      • Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
                      • Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                      • Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798

                      Control-flow Graph

                      Basic blocks (node: address range, calls made):
                      • 672: 4020a5-4020b1
                      • 673: 4020b7-4020cd (call 402c39, twice)
                      • 674: 40216c-40216e
                      • 675: 4022e5-4022ea (call 401423)
                      • 681: 402ac5-402ad4
                      • 684: 4020dc-4020ea (LoadLibraryExA)
                      • 685: 4020cf-4020da (GetModuleHandleA)
                      • 686: 4020ec-4020f9 (GetProcAddress)
                      • 687: 402165-402167
                      • 689: 402138-40213d (call 4054a9)
                      • 690: 4020fb-402101
                      • 691: 402103-40210f (call 401423)
                      • 692: 40211a-402136
                      • 695: 402142-402145
                      • 698: 40214b-402153 (call 403b0e)
                      • 702: 402159-402160 (FreeLibrary)
                      • 703: 402111-402118
                      Edges: 672->673, 672->674, 673->684, 673->685, 674->675, 675->681, 684->686, 684->687, 685->684, 685->686, 686->689, 686->690, 687->675, 689->695, 690->691, 690->692, 691->695, 691->703, 692->695, 695->681, 695->698, 698->681, 698->702, 702->681, 703->695
                      APIs
                      • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020D0
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                        • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                        • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                      • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020E0
                      • GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
                      • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A
                      Similarity
                      • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                      • String ID:
                      • API String ID: 2987980305-0
                      • Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
                      • Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
                      • Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
                      • Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E

                      Control-flow Graph

                      Basic blocks (node: address range, calls made):
                      • 704: 403a7c-403a8b
                      • 705: 403a97-403a9f
                      • 706: 403a8d-403a90 (CloseHandle)
                      • 707: 403aa1-403aa4 (CloseHandle)
                      • 708: 403aab-403ab7 (call 403ad9, call 405b4a)
                      • 712: 403abc-403abd
                      Edges: 704->705, 704->706, 705->707, 705->708, 706->705, 707->708, 708->712
                      APIs
                      • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
                      • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2
                      Strings
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81
                      • C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\, xrefs: 00403AB2
                      Similarity
                      • API ID: CloseHandle
                      • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\
                      • API String ID: 2962429428-3482683857
                      • Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
                      • Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
                      • Opcode Fuzzy Hash: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
                      • Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9
                      APIs
                      • SetFilePointer.KERNEL32(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222
                      Strings
                      • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00403277, 0040328E, 004032A4
                      Similarity
                      • API ID: FilePointer
                      • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                      • API String ID: 973152223-292220189
                      • Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
                      • Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
                      • Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
                      • Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9
                      APIs
                        • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,C:\Users\user\AppData\Local\Temp\FD47.exe), ref: 00405DC1
                        • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
                        • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
                      • GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                        • Part of subcall function 0040596F: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                      • SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,000000F0), ref: 0040163C
                      Strings
                      • C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00401631
                      Similarity
                      • API ID: CharNext$Directory$AttributesCreateCurrentFile
                      • String ID: C:\Users\user\AppData\Roaming\GamePall\update
                      • API String ID: 1892508949-3327167313
                      • Opcode ID: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
                      • Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
                      • Opcode Fuzzy Hash: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
                      • Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E
                      APIs
                        • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
                        • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,C:\Users\user\AppData\Local\Temp\FD47.exe), ref: 00405DC1
                        • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
                        • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
                      • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,C:\Users\user\AppData\Local\Temp\FD47.exe), ref: 00405E5B
                      • GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0), ref: 00405E6B
                      Strings
                      Similarity
                      • API ID: CharNext$AttributesFilelstrcpynlstrlen
                      • String ID: C:\
                      • API String ID: 3248276644-3404278061
                      • Opcode ID: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
                      • Instruction ID: eca821d8ca18e415d707ee210574ba5bb9731226a542ad11e9256983d04766a4
                      • Opcode Fuzzy Hash: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
                      • Instruction Fuzzy Hash: F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
                      • Instruction ID: 14484b0326c8a5630d33184448731c7578348ec986130544f859662fecd3ad08
                      • Opcode Fuzzy Hash: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
                      • Instruction Fuzzy Hash: 04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
                      • Instruction ID: 16a3963220edad981734dfbd86db7ae4535d0e52bcc7a87e0ef86c627c8cfaa4
                      • Opcode Fuzzy Hash: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
                      • Instruction Fuzzy Hash: 2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
                      • Instruction ID: e981be8a744509f315cfd76b32476d9c10b76e0a4aa84739a8d113cb33934a41
                      • Opcode Fuzzy Hash: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
                      • Instruction Fuzzy Hash: 37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
                      • Instruction ID: 516ab04208dd2bc2fd7cdea6c41d3130492ff38fa800e35acf718bd73fbf6333
                      • Opcode Fuzzy Hash: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
                      • Instruction Fuzzy Hash: A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
                      • Instruction ID: 835baf8de871759411e2c74e4a47f0112f02d54065241c3c7dcda5dc236b3f46
                      • Opcode Fuzzy Hash: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
                      • Instruction Fuzzy Hash: 92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
                      • Instruction ID: ccec74d0ee3a806077926e8984c2e201e8b1f3d886c73ab216be699138b2bca7
                      • Opcode Fuzzy Hash: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
                      • Instruction Fuzzy Hash: 39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45
                      APIs
                      • lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
                      • RegSetValueExA.KERNEL32(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
                      • RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: CloseValuelstrlen
                      • String ID:
                      • API String ID: 2655323295-0
                      • Opcode ID: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
                      • Instruction ID: e1e6ae2a7b536448810537a1ffa9a52b32d6c636ce9630cd27147c6707bb0a71
                      • Opcode Fuzzy Hash: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
                      • Instruction Fuzzy Hash: 04116371E04208AFEB10AFA5DE49AAEBA74EB84714F21443BF504F71C1DAB94D409B68
                      APIs
                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
                      • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
                      • RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Enum$CloseValue
                      • String ID:
                      • API String ID: 397863658-0
                      • Opcode ID: 705f8b49631554dcec7b4eb98624595070a3904998d9344154508b49de78e75c
                      • Instruction ID: 33ff3e85e785963e302667c06a3cb1355a7acd8bf142a31c2560ef5bcfc7d759
                      • Opcode Fuzzy Hash: 705f8b49631554dcec7b4eb98624595070a3904998d9344154508b49de78e75c
                      • Instruction Fuzzy Hash: 2C017571904104FFE7158F54DE88ABF7BACEF81358F20443EF101A61C0DAB44E449679
                      APIs
                        • Part of subcall function 00405EF6: GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
                        • Part of subcall function 00405EF6: SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F
                      • RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B1D
                      • DeleteFileA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B25
                      • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: File$Attributes$DeleteDirectoryRemove
                      • String ID:
                      • API String ID: 1655745494-0
                      • Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
                      • Instruction ID: eeb49a2f717892c2e0964ab94aaac89db2a73fdd151ed94c70539e0cf44bba43
                      • Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
                      • Instruction Fuzzy Hash: 6CE0E531109A9097C62067349908A5B7AF8EF86314F094D3AF9A1F20D0DB38B9468EBD
                      APIs
                      • WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
                      • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 0040682F
                      • GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: ObjectSingleWait$CodeExitProcess
                      • String ID:
                      • API String ID: 2567322000-0
                      • Opcode ID: d1ff3f73a38d8d565191ded27fad29c52e1940f561348969c9200a5cb4687b78
                      • Instruction ID: abee92fc01d0549169be82d64ea8a54f8020188e09ec540bf7ef67874f21f581
                      • Opcode Fuzzy Hash: d1ff3f73a38d8d565191ded27fad29c52e1940f561348969c9200a5cb4687b78
                      • Instruction Fuzzy Hash: 9DE0D832600118FBDB00AB54DD05E9E7F6EEB44704F114033F601B6190C7B59E21DB98
                      APIs
                      • ReadFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,0040B8F8,00403481,00000009,00000009,00403385,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F), ref: 00405FA7
                      Strings
                      • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00405F96
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: FileRead
                      • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                      • API String ID: 2738559852-292220189
                      • Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                      • Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
                      • Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                      • Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8
                      APIs
                      • RegQueryValueExA.KERNEL32(00000000,00000000,?,?,?,?), ref: 0040254E
                      • RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmpDownload File
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmpDownload File
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmpDownload File
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmpDownload File
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmpDownload File
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: CloseQueryValue
                      • String ID:
                      • API String ID: 3356406503-0
                      • Opcode ID: acecc3e732b5dbd74a9740bd21ea2b495ff764a52a6e8e2361329d984987feff
                      • Instruction ID: 7c766f3f1fb2abd04e903467a79d83897fdaad9d0bba0580308fe752c8381985
                      • Opcode Fuzzy Hash: acecc3e732b5dbd74a9740bd21ea2b495ff764a52a6e8e2361329d984987feff
                      • Instruction Fuzzy Hash: 1B11BF71905205EFDB25CF64DA985AE7BB4AF11355F20483FE042B72C0D6B88A85DA1D
                      APIs
                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                      • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID:
                      • API String ID: 3850602802-0
                      • Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
                      • Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
                      • Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
                      • Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D
                      APIs
                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
                      • CloseHandle.KERNEL32(?), ref: 00405A57
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: CloseCreateHandleProcess
                      • String ID:
                      • API String ID: 3712363035-0
                      • Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
                      • Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
                      • Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
                      • Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78
                      APIs
                      • GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
                      • GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
                        • Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
                        • Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
                        • Part of subcall function 00406726: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                      • String ID:
                      • API String ID: 2547128583-0
                      • Opcode ID: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
                      • Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
                      • Opcode Fuzzy Hash: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
                      • Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D
                      APIs
                      • GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\FD47.exe,80000000,00000003), ref: 00405F1F
                      • CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: File$AttributesCreate
                      • String ID:
                      • API String ID: 415043291-0
                      • Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                      • Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
                      • Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                      • Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19
                      APIs
                      • GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
                      • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                      • Instruction ID: 2a9487917742c73a52daa6fa2dda6e447083e2efb983b62a69771bacbdb33add
                      • Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                      • Instruction Fuzzy Hash: E3D0C972504422ABD2102728AE0889BBB55DB94271702CA35FDA5A26F1DB304C569A9C
                      APIs
                      • CreateDirectoryA.KERNEL32(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
                      • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: CreateDirectoryErrorLast
                      • String ID:
                      • API String ID: 1375471231-0
                      • Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                      • Instruction ID: 42ce2bd36b25b14d2ed8d631edf33fc643f4c4eb5ed9af5e51ab4a49ffb09bba
                      • Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                      • Instruction Fuzzy Hash: 9BC04C303145419AD6505B309F4DB177A54AB50741F51553A638AE01A0DA348465DD2D
                      APIs
                      • lstrcpynA.KERNEL32(?,10003024,?,10003020,1000138F,10003020,00000400), ref: 10001454
                      • GlobalFree.KERNELBASE(10003020), ref: 10001464
                      Memory Dump Source
                      • Source File: 00000007.00000002.3858416277.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                      • Associated: 00000007.00000002.3846462996.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                      • Associated: 00000007.00000002.3869595753.0000000010002000.00000002.00000001.01000000.0000000A.sdmp
                      • Associated: 00000007.00000002.3889325330.0000000010004000.00000002.00000001.01000000.0000000A.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_10000000_FD47.jbxd
                      Similarity
                      • API ID: FreeGloballstrcpyn
                      • String ID:
                      • API String ID: 1459762280-0
                      • Opcode ID: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
                      • Instruction ID: 61cff6a9ed434c6726c3e265b98623322506fe6e864b2b4fb358a1092e6d6a6c
                      • Opcode Fuzzy Hash: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
                      • Instruction Fuzzy Hash: 8DF0F8312152209FE315DF24CC94B9777E9FB0A385F018429E691C7278D770E804CB22
                      APIs
                      • RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                      • Instruction ID: 57b18be241489d6c3509c0f1b2cb500900bdd64e2c84313365475615acd8ae2e
                      • Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                      • Instruction Fuzzy Hash: 16E0E672010109BEDF196F50DD0AD7B371DEB04341F01492EF916D4091E6B5A9309734
                      APIs
                      • WriteFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,004114F7,0040B8F8,00403405,0040B8F8,004114F7,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F,00000004), ref: 00405FD6
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: FileWrite
                      • String ID:
                      • API String ID: 3934441357-0
                      • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                      • Instruction ID: d5187e51ab0d96a1766449b5dbb93cac2cdd9e80b7d20ab2fc0b5d8c8d5322e8
                      • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                      • Instruction Fuzzy Hash: 4AE0EC3221065BABDF109E659C04EEB7B6CEB05360F004437FA55E3150D675E8219BA4
                      APIs
                      • RegOpenKeyExA.KERNEL32(00000000,?,00000000,?,?,00420530,?,?,0040629C,00420530,?,?,?,00000002,C:\Windows\wininit.ini), ref: 00406232
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Open
                      • String ID:
                      • API String ID: 71445658-0
                      • Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                      • Instruction ID: e678259d492eddc69303d735af6c58fa5eb03465f078c5ba6a1a088e01eebb4c
                      • Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                      • Instruction Fuzzy Hash: 64D0123244020DBBDF116F90ED01FAB3B1DEB18350F014826FE06A80A1D775D530A725
                      APIs
                      • MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040616B
                        • Part of subcall function 00405FF1: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
                        • Part of subcall function 00405FF1: GetShortPathNameA.KERNEL32(?,NUL,00000400), ref: 0040602B
                        • Part of subcall function 00405FF1: GetShortPathNameA.KERNEL32(?,C:\Windows\wininit.ini,00000400), ref: 00406048
                        • Part of subcall function 00405FF1: wsprintfA.USER32 ref: 00406066
                        • Part of subcall function 00405FF1: GetFileSize.KERNEL32(00000000,00000000,C:\Windows\wininit.ini,C0000000,00000004,C:\Windows\wininit.ini,?,?,?,?,?), ref: 004060A1
                        • Part of subcall function 00405FF1: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
                        • Part of subcall function 00405FF1: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
                        • Part of subcall function 00405FF1: SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,NUL=C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
                        • Part of subcall function 00405FF1: GlobalFree.KERNEL32(00000000), ref: 0040614F
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: File$GlobalNamePathShort$AllocCloseFreeHandleMovePointerSizelstrcpywsprintf
                      • String ID:
                      • API String ID: 299535525-0
                      • Opcode ID: e5ed7b2843c229ea28ef8c1ce415cb2f1f2a9dfc0e88d0e1822b60b3228602b1
                      • Instruction ID: 0556bd0dd0e376f9d1944fcc72f0db357db156cd0d89a75f2f72d3c973fa690a
                      • Opcode Fuzzy Hash: e5ed7b2843c229ea28ef8c1ce415cb2f1f2a9dfc0e88d0e1822b60b3228602b1
                      • Instruction Fuzzy Hash: F0D0C731108602FFDB111B10ED0591B7BA5FF90355F11943EF599940B1DB368461DF09
                      APIs
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                      • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                      • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                      • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                      APIs
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                        • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                        • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                        • Part of subcall function 00405A21: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
                        • Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57
                      • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
                        • Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
                        • Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
                        • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                      • String ID:
                      • API String ID: 2972824698-0
                      • Opcode ID: 5a6c6c0fb7ef29f4985f4766a88127bea2ca1a19b834f4a1a12170b8a3b172af
                      • Instruction ID: dce1314ccbc215d7d9c334b017be086f7c4cc40ba0f87dfe0d8145fd67a5eb82
                      • Opcode Fuzzy Hash: 5a6c6c0fb7ef29f4985f4766a88127bea2ca1a19b834f4a1a12170b8a3b172af
                      • Instruction Fuzzy Hash: 2DF0B432A05121DBDB20BFA59EC49EEB2A4DF41318B25463FF502B21D1CB7C4D418A6E
                      APIs
                      • GetDlgItem.USER32(?,00000403), ref: 00405646
                      • GetDlgItem.USER32(?,000003EE), ref: 00405655
                      • GetClientRect.USER32(?,?), ref: 00405692
                      • GetSystemMetrics.USER32(00000002), ref: 00405699
                      • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056BA
                      • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056CB
                      • SendMessageA.USER32(?,00001001,00000000,?), ref: 004056DE
                      • SendMessageA.USER32(?,00001026,00000000,?), ref: 004056EC
                      • SendMessageA.USER32(?,00001024,00000000,?), ref: 004056FF
                      • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405721
                      • ShowWindow.USER32(?,00000008), ref: 00405735
                      • GetDlgItem.USER32(?,000003EC), ref: 00405756
                      • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405766
                      • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040577F
                      • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040578B
                      • GetDlgItem.USER32(?,000003F8), ref: 00405664
                        • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
                      • GetDlgItem.USER32(?,000003EC), ref: 004057A7
                      • CreateThread.KERNEL32(00000000,00000000,Function_0000557B,00000000), ref: 004057B5
                      • CloseHandle.KERNEL32(00000000), ref: 004057BC
                      • ShowWindow.USER32(00000000), ref: 004057DF
                      • ShowWindow.USER32(?,00000008), ref: 004057E6
                      • ShowWindow.USER32(00000008), ref: 0040582C
                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
                      • CreatePopupMenu.USER32 ref: 00405871
                      • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
                      • GetWindowRect.USER32(?,000000FF), ref: 004058A6
                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
                      • OpenClipboard.USER32(00000000), ref: 0040590B
                      • EmptyClipboard.USER32 ref: 00405911
                      • GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
                      • GlobalLock.KERNEL32(00000000), ref: 00405924
                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
                      • GlobalUnlock.KERNEL32(00000000), ref: 00405951
                      • SetClipboardData.USER32(00000001,00000000), ref: 0040595C
                      • CloseClipboard.USER32 ref: 00405962
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                      • String ID: PB
                      • API String ID: 590372296-3196168531
                      • Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                      • Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
                      • Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                      • Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58
                      APIs
                      • GetDlgItem.USER32(?,000003FB), ref: 004048E6
                      • SetWindowTextA.USER32(00000000,?), ref: 00404910
                      • SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
                      • CoTaskMemFree.OLE32(00000000), ref: 004049CC
                      • lstrcmpiA.KERNEL32(C:\Windows\wininit.ini,00420D50), ref: 004049FE
                      • lstrcatA.KERNEL32(?,C:\Windows\wininit.ini), ref: 00404A0A
                      • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C
                        • Part of subcall function 00405A82: GetDlgItemTextA.USER32(?,?,00000400,00404A53), ref: 00405A95
                        • Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\FD47.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
                        • Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\FD47.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
                        • Part of subcall function 00406666: CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\FD47.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
                        • Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\FD47.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
                      • GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5
                        • Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                        • Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
                        • Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                      • String ID: A$C:\Users\user\AppData\Roaming\GamePall$C:\Windows\wininit.ini$PB
                      • API String ID: 2624150263-3088350716
                      • Opcode ID: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
                      • Instruction ID: 03633cdec68ae3b48ba4c7d33c4768738bfb21d85bfcf2e4b9185cba9ee35c0f
                      • Opcode Fuzzy Hash: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
                      • Instruction Fuzzy Hash: 7DA150B1A00208AADB11EFA5DD45BAFB6B8EF84315F10803BF601B62D1D77C99418F6D
                      APIs
                      • CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA
                      Strings
                      • C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00402238
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: ByteCharCreateInstanceMultiWide
                      • String ID: C:\Users\user\AppData\Roaming\GamePall\update
                      • API String ID: 123533781-3327167313
                      • Opcode ID: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
                      • Instruction ID: 4a55140eb955682c0845ac661669d1effe53c60cfc8a987c49de3bb9103baba8
                      • Opcode Fuzzy Hash: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
                      • Instruction Fuzzy Hash: B2513575A00208AFDF10DFE4CA88A9D7BB5EF48314F2045BAF505EB2D1DA799981CB54
                      APIs
                      • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B9
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: FileFindFirst
                      • String ID:
                      • API String ID: 1974802433-0
                      • Opcode ID: 3697544f2be0618a58616ff40495ed399055e36512a5e022deae8fba2564a7e1
                      • Instruction ID: 9767438fe71d1176ff9aac627a01f72906af616df08219c0cc944b63bddc0547
                      • Opcode Fuzzy Hash: 3697544f2be0618a58616ff40495ed399055e36512a5e022deae8fba2564a7e1
                      • Instruction Fuzzy Hash: CCF0A0726082049AD710EBA49A49AEEB7689F51324F60057BF142F20C1D6B889459B2A
                      APIs
                      • GetDlgItem.USER32(?,000003F9), ref: 00404E21
                      • GetDlgItem.USER32(?,00000408), ref: 00404E2E
                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E7D
                      • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E94
                      • SetWindowLongA.USER32(?,000000FC,0040541D), ref: 00404EAE
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EC0
                      • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404ED4
                      • SendMessageA.USER32(?,00001109,00000002), ref: 00404EEA
                      • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404EF6
                      • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F06
                      • DeleteObject.GDI32(00000110), ref: 00404F0B
                      • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F36
                      • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F42
                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404FDC
                      • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 0040500C
                        • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00405020
                      • GetWindowLongA.USER32(?,000000F0), ref: 0040504E
                      • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040505C
                      • ShowWindow.USER32(?,00000005), ref: 0040506C
                      • SendMessageA.USER32(?,00000419,00000000,?), ref: 00405167
                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051CC
                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004051E1
                      • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405205
                      • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405225
                      • ImageList_Destroy.COMCTL32(?), ref: 0040523A
                      • GlobalFree.KERNEL32(?), ref: 0040524A
                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052C3
                      • SendMessageA.USER32(?,00001102,?,?), ref: 0040536C
                      • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040537B
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 004053A6
                      • ShowWindow.USER32(?,00000000), ref: 004053F4
                      • GetDlgItem.USER32(?,000003FE), ref: 004053FF
                      • ShowWindow.USER32(00000000), ref: 00405406
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                      • String ID: $M$N
                      • API String ID: 2564846305-813528018
                      • Opcode ID: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
                      • Instruction ID: c306c4130ea67d8582adb4b0d0e706bf782d7aff15223233fd0d43401108afdf
                      • Opcode Fuzzy Hash: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
                      • Instruction Fuzzy Hash: 6C025CB0A00609AFDB209F94DD45AAE7BB5FB84354F10817AF610BA2E1D7789D42CF58
                      APIs
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
                      • ShowWindow.USER32(?), ref: 00403F67
                      • GetWindowLongA.USER32(?,000000F0), ref: 00403F79
                      • ShowWindow.USER32(?,00000004), ref: 00403F92
                      • DestroyWindow.USER32 ref: 00403FA6
                      • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FBF
                      • GetDlgItem.USER32(?,?), ref: 00403FDE
                      • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403FF2
                      • IsWindowEnabled.USER32(00000000), ref: 00403FF9
                      • GetDlgItem.USER32(?,00000001), ref: 004040A4
                      • GetDlgItem.USER32(?,00000002), ref: 004040AE
                      • SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
                      • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404119
                      • GetDlgItem.USER32(?,00000003), ref: 004041BF
                      • ShowWindow.USER32(00000000,?), ref: 004041E0
                      • EnableWindow.USER32(?,?), ref: 004041F2
                      • EnableWindow.USER32(?,?), ref: 0040420D
                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
                      • EnableMenuItem.USER32(00000000), ref: 0040422A
                      • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404242
                      • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404255
                      • lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
                      • SetWindowTextA.USER32(?,00420D50), ref: 0040428E
                      • ShowWindow.USER32(?,0000000A), ref: 004043C2
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                      • String ID: PB
                      • API String ID: 1860320154-3196168531
                      • Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
                      • Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
                      • Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
                      • Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D
                      APIs
                      • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004045FB
                      • GetDlgItem.USER32(00000000,000003E8), ref: 0040460F
                      • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040462D
                      • GetSysColor.USER32(?), ref: 0040463E
                      • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040464D
                      • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040465C
                      • lstrlenA.KERNEL32(?), ref: 0040465F
                      • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040466E
                      • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404683
                      • GetDlgItem.USER32(?,0000040A), ref: 004046E5
                      • SendMessageA.USER32(00000000), ref: 004046E8
                      • GetDlgItem.USER32(?,000003E8), ref: 00404713
                      • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404753
                      • LoadCursorA.USER32(00000000,00007F02), ref: 00404762
                      • SetCursor.USER32(00000000), ref: 0040476B
                      • LoadCursorA.USER32(00000000,00007F00), ref: 00404781
                      • SetCursor.USER32(00000000), ref: 00404784
                      • SendMessageA.USER32(00000111,00000001,00000000), ref: 004047B0
                      • SendMessageA.USER32(00000010,00000000,00000000), ref: 004047C4
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                      • String ID: N$6B
                      • API String ID: 3103080414-649610290
                      • Opcode ID: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
                      • Instruction ID: 424ea1d81b5f8fd67bb79b8421ee67f108f717641e3cc5fc4ea293435da972af
                      • Opcode Fuzzy Hash: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
                      • Instruction Fuzzy Hash: CE6190B1A40208BFDB109F61DD45B6A7B69FB84715F10843AFB01BB2D1C7B8A951CF98
                      APIs
                      • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                      • BeginPaint.USER32(?,?), ref: 00401047
                      • GetClientRect.USER32(?,?), ref: 0040105B
                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                      • DeleteObject.GDI32(?), ref: 004010ED
                      • CreateFontIndirectA.GDI32(?), ref: 00401105
                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                      • SelectObject.GDI32(00000000,?), ref: 00401140
                      • DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                      • DeleteObject.GDI32(?), ref: 00401165
                      • EndPaint.USER32(?,?), ref: 0040116E
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                      • String ID: F
                      • API String ID: 941294808-1304234792
                      • Opcode ID: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                      • Instruction ID: bc851ab26da2bb863bf3a2ee07eb2f950de800ada4cbee7b2d64f78586a04119
                      • Opcode Fuzzy Hash: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                      • Instruction Fuzzy Hash: 2C419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C734DA55DFA4
                      APIs
                      • lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                      • lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                      • lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                      • SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                      • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                      • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                      • String ID: 4/@
                      • API String ID: 2531174081-3101945251
                      APIs
                      • CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\FD47.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
                      • CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\FD47.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
                      • CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\FD47.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
                      • CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\FD47.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
                      Strings
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00406667
                      • *?|<>/":, xrefs: 004066AE
                      • C:\Users\user\AppData\Local\Temp\FD47.exe, xrefs: 00406666
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Char$Next$Prev
                      • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\FD47.exe
                      • API String ID: 589700163-3815840707
                      APIs
                      • DestroyWindow.USER32(?,00000000), ref: 00402ED5
                      • GetTickCount.KERNEL32 ref: 00402EF3
                      • wsprintfA.USER32 ref: 00402F21
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                        • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                        • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                      • CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
                      • ShowWindow.USER32(00000000,00000005), ref: 00402F53
                        • Part of subcall function 00402EA1: MulDiv.KERNEL32(?,00000064,?), ref: 00402EB6
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                      • String ID: ... %d%%$#Vh%.@
                      • API String ID: 722711167-1706192003
                      APIs
                      • GetWindowLongA.USER32(?,000000EB), ref: 00404489
                      • GetSysColor.USER32(00000000), ref: 004044C7
                      • SetTextColor.GDI32(?,00000000), ref: 004044D3
                      • SetBkMode.GDI32(?,?), ref: 004044DF
                      • GetSysColor.USER32(?), ref: 004044F2
                      • SetBkColor.GDI32(?,?), ref: 00404502
                      • DeleteObject.GDI32(?), ref: 0040451C
                      • CreateBrushIndirect.GDI32(?), ref: 00404526
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                      • String ID:
                      • API String ID: 2320649405-0
                      APIs
                      • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D73
                      • GetMessagePos.USER32 ref: 00404D7B
                      • ScreenToClient.USER32(?,?), ref: 00404D95
                      • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DA7
                      • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DCD
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Message$Send$ClientScreen
                      • String ID: f
                      • API String ID: 41195575-1993550816
                      APIs
                      • CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                      • GetLastError.KERNEL32 ref: 004059C6
                      • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
                      • GetLastError.KERNEL32 ref: 004059E5
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: ErrorLast$CreateDirectoryFileSecurity
                      • String ID: !9@$C:\Users\user\AppData\Local\Temp\
                      • API String ID: 3449924974-2369717338
                      APIs
                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
                      • wsprintfA.USER32 ref: 00402E74
                      • SetWindowTextA.USER32(?,?), ref: 00402E84
                      • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Text$ItemTimerWindowwsprintf
                      • String ID: unpacking data: %d%%$verifying installer: %d%%
                      • API String ID: 1451636040-1158693248
                      APIs
                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
                      • GlobalFree.KERNEL32(?), ref: 004028A4
                      • GlobalFree.KERNEL32(00000000), ref: 004028B7
                      • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
                      • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Global$AllocFree$CloseDeleteFileHandle
                      • String ID:
                      • API String ID: 2667972263-0
                      APIs
                      • OpenProcess.KERNEL32(00100401,00000000,?,0000025E,?,00000000,?), ref: 10001054
                      • EnumWindows.USER32(10001007,?), ref: 10001074
                      • GetExitCodeProcess.KERNEL32(00000000,?), ref: 10001084
                      • WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 1000109D
                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 100010AE
                      • CloseHandle.KERNEL32(00000000), ref: 100010C5
                      Memory Dump Source
                      • Source File: 00000007.00000002.3858416277.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_10000000_FD47.jbxd
                      Similarity
                      • API ID: Process$CloseCodeEnumExitHandleObjectOpenSingleTerminateWaitWindows
                      • String ID:
                      • API String ID: 3465249596-0
                      APIs
                      • lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                      • wsprintfA.USER32 ref: 00404CF4
                      • SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: ItemTextlstrlenwsprintf
                      • String ID: %u.%u%s%s$PB
                      • API String ID: 3540041739-838025833
                      APIs
                      • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: CloseEnum$DeleteValue
                      • String ID:
                      • API String ID: 1354259210-0
                      • Opcode ID: 6a17d2dfc8014f9998472e4bb2df9c50261cd009cc462a72ab7525fe56808e65
                      • Instruction ID: 1f7d8097ab2fb743d310579a2b4365e3e31c1a4ec17ce584dda370d325fd3950
                      • Opcode Fuzzy Hash: 6a17d2dfc8014f9998472e4bb2df9c50261cd009cc462a72ab7525fe56808e65
                      • Instruction Fuzzy Hash: 1D214B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AF955B11A0D7B49EA49AA8
                      APIs
                      • GetDlgItem.USER32(?,?), ref: 00401D7E
                      • GetClientRect.USER32(?,?), ref: 00401DCC
                      • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
                      • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
                      • DeleteObject.GDI32(00000000), ref: 00401E20
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                      • String ID:
                      • API String ID: 1849352358-0
                      • Opcode ID: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
                      • Instruction ID: cb7cd4706ec086029cb46641885d9617bace417a5341e65c45b3777010ef1041
                      • Opcode Fuzzy Hash: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
                      • Instruction Fuzzy Hash: 35212A72E00109AFDF15DFA4DD85AAEBBB5EB88300F24417EF911F62A0DB389941DB14
                      APIs
                      • GetDC.USER32(?), ref: 00401E38
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                      • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                      • ReleaseDC.USER32(?,00000000), ref: 00401E6B
                      • CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: CapsCreateDeviceFontIndirectRelease
                      • String ID:
                      • API String ID: 3808545654-0
                      • Opcode ID: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
                      • Instruction ID: bfe7ce59390996d5b2ac71ca67757b7c78ff13e1b53bdd881068f9c0e557254e
                      • Opcode Fuzzy Hash: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
                      • Instruction Fuzzy Hash: 66018072504340AEE7007BB0AF8AA9A7FE8E755701F109439F241B61E2CB790449CB6C
                      APIs
                      • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                      • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: MessageSend$Timeout
                      • String ID: !
                      • API String ID: 1777923405-2657877971
                      • Opcode ID: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                      • Instruction ID: a12cfbdd51ff26f17676da16b1bc06906883597644a76ef85f46b7bf1251d8d3
                      • Opcode Fuzzy Hash: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                      • Instruction Fuzzy Hash: 2A218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18
                      APIs
                      • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
                      • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
                      • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A
                      Strings
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: CharPrevlstrcatlstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp\
                      • API String ID: 2659869361-3081826266
                      • Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                      • Instruction ID: 6a6775ee8fa4d5d8d60a890cb1840bbff54d6a4bc9e312217f61a2b57c53a4e0
                      • Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                      • Instruction Fuzzy Hash: 82D0A7625015307AD20167154C09DDF29488F523017094027F501B7191C67C5C1187FD
                      APIs
                      • CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,C:\Users\user\AppData\Local\Temp\FD47.exe), ref: 00405DC1
                      • CharNextA.USER32(00000000), ref: 00405DC6
                      • CharNextA.USER32(00000000), ref: 00405DDA
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: CharNext
                      • String ID: C:\
                      • API String ID: 3213498283-3404278061
                      • Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
                      • Instruction ID: a81d310af092f64b8c374c4571b8fed5a60269d48026fa3bbeeaae68e06855d2
                      • Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
                      • Instruction Fuzzy Hash: 71F09661904F542BFB3293648C4CB776B8DCF55351F28947BE6807A6C1C27C59808FEA
                      APIs
                      • IsWindowVisible.USER32(?), ref: 0040544C
                      • CallWindowProcA.USER32(?,?,?,?), ref: 0040549D
                        • Part of subcall function 00404451: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404463
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: Window$CallMessageProcSendVisible
                      • String ID:
                      • API String ID: 3748168415-3916222277
                      • Opcode ID: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
                      • Instruction ID: ce4d6245f7a5538c18ae28323cba1b5bdda0ccdff68052f186ad3da5f1ae13b7
                      • Opcode Fuzzy Hash: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
                      • Instruction Fuzzy Hash: 2A015E31200608AFDF216F51DD80BAF3A66EB84716F104537FA05761D2C7799CD29F6A
                      APIs
                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Windows\wininit.ini,00420530,?,?,?,00000002,C:\Windows\wininit.ini,?,00406527,80000002), ref: 004062B5
                      • RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Windows\wininit.ini,C:\Windows\wininit.ini,C:\Windows\wininit.ini,?,00420530), ref: 004062C0
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: CloseQueryValue
                      • String ID: C:\Windows\wininit.ini
                      • API String ID: 3356406503-2725141966
                      • Opcode ID: b5b3bad3c76d40b2ede80ce474e794f1db4bf40d8bfbb80b5b2804fbfeedd4a0
                      • Instruction ID: 5c8aa4f59809ec7c4ed175be077f356401e74c3ba082423fbe1b6bbc42bea5f4
                      • Opcode Fuzzy Hash: b5b3bad3c76d40b2ede80ce474e794f1db4bf40d8bfbb80b5b2804fbfeedd4a0
                      • Instruction Fuzzy Hash: 8101BC72100209ABDF229F60CC09FDB3FA8EF45364F01407AFD56A6190D638C974CBA8
                      APIs
                      • lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\FD47.exe,C:\Users\user\AppData\Local\Temp\FD47.exe,80000000,00000003), ref: 00405D67
                      • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\FD47.exe,C:\Users\user\AppData\Local\Temp\FD47.exe,80000000,00000003), ref: 00405D75
                      Strings
                      • C:\Users\user\AppData\Local\Temp, xrefs: 00405D61
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: CharPrevlstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp
                      • API String ID: 2709904686-47812868
                      • Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                      • Instruction ID: 27c40c0738421aba4af956c8f0f705930dfe744a77a65273bf6dbb66402e0641
                      • Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                      • Instruction Fuzzy Hash: CBD0A772409D706EE31353208C04B8F6A48CF13300F0D4063E481A6190C2785C424BFD
                      APIs
                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
                      • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
                      • CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
                      • lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
                      Memory Dump Source
                      • Source File: 00000007.00000002.3392640187.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000007.00000002.3392605209.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392672177.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000436000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000439000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000446000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000454000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.000000000045B000.00000002.00000001.01000000.00000008.sdmp
                      • Associated: 00000007.00000002.3425613931.0000000000462000.00000002.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_400000_FD47.jbxd
                      Similarity
                      • API ID: lstrlen$CharNextlstrcmpi
                      • String ID:
                      • API String ID: 190613189-0
                      • Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                      • Instruction ID: 98ea32bb50e75ca8be10b873c57fc005eda9f523d07111d413316ed06cfa332a
                      • Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                      • Instruction Fuzzy Hash: 5FF06235104918AFCB129BA5DD4099EBFA8EF55350B2540B9E880F7211D674DF019BA9

                      Execution Graph

                      Execution Coverage:1.2%
                      Dynamic/Decrypted Code Coverage:20.2%
                      Signature Coverage:1.5%
                      Total number of Nodes:1542
                      Total number of Limit Nodes:93
                      execution_graph (nodes with resolved API calls, ordered by address; node id, address, calls):
                      145692 a33052 (entry node, no API call)
                      145694 a3306a LoadLibraryA CreateThread WaitForSingleObject FreeLibrary
                      145806 3cd1f2d GetUserDefaultUILanguage
                      145811 3cd1fe7 GetKeyboardLayoutList
                      145843 3cd2103 GetCurrentHwProfileA
                      145844 3cd212d GetSystemInfo
                      145852 3cd2159 GlobalMemoryStatusEx
                      145854 3cd21db EnumDisplayDevicesA
                      145855 3cd21ee ObtainUserAgentString
                      145696 3cd21f5 InitializeCriticalSectionAndSpinCount
                      145697 3cd2219 CreateMutexA
                      145700 3cd2235 GetLastError
                      145735 3cd23dd ExitProcess
                      145739 3cd2412 ExitProcess
                      145742 3cd2447 ExitProcess
                      145824 3cd2468 CreateThread CreateThread WaitForMultipleObjects
                      145768 3cd25a2 GetModuleFileNameW
                      145703 3cd264f DeleteCriticalSection
                      145699 3cd2678 ExitProcess
                      145900 3cd2991 WideCharToMultiByte IsDBCSLeadByte WideCharToMultiByte __aulldvrm
                      145897 3cd2e29 WideCharToMultiByte
                      145898 3cd2eb1 WideCharToMultiByte
                      145800, 145801, 145802, 145885, 145886, 145899, 145902, 146038, 146040, 146042 3cd3508 EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection
                      145873 3cd353a GetProcessHeap HeapFree
                      145858 3cd3d76 EnterCriticalSection
                      145860 3cd3ea4 LeaveCriticalSection
                      145803 3cd46d4 GetModuleHandleA
                      145804 3cd46f2 LoadLibraryA
                      145791 3cd4860 VirtualAlloc
                      145796 3cd48d0 GetCurrentProcess IsWow64Process
                      145823 3cd4c06 GetSystemMetrics GetSystemMetrics
                      145825 3cd4e17 ReleaseDC
                      145901 3cd51f6 EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection
                      145878 3cd5517 Sleep
                      146041 3cd6c7f EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection
                      Subroutine nodes the plugin summarises by call count (address: calls): 3cd1000: 48 API calls, 3cd3536: 2 API calls, 3cd35db: 11 API calls, 3cd3d1c: 6 API calls, 3cd3d76: 10 API calls, 3cd46d4: 2 API calls, 3cd5239: 4 API calls
                      Edges of note: 145697 (CreateMutexA) -> 145699 (ExitProcess) and 145697 -> 145700 (GetLastError) -> 145699 (ExitProcess); 145824 (CreateThread, WaitForMultipleObjects) -> 145835 -> 145841 -> 145843 (GetCurrentHwProfileA) -> 145844 (GetSystemInfo) -> 145852 (GlobalMemoryStatusEx) -> 145856 -> 145854 (EnumDisplayDevicesA) -> 145855 (ObtainUserAgentString)
145900->145896 145901->145893 145902->145831 145904 3cd101e 145903->145904 145905 3cd1412 145903->145905 145904->145905 145934 3cd407d GetFileAttributesW 145904->145934 145905->145839 145907 3cd1035 145907->145905 145935 3cd3508 EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection 145907->145935 145909 3cd1049 145936 3cd3508 EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection 145909->145936 145911 3cd1052 145916 3cd13d5 145911->145916 145937 3cd3600 145911->145937 145912 3cd3536 2 API calls 145914 3cd140b 145912->145914 145915 3cd3536 2 API calls 145914->145915 145915->145905 145916->145912 145917 3cd3508 EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection 145931 3cd1156 145917->145931 145918 3cd3600 7 API calls 145918->145931 145919 3cd3eb6 41 API calls 145919->145931 145924 3cd40ba 13 API calls 145924->145931 145925 3cd1662 EnterCriticalSection 145992 3cd4e27 145925->145992 145929 3cd3d76 10 API calls 145929->145931 145930 3cd3536 GetProcessHeap HeapFree 145930->145931 145931->145916 145931->145917 145931->145918 145931->145919 145931->145924 145931->145925 145931->145929 145931->145930 145932 3cd1000 46 API calls 145931->145932 145933 3cd3efc 41 API calls 145931->145933 145940 3cd446c 145931->145940 145972 3cd369c 145931->145972 145976 3cd1a62 145931->145976 145984 3cd1c94 145931->145984 145989 3cd1ba5 145931->145989 145932->145931 145933->145931 145934->145907 145935->145909 145936->145911 146016 3cd3084 145937->146016 146025 3cd407d GetFileAttributesW 145940->146025 145942 3cd447e 145943 3cd46cd 145942->145943 146026 3cd3508 EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection 145942->146026 145943->145931 145945 3cd4494 145946 3cd46c5 145945->145946 145948 3cd3600 7 API calls 145945->145948 145947 3cd3536 2 API calls 145946->145947 145947->145943 145949 3cd44b1 145948->145949 145950 3cd44cf EnterCriticalSection 145949->145950 145951 3cd4539 LeaveCriticalSection 145950->145951 145952 3cd459b 
145951->145952 145953 3cd4552 145951->145953 145952->145946 145954 3cd45be EnterCriticalSection 145952->145954 145953->145952 145955 3cd456f 145953->145955 145957 3cd45f5 LeaveCriticalSection 145954->145957 146028 3cd42ec 21 API calls 145955->146028 145959 3cd460d 145957->145959 145960 3cd4691 EnterCriticalSection 145957->145960 145958 3cd4574 145958->145952 145961 3cd4578 145958->145961 146027 3cd3508 EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection 145959->146027 145964 3cd46ba LeaveCriticalSection 145960->145964 145963 3cd3536 2 API calls 145961->145963 145966 3cd4580 145963->145966 145964->145946 145965 3cd4617 145965->145960 145969 3cd4634 EnterCriticalSection 145965->145969 145967 3cd446c 29 API calls 145966->145967 145968 3cd4594 145967->145968 145968->145943 145970 3cd4675 LeaveCriticalSection 145969->145970 145970->145960 145971 3cd4689 145970->145971 145971->145960 145973 3cd36b0 145972->145973 145975 3cd36b4 145973->145975 146029 3cd3508 EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection 145973->146029 145975->145931 145977 3cd1a7f 145976->145977 145978 3cd1a7a 145976->145978 145981 3cd1a84 145977->145981 146031 3cd3508 EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection 145977->146031 146030 3cd1a2d EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection 145978->146030 145981->145931 145983 3cd1ab3 145983->145981 146032 3cd1a4f GetProcessHeap HeapFree 145983->146032 145985 3cd46d4 2 API calls 145984->145985 145987 3cd1ccd 145985->145987 145986 3cd1cfa 145986->145931 145987->145986 145988 3cd1d0c CryptProtectData 145987->145988 145988->145986 146033 3cd3508 EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection 145989->146033 145991 3cd1bcb 145991->145931 145993 3cd4e49 145992->145993 145994 3cd4e8a 145992->145994 145995 3cd3600 7 API calls 145993->145995 146002 3cd167e LeaveCriticalSection 145994->146002 146034 3cd3508 EnterCriticalSection GetProcessHeap HeapAlloc 
LeaveCriticalSection 145994->146034 145997 3cd4e80 145995->145997 146036 3cd407d GetFileAttributesW 145997->146036 145998 3cd4eaa 146035 3cd3508 EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection 145998->146035 146001 3cd4eb4 146003 3cd3600 7 API calls 146001->146003 146002->145931 146004 3cd4ec2 146003->146004 146005 3cd5183 146004->146005 146009 3cd3eb6 41 API calls 146004->146009 146010 3cd3600 7 API calls 146004->146010 146011 3cd4f84 EnterCriticalSection 146004->146011 146015 3cd4e27 41 API calls 146004->146015 146037 3cd407d GetFileAttributesW 146004->146037 146006 3cd3536 2 API calls 146005->146006 146007 3cd518a 146006->146007 146008 3cd3536 2 API calls 146007->146008 146008->146002 146009->146004 146010->146004 146013 3cd4e27 41 API calls 146011->146013 146014 3cd4f9f LeaveCriticalSection 146013->146014 146014->146004 146015->146004 146022 3cd3090 146016->146022 146017 3cd34c2 146017->145931 146019 3cd329d IsDBCSLeadByte 146020 3cd32aa MultiByteToWideChar 146019->146020 146019->146022 146020->146022 146021 3cd3308 IsDBCSLeadByte 146021->146022 146022->146017 146022->146019 146022->146021 146023 3cd3329 MultiByteToWideChar 146022->146023 146024 3cd2991 WideCharToMultiByte IsDBCSLeadByte WideCharToMultiByte __aulldvrm 146022->146024 146023->146022 146024->146022 146025->145942 146026->145945 146027->145965 146028->145958 146029->145975 146030->145977 146031->145983 146032->145981 146033->145991 146034->145998 146035->146001 146036->145994 146037->146004 146038->145848 146039->145862 146040->145864 146041->145866 146042->145882 146044 3cd1f25 146043->146044 146045 3cd1d54 146043->146045 146045->146044 146046 3cd3600 7 API calls 146045->146046 146047 3cd1d75 146046->146047 146047->146044 146065 3cd3508 EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection 146047->146065 146049 3cd1f1c 146050 3cd3536 2 API calls 146049->146050 146050->146044 146052 3cd3536 2 API calls 146055 3cd1d9e 146052->146055 146053 3cd1d3c 41 API calls 
146053->146055 146054 3cd3600 7 API calls 146054->146055 146055->146049 146055->146052 146055->146053 146055->146054 146066 3cd408d 146055->146066 146071 3cd3eb6 146055->146071 146058 3cd51ad 146057->146058 146059 3cd51ee 146057->146059 146079 3cd3508 EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection 146058->146079 146061 3cd51b7 146062 3cd4e27 43 API calls 146061->146062 146063 3cd51e7 146061->146063 146062->146061 146064 3cd3536 2 API calls 146063->146064 146064->146059 146065->146055 146067 3cd4095 146066->146067 146068 3cd40a7 146067->146068 146078 3cd3657 EnterCriticalSection GetProcessHeap HeapAlloc LeaveCriticalSection 146067->146078 146068->146055 146070 3cd40b7 146070->146055 146072 3cd446c 37 API calls 146071->146072 146073 3cd3ecc 146072->146073 146074 3cd3eeb 146073->146074 146077 3cd3d76 10 API calls 146073->146077 146075 3cd3536 2 API calls 146074->146075 146076 3cd3ef4 146075->146076 146076->146055 146077->146074 146078->146070 146079->146061 146080 a7fca5 146084 a7fcb9 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock std::locale::_Setgloballocale 146080->146084 146081 a7fcbf 146084->146081 146087 a7fd40 146084->146087 146111 a8762e 39 API calls 4 library calls 146084->146111 146102 a805aa 146087->146102 146088 a7fd4e 146089 a7fd5b 146088->146089 146112 a805e0 GetModuleHandleW 146089->146112 146091 a7fd62 146092 a7fd66 146091->146092 146093 a7fdd0 146091->146093 146094 a7fd6f 146092->146094 146113 a8816c 21 API calls std::locale::_Setgloballocale 146092->146113 146115 a881b7 21 API calls std::locale::_Setgloballocale 146093->146115 146114 a7ffd0 75 API calls ___scrt_uninitialize_crt 146094->146114 146098 a7fdd6 146116 a8817b 21 API calls std::locale::_Setgloballocale 146098->146116 146099 a7fd77 146099->146081 146101 a7fdde 146117 a80e90 146102->146117 146104 a805bd GetStartupInfoW 146105 a7fd46 146104->146105 146106 a87e0a 146105->146106 146118 a92f03 146106->146118 146108 a87e4d 146108->146088 146109 a87e13 
146109->146108 146124 a931b6 39 API calls 146109->146124 146111->146087 146112->146091 146113->146094 146114->146099 146115->146098 146116->146101 146117->146104 146119 a92f3e 146118->146119 146120 a92f0c 146118->146120 146119->146109 146125 a8a9ab 146120->146125 146124->146109 146126 a8a9bc 146125->146126 146127 a8a9b6 146125->146127 146131 a8a9c2 146126->146131 146177 a8e054 6 API calls std::_Lockit::_Lockit 146126->146177 146176 a8e015 6 API calls std::_Lockit::_Lockit 146127->146176 146130 a8a9d6 146130->146131 146132 a8a9da 146130->146132 146134 a8a9c7 146131->146134 146185 a87134 39 API calls std::locale::_Setgloballocale 146131->146185 146178 a8db5d 14 API calls 2 library calls 146132->146178 146153 a92d0e 146134->146153 146137 a8a9e6 146138 a8a9ee 146137->146138 146139 a8aa03 146137->146139 146179 a8e054 6 API calls std::_Lockit::_Lockit 146138->146179 146181 a8e054 6 API calls std::_Lockit::_Lockit 146139->146181 146142 a8aa0f 146143 a8aa22 146142->146143 146144 a8aa13 146142->146144 146183 a8a71e 14 API calls __dosmaperr 146143->146183 146182 a8e054 6 API calls std::_Lockit::_Lockit 146144->146182 146148 a8aa00 146148->146131 146149 a8a9fa 146180 a8abdb 14 API calls __dosmaperr 146149->146180 146150 a8aa2d 146184 a8abdb 14 API calls __dosmaperr 146150->146184 146152 a8aa34 146152->146134 146186 a92e63 146153->146186 146158 a92d51 146158->146119 146161 a92d78 146211 a92f61 146161->146211 146162 a92d6a 146222 a8abdb 14 API calls __dosmaperr 146162->146222 146166 a92db0 146223 a853de 14 API calls __dosmaperr 146166->146223 146168 a92db5 146224 a8abdb 14 API calls __dosmaperr 146168->146224 146169 a92df7 146172 a92e40 146169->146172 146226 a92987 39 API calls 2 library calls 146169->146226 146171 a92dcb 146171->146169 146225 a8abdb 14 API calls __dosmaperr 146171->146225 146227 a8abdb 14 API calls __dosmaperr 146172->146227 146176->146126 146177->146130 146178->146137 146179->146149 146180->146148 146181->146142 146182->146149 146183->146150 146184->146152 
146187 a92e6f __FrameHandler3::FrameUnwindToState 146186->146187 146188 a92e89 146187->146188 146228 a849ca EnterCriticalSection 146187->146228 146190 a92d38 146188->146190 146231 a87134 39 API calls std::locale::_Setgloballocale 146188->146231 146197 a92a95 146190->146197 146191 a92ec5 146230 a92ee2 LeaveCriticalSection std::_Lockit::~_Lockit 146191->146230 146195 a92e99 146195->146191 146229 a8abdb 14 API calls __dosmaperr 146195->146229 146232 a87178 146197->146232 146199 a92aa7 146200 a92ac8 146199->146200 146201 a92ab6 GetOEMCP 146199->146201 146202 a92adf 146200->146202 146203 a92acd GetACP 146200->146203 146201->146202 146202->146158 146204 a8ac15 146202->146204 146203->146202 146205 a8ac53 146204->146205 146209 a8ac23 __dosmaperr 146204->146209 146243 a853de 14 API calls __dosmaperr 146205->146243 146206 a8ac3e HeapAlloc 146208 a8ac51 146206->146208 146206->146209 146208->146161 146208->146162 146209->146205 146209->146206 146242 a87694 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 146209->146242 146212 a92a95 41 API calls 146211->146212 146213 a92f81 146212->146213 146214 a93086 146213->146214 146215 a92fbe IsValidCodePage 146213->146215 146221 a92fd9 codecvt 146213->146221 146255 a8003d 146214->146255 146215->146214 146218 a92fd0 146215->146218 146217 a92da5 146217->146166 146217->146171 146219 a92ff9 GetCPInfo 146218->146219 146218->146221 146219->146214 146219->146221 146244 a92b69 146221->146244 146222->146158 146223->146168 146224->146158 146225->146169 146226->146172 146227->146158 146228->146195 146229->146191 146230->146188 146233 a87196 146232->146233 146239 a8a8f0 39 API calls 3 library calls 146233->146239 146235 a871b7 146240 a8ac63 39 API calls __Getctype 146235->146240 146237 a871cd 146241 a8acc1 39 API calls ctype 146237->146241 146239->146235 146240->146237 146242->146209 146243->146208 146245 a92b91 GetCPInfo 146244->146245 146246 a92c5a 146244->146246 146245->146246 146247 a92ba9 146245->146247 146249 a8003d 
__ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 146246->146249 146262 a8ece1 146247->146262 146251 a92d0c 146249->146251 146251->146214 146254 a8efd1 43 API calls 146254->146246 146256 a80045 146255->146256 146257 a80046 IsProcessorFeaturePresent 146255->146257 146256->146217 146259 a8072d 146257->146259 146337 a806f0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 146259->146337 146261 a80810 146261->146217 146263 a87178 ctype 39 API calls 146262->146263 146264 a8ed01 146263->146264 146282 a91e03 146264->146282 146266 a8edbd 146268 a8003d __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 146266->146268 146267 a8edb5 146285 a7faaa 14 API calls ___std_exception_copy 146267->146285 146271 a8ede0 146268->146271 146269 a8ed2e 146269->146266 146269->146267 146270 a8ac15 std::_Locinfo::_Locinfo_ctor 15 API calls 146269->146270 146273 a8ed53 ctype codecvt 146269->146273 146270->146273 146277 a8efd1 146271->146277 146273->146267 146274 a91e03 ctype MultiByteToWideChar 146273->146274 146275 a8ed9c 146274->146275 146275->146267 146276 a8eda3 GetStringTypeW 146275->146276 146276->146267 146278 a87178 ctype 39 API calls 146277->146278 146279 a8efe4 146278->146279 146288 a8ede2 146279->146288 146286 a91d6b 146282->146286 146285->146266 146287 a91d7c MultiByteToWideChar 146286->146287 146287->146269 146289 a8edfd ctype 146288->146289 146290 a91e03 ctype MultiByteToWideChar 146289->146290 146295 a8ee41 146290->146295 146291 a8efbc 146292 a8003d __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 146291->146292 146294 a8efcf 146292->146294 146293 a8ef0f 146325 a7faaa 14 API calls ___std_exception_copy 146293->146325 146294->146254 146295->146291 146295->146293 146296 a8ac15 std::_Locinfo::_Locinfo_ctor 15 API calls 146295->146296 146298 a8ee67 ctype 146295->146298 146296->146298 146298->146293 146299 a91e03 ctype MultiByteToWideChar 146298->146299 146300 a8eeb0 146299->146300 
146300->146293 146316 a8e1d3 146300->146316 146303 a8ef1e 146305 a8efa7 146303->146305 146307 a8ac15 std::_Locinfo::_Locinfo_ctor 15 API calls 146303->146307 146309 a8ef30 ctype 146303->146309 146304 a8eee6 146304->146293 146306 a8e1d3 std::_Locinfo::_Locinfo_ctor 6 API calls 146304->146306 146324 a7faaa 14 API calls ___std_exception_copy 146305->146324 146306->146293 146307->146309 146309->146305 146310 a8e1d3 std::_Locinfo::_Locinfo_ctor 6 API calls 146309->146310 146311 a8ef73 146310->146311 146311->146305 146322 a91ebd WideCharToMultiByte _Fputc 146311->146322 146313 a8ef8d 146313->146305 146314 a8ef96 146313->146314 146323 a7faaa 14 API calls ___std_exception_copy 146314->146323 146326 a8dd60 146316->146326 146320 a8e1e4 146320->146293 146320->146303 146320->146304 146321 a8e224 LCMapStringW 146321->146320 146322->146313 146323->146293 146324->146293 146325->146291 146330 a8de5f 146326->146330 146329 a8e230 5 API calls std::_Locinfo::_Locinfo_ctor 146329->146321 146331 a8dd76 146330->146331 146332 a8de8f 146330->146332 146331->146320 146331->146329 146332->146331 146333 a8dd94 std::_Lockit::_Lockit LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 146332->146333 146334 a8dea3 146333->146334 146334->146331 146335 a8dea9 GetProcAddress 146334->146335 146335->146331 146336 a8deb9 std::_Lockit::_Lockit 146335->146336 146336->146331 146337->146261 146338 a2f3c4 146339 a2f3cd 146338->146339 146340 a2f698 std::runtime_error::runtime_error _strlen 146339->146340 146343 a2f5c9 146339->146343 146363 a21d90 15 API calls 146339->146363 146364 a21de0 20 API calls 146339->146364 146341 a2f734 FreeLibrary 146340->146341 146349 a2f782 146340->146349 146351 a2f75f 146341->146351 146344 a2f6a0 146343->146344 146345 a2f676 146343->146345 146366 a84870 15 API calls 146344->146366 146365 a84870 15 API calls 146345->146365 146352 a2f7bb FreeLibrary 146349->146352 146359 a34c60 146349->146359 146367 a24120 39 API calls task 146351->146367 146357 a2f82a 
std::ios_base::failure::failure 146352->146357 146355 a2f77a 146368 a24120 39 API calls task 146357->146368 146360 a34ccd 146359->146360 146362 a34c80 std::ios_base::failure::failure task Concurrency::task_continuation_context::task_continuation_context 146359->146362 146360->146362 146369 a219b0 146360->146369 146362->146349 146363->146339 146364->146339 146365->146340 146366->146340 146367->146355 146368->146355 146370 a219d0 Concurrency::task_continuation_context::task_continuation_context 146369->146370 146372 a219dd task Concurrency::task_continuation_context::task_continuation_context 146370->146372 146380 a33fc0 41 API calls std::_Xinvalid_argument 146370->146380 146377 a213d0 146372->146377 146374 a21a16 std::ios_base::failure::failure task 146375 a21a89 std::ios_base::failure::failure Concurrency::task_continuation_context::task_continuation_context 146374->146375 146381 a33410 39 API calls allocator 146374->146381 146375->146362 146382 a213b0 146377->146382 146379 a213f0 std::ios_base::failure::failure allocator Concurrency::task_continuation_context::task_continuation_context 146379->146374 146380->146372 146381->146375 146385 a34bc0 146382->146385 146386 a34bd0 allocator 146385->146386 146389 a21370 146386->146389 146390 a21378 allocator 146389->146390 146391 a21388 146390->146391 146392 a21396 146390->146392 146396 a21460 146391->146396 146394 a21391 146392->146394 146404 a33220 146392->146404 146394->146379 146397 a21477 146396->146397 146398 a2147c 146396->146398 146407 a33d80 RaiseException stdext::threads::lock_error::lock_error CallUnexpected 146397->146407 146400 a33220 allocator 16 API calls 146398->146400 146403 a21485 146400->146403 146402 a214a0 146402->146394 146403->146402 146408 a8458f 39 API calls 2 library calls 146403->146408 146409 a7fb05 146404->146409 146407->146398 146412 a7fb0a 146409->146412 146411 a3322c 146411->146394 146412->146411 146415 a7fb26 std::_Facet_Register 146412->146415 146419 a84a40 146412->146419 146426 a87694 
EnterCriticalSection LeaveCriticalSection std::_Facet_Register 146412->146426 146414 a80371 stdext::threads::lock_error::lock_error 146428 a8106c RaiseException 146414->146428 146415->146414 146427 a8106c RaiseException 146415->146427 146418 a8038e 146424 a8ac15 __dosmaperr 146419->146424 146420 a8ac53 146430 a853de 14 API calls __dosmaperr 146420->146430 146421 a8ac3e HeapAlloc 146423 a8ac51 146421->146423 146421->146424 146423->146412 146424->146420 146424->146421 146429 a87694 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 146424->146429 146426->146412 146427->146414 146428->146418 146429->146424 146430->146423 146431 a7c900 146438 a23200 146431->146438 146433 a7c937 std::runtime_error::runtime_error 146434 a7c9a0 146433->146434 146442 a7c8c0 146433->146442 146445 a24120 39 API calls task 146434->146445 146436 a7c9fb 146439 a23231 std::ios_base::failure::failure 146438->146439 146446 a214f0 146439->146446 146441 a2325a 146441->146433 146453 a7ca80 146442->146453 146444 a7c8d4 146444->146433 146445->146436 146447 a21507 Concurrency::task_continuation_context::task_continuation_context 146446->146447 146449 a21511 std::ios_base::failure::failure task Concurrency::task_continuation_context::task_continuation_context 146447->146449 146452 a33fc0 41 API calls std::_Xinvalid_argument 146447->146452 146450 a213d0 Concurrency::task_continuation_context::task_continuation_context 41 API calls 146449->146450 146451 a21539 std::ios_base::failure::failure task Concurrency::task_continuation_context::task_continuation_context 146449->146451 146450->146451 146451->146441 146452->146449 146454 a7cae4 146453->146454 146456 a7ca9d task Concurrency::task_continuation_context::task_continuation_context 146453->146456 146457 a7c700 146454->146457 146456->146444 146458 a7c720 Concurrency::task_continuation_context::task_continuation_context 146457->146458 146460 a7c72d task Concurrency::task_continuation_context::task_continuation_context 146458->146460 146465 a33fc0 
41 API calls std::_Xinvalid_argument 146458->146465 146461 a213d0 Concurrency::task_continuation_context::task_continuation_context 41 API calls 146460->146461 146462 a7c766 std::ios_base::failure::failure task Concurrency::task_continuation_context::task_continuation_context 146461->146462 146464 a7c7d6 Concurrency::task_continuation_context::task_continuation_context 146462->146464 146466 a33410 39 API calls allocator 146462->146466 146464->146456 146465->146460 146466->146464 146467 a7fe5f 146468 a7fe68 146467->146468 146475 a8013c IsProcessorFeaturePresent 146468->146475 146470 a7fe74 146476 a82f0e 10 API calls 2 library calls 146470->146476 146472 a7fe79 146474 a7fe7d 146472->146474 146477 a82f2d 7 API calls 2 library calls 146472->146477 146475->146470 146476->146472 146477->146474 146478 a314b9 146479 a314c2 146478->146479 146482 a316a9 146479->146482 146488 a31779 146479->146488 146591 a21d90 15 API calls 146479->146591 146592 a21de0 20 API calls 146479->146592 146483 a31781 146482->146483 146484 a31757 146482->146484 146594 a84870 15 API calls 146483->146594 146593 a84870 15 API calls 146484->146593 146556 a33fe0 146488->146556 146490 a319ac 146491 a31a84 146490->146491 146492 a31a5a 146490->146492 146598 a84870 15 API calls 146491->146598 146597 a84870 15 API calls 146492->146597 146493 a31cbf 146498 a31d97 146493->146498 146499 a31d6d 146493->146499 146602 a84870 15 API calls 146498->146602 146601 a84870 15 API calls 146499->146601 146501 a317b3 146501->146490 146512 a31a7c 146501->146512 146595 a21d90 15 API calls 146501->146595 146596 a21de0 20 API calls 146501->146596 146504 a31fd2 146506 a32080 146504->146506 146507 a320aa 146504->146507 146605 a84870 15 API calls 146506->146605 146606 a84870 15 API calls 146507->146606 146509 a322ed 146514 a323c4 146509->146514 146515 a3239a 146509->146515 146512->146493 146517 a31d8f 146512->146517 146599 a21d90 15 API calls 146512->146599 146600 a21de0 20 API calls 146512->146600 146610 a84870 15 API calls 
146514->146610 146609 a84870 15 API calls 146515->146609 146517->146504 146529 a320a2 146517->146529 146603 a21d90 15 API calls 146517->146603 146604 a21de0 20 API calls 146517->146604 146520 a325ff 146522 a326d6 146520->146522 146523 a326ac 146520->146523 146614 a84870 15 API calls 146522->146614 146613 a84870 15 API calls 146523->146613 146526 a32911 146531 a329e8 146526->146531 146532 a329be 146526->146532 146529->146509 146533 a323bc 146529->146533 146607 a21d90 15 API calls 146529->146607 146608 a21de0 20 API calls 146529->146608 146530 a33011 146537 a3306a LoadLibraryA CreateThread WaitForSingleObject FreeLibrary 146530->146537 146538 a330ce 146530->146538 146618 a84870 15 API calls 146531->146618 146617 a84870 15 API calls 146532->146617 146533->146520 146539 a326ce 146533->146539 146611 a21d90 15 API calls 146533->146611 146612 a21de0 20 API calls 146533->146612 146537->146538 146643 3cd21f5 76 API calls 146537->146643 146539->146526 146552 a329e0 146539->146552 146615 a21d90 15 API calls 146539->146615 146616 a21de0 20 API calls 146539->146616 146541 a32cd3 146621 a84870 15 API calls 146541->146621 146542 a32cfd 146622 a84870 15 API calls 146542->146622 146543 a32c26 146543->146541 146543->146542 146547 a32f42 146549 a33019 146547->146549 146550 a32fef 146547->146550 146626 a84870 15 API calls 146549->146626 146625 a84870 15 API calls 146550->146625 146552->146543 146555 a32cf5 146552->146555 146619 a21d90 15 API calls 146552->146619 146620 a21de0 20 API calls 146552->146620 146555->146530 146555->146547 146623 a21d90 15 API calls 146555->146623 146624 a21de0 20 API calls 146555->146624 146571 a3400f 146556->146571 146558 a34bae 146558->146501 146559 a34274 146632 a84870 15 API calls 146559->146632 146560 a3424a 146631 a84870 15 API calls 146560->146631 146561 a341c0 146561->146559 146561->146560 146565 a34473 146567 a34527 146565->146567 146568 a344fd 146565->146568 146636 a84870 15 API calls 146567->146636 146635 a84870 15 API calls 146568->146635 
146571->146561 146574 a3426c 146571->146574 146629 a21d90 15 API calls 146571->146629 146630 a21de0 20 API calls 146571->146630 146574->146565 146584 a3451f 146574->146584 146633 a21d90 15 API calls 146574->146633 146634 a21de0 20 API calls 146574->146634 146575 a347a1 146639 a84870 15 API calls 146575->146639 146576 a347cb 146640 a84870 15 API calls 146576->146640 146577 a34717 146577->146575 146577->146576 146582 a349bb 146582->146558 146585 a34a6d GetModuleHandleA GetProcAddress 146582->146585 146584->146577 146586 a347c3 146584->146586 146637 a21d90 15 API calls 146584->146637 146638 a21de0 20 API calls 146584->146638 146587 a34a9f ctype 146585->146587 146586->146582 146641 a21d90 15 API calls 146586->146641 146642 a21de0 20 API calls 146586->146642 146588 a34b3a VirtualProtect VirtualProtect 146587->146588 146627 a80910 146588->146627 146591->146479 146592->146479 146593->146488 146594->146488 146595->146501 146596->146501 146597->146512 146598->146512 146599->146512 146600->146512 146601->146517 146602->146517 146603->146517 146604->146517 146605->146529 146606->146529 146607->146529 146608->146529 146609->146533 146610->146533 146611->146533 146612->146533 146613->146539 146614->146539 146615->146539 146616->146539 146617->146552 146618->146552 146619->146552 146620->146552 146621->146555 146622->146555 146623->146555 146624->146555 146625->146530 146626->146530 146628 a34b84 VirtualProtect 146627->146628 146628->146558 146629->146571 146630->146571 146631->146574 146632->146574 146633->146574 146634->146574 146635->146584 146636->146584 146637->146584 146638->146584 146639->146586 146640->146586 146641->146586 146642->146586 146644 a35d29 146656 a35d32 146644->146656 146645 a35f2e 146647 a36006 146645->146647 146648 a35fdc 146645->146648 146919 a84870 15 API calls 146647->146919 146918 a84870 15 API calls 146648->146918 146653 a36250 146654 a36327 146653->146654 146655 a362fd 146653->146655 146923 a84870 15 API calls 146654->146923 146922 a84870 15 API 

                      Control-flow Graph

                      APIs
                        • Part of subcall function 03CD3508: EnterCriticalSection.KERNEL32(03CD84D4,?,?,03CD3BE5,?,03CD2251), ref: 03CD3512
                        • Part of subcall function 03CD3508: GetProcessHeap.KERNEL32(00000008,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD351B
                        • Part of subcall function 03CD3508: HeapAlloc.KERNEL32(00000000,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD3522
                        • Part of subcall function 03CD3508: LeaveCriticalSection.KERNEL32(03CD84D4,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD352B
                      • GetCurrentHwProfileA.ADVAPI32(?,?,0000011C), ref: 03CD210B
                      • GetSystemInfo.KERNEL32(?,?,0000011C), ref: 03CD2132
                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 03CD2166
                      • EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 03CD21E8
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalHeapSection$AllocCurrentDevicesDisplayEnterEnumGlobalInfoLeaveMemoryProcessProfileStatusSystem
                      • String ID: - CPU: %s (%d cores)$- HWID: %s$- RAM: %d GB$- VideoAdapter #%d: %s$@
                      • API String ID: 3018433743-565344305
                      • Opcode ID: 102254f9594460b48ed672f7fda808a53c6df6d5f81d9d416d07b3e94975a87f
                      • Instruction ID: b72367c642aeec6094307ad2ff4f53d33d5a59c43a0fe165c7367ce7d5f8a8e0
                      • Opcode Fuzzy Hash: 102254f9594460b48ed672f7fda808a53c6df6d5f81d9d416d07b3e94975a87f
                      • Instruction Fuzzy Hash: F241B1716043459BD725EF14D885BABB7E8EB88310F04492DFA89DB241E771E944CBA2

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 5881 3cd1c94-3cd1ccf call 3cd46d4 5884 3cd1d2f-3cd1d3b 5881->5884 5885 3cd1cd1-3cd1cf2 call 3cd3576 5881->5885 5888 3cd1cf6-3cd1cf8 5885->5888 5889 3cd1cfa-3cd1d03 5888->5889 5890 3cd1d05-3cd1d0a 5888->5890 5889->5884 5890->5884 5891 3cd1d0c-3cd1d29 CryptProtectData 5890->5891 5891->5884
                      APIs
                        • Part of subcall function 03CD46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03CD4812), ref: 03CD46E6
                        • Part of subcall function 03CD46D4: LoadLibraryA.KERNEL32(ntdl,?,?,?,?,?,?,?,03CD4812), ref: 03CD46F3
                      • CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 03CD1D29
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: CryptDataHandleLibraryLoadModuleProtect
                      • String ID: CRYPT32.dll$Poverty is the parent of crime.
                      • API String ID: 1163816349-1885057629
                      • Opcode ID: ace7914efc292c826ac67652f20f64e7b3fdd98af378947a8c70ba61d1edbf32
                      • Instruction ID: a14d7ca9fa25f49fb2602a87287d94709dab0c3820cde1a65abc0358d9d051d5
                      • Opcode Fuzzy Hash: ace7914efc292c826ac67652f20f64e7b3fdd98af378947a8c70ba61d1edbf32
                      • Instruction Fuzzy Hash: 76114DB5D0020CABCB11DF95C8808EFBBBDEB48210F14456AE905F7244E770AE05CBA0

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 0 3cd21f5-3cd2212 InitializeCriticalSectionAndSpinCount 1 3cd2219-3cd222f CreateMutexA 0->1 2 3cd2214 0->2 4 3cd2678-3cd267a ExitProcess 1->4 5 3cd2235-3cd2240 GetLastError 1->5 3 3cd2680 2->3 5->4 6 3cd2246-3cd2255 call 3cd3bd2 5->6 9 3cd264f-3cd266f DeleteCriticalSection 6->9 10 3cd225b-3cd2285 call 3cd3576 call 3cd47e6 6->10 9->4 15 3cd228b-3cd22d0 call 3cd35db call 3cd484b 10->15 16 3cd2647-3cd264a call 3cd3536 10->16 15->16 22 3cd22d6-3cd230a call 3cd3508 * 3 15->22 16->9 29 3cd25df-3cd262e call 3cd3d76 call 3cd3536 * 4 call 3cd3bfb 22->29 30 3cd2310-3cd2317 22->30 60 3cd2631-3cd2637 call 3cd536d 29->60 30->29 32 3cd231d-3cd2324 30->32 32->29 33 3cd232a-3cd2366 call 3cd46d4 32->33 33->29 39 3cd236c-3cd2381 call 3cd1f2d 33->39 45 3cd23c1-3cd23db 39->45 46 3cd2383-3cd23ba call 3cd46d4 39->46 55 3cd23dd-3cd23df ExitProcess 45->55 56 3cd23e5-3cd2410 call 3cd363b 45->56 46->45 54 3cd23bc 46->54 54->3 64 3cd241a-3cd2445 call 3cd363b 56->64 65 3cd2412-3cd2414 ExitProcess 56->65 63 3cd263c-3cd2643 60->63 63->16 66 3cd2645 63->66 70 3cd244f-3cd24bd call 3cd363b call 3cd4ba2 CreateThread * 2 WaitForMultipleObjects call 3cd19df call 3cd2054 64->70 71 3cd2447-3cd2449 ExitProcess 64->71 66->60 80 3cd24c7-3cd24ce 70->80 81 3cd2501-3cd251d ObtainUserAgentString 80->81 82 3cd24d0-3cd24d9 80->82 85 3cd251f-3cd2532 call 3cd35db 81->85 86 3cd2535-3cd25a0 call 3cd5239 * 6 call 3cd3508 81->86 83 3cd24ff 82->83 84 3cd24db-3cd24f5 82->84 83->80 84->83 85->86 104 3cd25b2-3cd25da call 3cd363b call 3cd5239 * 2 call 3cd3536 86->104 105 3cd25a2-3cd25ac GetModuleFileNameW 86->105 104->29 105->104
                      APIs
                      • InitializeCriticalSectionAndSpinCount.KERNEL32(03CD84D4,00000DA3), ref: 03CD220A
                      • CreateMutexA.KERNEL32(00000000,00000000,1e7f31ac-1494-47cc-9633-054c20e7432e), ref: 03CD2222
                      • GetLastError.KERNEL32 ref: 03CD2235
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
                      • String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$1e7f31ac-1494-47cc-9633-054c20e7432e$@$kernel32$shell32$systemd
                      • API String ID: 2005177960-3436640841
                      • Opcode ID: 9ac01e6a725ba1e834275bf419cd8bd9771ca392580e2a2f903e9a2115d65b90
                      • Instruction ID: 7ffd725ec8e185b6f31b3d4c6e674419bd1f3f948d39d994c9295c1199a1c4eb
                      • Opcode Fuzzy Hash: 9ac01e6a725ba1e834275bf419cd8bd9771ca392580e2a2f903e9a2115d65b90
                      • Instruction Fuzzy Hash: A4C1E034904388AAEB16FFA0EC59BEC7BB5AF05300F044099F701EE2D5DB755A56DB22
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID:
                      • String ID: d
                      • API String ID: 0-2564639436
                      • Opcode ID: 99944d4ad3552910ec763c1fe61a12c948f8ac68fe7bda139709f00a7b1aa6a5
                      • Instruction ID: afe81be8ce81833564baffecbc3546e5077d9a7ca4dc104b00d6c80f6c6b35a6
                      • Opcode Fuzzy Hash: 99944d4ad3552910ec763c1fe61a12c948f8ac68fe7bda139709f00a7b1aa6a5
                      • Instruction Fuzzy Hash: 98144771D04A2CCACB66DF68DC916AEB775FF56344F1082E9E40A7A241EB319AD1CF40

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 2540 3cd4ba2-3cd4bb2 2541 3cd4bb8-3cd4beb call 3cd46d4 2540->2541 2542 3cd4e23-3cd4e26 2540->2542 2545 3cd4bf1-3cd4c00 call 3cd46d4 2541->2545 2546 3cd4e22 2541->2546 2545->2546 2549 3cd4c06-3cd4c5f GetSystemMetrics * 2 call 3cd3576 * 4 2545->2549 2546->2542 2559 3cd4c65-3cd4c72 2549->2559 2560 3cd4e20-3cd4e21 2549->2560 2562 3cd4c78-3cd4c89 2559->2562 2563 3cd4e17-3cd4e1a ReleaseDC 2559->2563 2560->2546 2562->2563 2565 3cd4c8f-3cd4d1e call 3cd35db 2562->2565 2563->2560 2565->2563 2570 3cd4d24-3cd4d3f 2565->2570 2572 3cd4d45-3cd4d4f 2570->2572 2573 3cd4e10 2570->2573 2575 3cd4e09 2572->2575 2576 3cd4d55-3cd4d74 2572->2576 2573->2563 2575->2573 2576->2575 2578 3cd4d7a-3cd4d8c call 3cd3508 2576->2578 2578->2575 2581 3cd4d8e-3cd4df9 call 3cd354b * 3 call 3cd3d76 2578->2581 2589 3cd4dfe-3cd4e04 call 3cd3536 2581->2589 2589->2575
                      APIs
                        • Part of subcall function 03CD46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03CD4812), ref: 03CD46E6
                        • Part of subcall function 03CD46D4: LoadLibraryA.KERNEL32(ntdl,?,?,?,?,?,?,?,03CD4812), ref: 03CD46F3
                      • GetSystemMetrics.USER32(0000004C,?,0000011C), ref: 03CD4C13
                      • GetSystemMetrics.USER32(0000004D,?,0000011C), ref: 03CD4C1A
                      • ReleaseDC.USER32(00000000,00000000,?,?,0000011C), ref: 03CD4E1A
                        • Part of subcall function 03CD3508: EnterCriticalSection.KERNEL32(03CD84D4,?,?,03CD3BE5,?,03CD2251), ref: 03CD3512
                        • Part of subcall function 03CD3508: GetProcessHeap.KERNEL32(00000008,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD351B
                        • Part of subcall function 03CD3508: HeapAlloc.KERNEL32(00000000,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD3522
                        • Part of subcall function 03CD3508: LeaveCriticalSection.KERNEL32(03CD84D4,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD352B
                        • Part of subcall function 03CD3D76: EnterCriticalSection.KERNEL32(03CD84D4,?,0000011C), ref: 03CD3D88
                        • Part of subcall function 03CD3536: GetProcessHeap.KERNEL32(00000000,00000000,03CD264F), ref: 03CD353D
                        • Part of subcall function 03CD3536: HeapFree.KERNEL32(00000000), ref: 03CD3544
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$CriticalSection$EnterMetricsProcessSystem$AllocFreeHandleLeaveLibraryLoadModuleRelease
                      • String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$U$er32$gdi3
                      • API String ID: 1661398203-1028866296
                      • Opcode ID: a571c1c2785f5413cad09b1a8f202a0a2bb80665f07c71d140f2f7b165969ba1
                      • Instruction ID: 21bec3837eb6cf3978de37e8babd64a0a4ef834b7223ff4578b08d933df3d2f3
                      • Opcode Fuzzy Hash: a571c1c2785f5413cad09b1a8f202a0a2bb80665f07c71d140f2f7b165969ba1
                      • Instruction Fuzzy Hash: B5719D75D01308ABDB25EFA5EC45BAEBB78EF04700F14805AF605EB290EB709A14DB65

                      Control-flow Graph

                      APIs
                        • Part of subcall function 03CD407D: GetFileAttributesW.KERNEL32(016200F8,03CD1035,016200F8,?), ref: 03CD407E
                        • Part of subcall function 03CD3508: EnterCriticalSection.KERNEL32(03CD84D4,?,?,03CD3BE5,?,03CD2251), ref: 03CD3512
                        • Part of subcall function 03CD3508: GetProcessHeap.KERNEL32(00000008,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD351B
                        • Part of subcall function 03CD3508: HeapAlloc.KERNEL32(00000000,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD3522
                        • Part of subcall function 03CD3508: LeaveCriticalSection.KERNEL32(03CD84D4,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD352B
                      • EnterCriticalSection.KERNEL32(03CD84D4), ref: 03CD44F5
                      • LeaveCriticalSection.KERNEL32(03CD84D4), ref: 03CD4541
                      • EnterCriticalSection.KERNEL32(03CD84D4), ref: 03CD45C4
                      • LeaveCriticalSection.KERNEL32(03CD84D4), ref: 03CD45FD
                      • EnterCriticalSection.KERNEL32(03CD84D4), ref: 03CD463A
                      • LeaveCriticalSection.KERNEL32(03CD84D4), ref: 03CD467D
                      • EnterCriticalSection.KERNEL32(03CD84D4), ref: 03CD4696
                      • LeaveCriticalSection.KERNEL32(03CD84D4), ref: 03CD46BF
                        • Part of subcall function 03CD42EC: GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,03CD4574), ref: 03CD4305
                        • Part of subcall function 03CD42EC: GetProcAddress.KERNEL32(00000000,?,?,?,?,03CD4574), ref: 03CD430E
                        • Part of subcall function 03CD42EC: GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,03CD4574), ref: 03CD431F
                        • Part of subcall function 03CD42EC: GetProcAddress.KERNEL32(00000000,?,?,?,?,03CD4574), ref: 03CD4322
                        • Part of subcall function 03CD42EC: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,03CD4574), ref: 03CD43A4
                        • Part of subcall function 03CD42EC: GetCurrentProcess.KERNEL32(03CD4574,00000000,00000000,00000002,?,?,?,?,03CD4574), ref: 03CD43C0
                        • Part of subcall function 03CD42EC: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,03CD4574), ref: 03CD43CF
                        • Part of subcall function 03CD42EC: CloseHandle.KERNEL32(03CD4574,?,?,?,?,03CD4574), ref: 03CD43FF
                        • Part of subcall function 03CD3536: GetProcessHeap.KERNEL32(00000000,00000000,03CD264F), ref: 03CD353D
                        • Part of subcall function 03CD3536: HeapFree.KERNEL32(00000000), ref: 03CD3544
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$HandleHeapProcess$AddressModuleProc$AllocAttributesCloseCurrentDuplicateFileFreeOpen
                      • String ID: @$\??\%s$\Network\Cookies
                      • API String ID: 3156071667-2791195959
                      • Opcode ID: 7823d7036443e71484c81b2afa4b790fa893b9b21fdfec352221815b9ba217b9
                      • Instruction ID: a557bbf93cf2d5e508027207b880b06ea4370d3b94d2e9d9f7ca05d5c115aa0f
                      • Opcode Fuzzy Hash: 7823d7036443e71484c81b2afa4b790fa893b9b21fdfec352221815b9ba217b9
                      • Instruction Fuzzy Hash: 0B714A79940308AFEB48EF90D859FADBBB5FB04704F108025F701EA1D1EBB0AA55DB51

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 2670 3cd1000-3cd1018 2671 3cd101e-3cd1028 2670->2671 2672 3cd1412-3cd1418 2670->2672 2671->2672 2673 3cd102e-3cd1037 call 3cd407d 2671->2673 2673->2672 2676 3cd103d-3cd1059 call 3cd3508 * 2 2673->2676 2681 3cd105f-3cd1061 2676->2681 2682 3cd1404-3cd140d call 3cd3536 * 2 2676->2682 2681->2682 2683 3cd1067-3cd116d call 3cd3600 2681->2683 2682->2672 2690 3cd13d5-3cd1401 call 3cd3576 * 3 2683->2690 2691 3cd1173-3cd1192 call 3cd363b * 2 2683->2691 2690->2682 2701 3cd1198-3cd11b7 call 3cd3600 2691->2701 2702 3cd13ba 2691->2702 2707 3cd11bd-3cd11cf call 3cd372b 2701->2707 2708 3cd1769-3cd1770 2701->2708 2705 3cd13bd-3cd13c4 2702->2705 2709 3cd13cd-3cd13cf 2705->2709 2707->2708 2714 3cd11d5-3cd11e7 call 3cd372b 2707->2714 2708->2702 2711 3cd1776-3cd1794 call 3cd363b call 3cd3b60 2708->2711 2709->2690 2709->2691 2721 3cd17eb-3cd17f0 2711->2721 2722 3cd1796-3cd17e3 call 3cd3508 call 3cd3600 call 3cd3eb6 2711->2722 2714->2708 2720 3cd11ed-3cd120f call 3cd363b call 3cd3b60 2714->2720 2741 3cd171e-3cd1749 call 3cd40ba 2720->2741 2742 3cd1215-3cd121b 2720->2742 2723 3cd199b-3cd19d2 call 3cd3600 call 3cd3eb6 2721->2723 2724 3cd17f6-3cd17fb 2721->2724 2722->2721 2739 3cd19d7-3cd19da 2723->2739 2724->2723 2728 3cd1801-3cd1806 2724->2728 2728->2723 2732 3cd180c-3cd1811 2728->2732 2732->2723 2736 3cd1817-3cd181c 2732->2736 2736->2723 2740 3cd1822-3cd1827 2736->2740 2739->2705 2740->2723 2744 3cd182d-3cd1832 2740->2744 2752 3cd152d-3cd1534 call 3cd3536 2741->2752 2753 3cd174f-3cd175a call 3cd372b 2741->2753 2742->2741 2746 3cd1221-3cd1227 2742->2746 2744->2723 2748 3cd1838-3cd183d 2744->2748 2746->2741 2750 3cd122d-3cd1233 2746->2750 2748->2723 2751 3cd1843-3cd1848 2748->2751 2750->2741 2754 3cd1239-3cd123f 2750->2754 2751->2723 2756 3cd184e-3cd1853 2751->2756 2752->2702 2753->2752 2763 3cd1760-3cd1762 2753->2763 2754->2741 2755 3cd1245-3cd124b 2754->2755 2755->2741 2760 3cd1251-3cd1257 2755->2760 2756->2723 2761 3cd1859-3cd185e 2756->2761 
2760->2741 2764 3cd125d-3cd1263 2760->2764 2761->2702 2765 3cd1864-3cd1878 call 3cd446c 2761->2765 2763->2708 2764->2741 2766 3cd1269-3cd126f 2764->2766 2771 3cd187e-3cd1883 2765->2771 2772 3cd14b4-3cd14be call 3cd3536 2765->2772 2766->2741 2768 3cd1275-3cd127b 2766->2768 2768->2741 2770 3cd1281-3cd1287 2768->2770 2770->2741 2774 3cd128d-3cd1293 2770->2774 2771->2772 2773 3cd1889-3cd18a1 call 3cd36f1 2771->2773 2772->2702 2773->2772 2781 3cd18a7-3cd18bf call 3cd36f1 2773->2781 2774->2741 2778 3cd1299-3cd129f 2774->2778 2778->2741 2780 3cd12a5-3cd12ab 2778->2780 2780->2741 2782 3cd12b1-3cd12b7 2780->2782 2781->2772 2787 3cd18c5-3cd18db call 3cd369c 2781->2787 2782->2741 2784 3cd12bd-3cd12c3 2782->2784 2784->2741 2786 3cd12c9-3cd12cf 2784->2786 2786->2741 2788 3cd12d5-3cd12db 2786->2788 2787->2772 2793 3cd18e1-3cd18ed call 3cd3625 2787->2793 2788->2741 2790 3cd12e1-3cd12e7 2788->2790 2790->2741 2792 3cd12ed-3cd12f3 2790->2792 2792->2741 2794 3cd12f9-3cd12ff 2792->2794 2800 3cd14ad-3cd14af call 3cd3536 2793->2800 2801 3cd18f3-3cd1906 call 3cd1a62 2793->2801 2794->2741 2795 3cd1305-3cd130b 2794->2795 2795->2741 2797 3cd1311-3cd1317 2795->2797 2797->2741 2799 3cd131d-3cd1323 2797->2799 2799->2741 2802 3cd1329-3cd132f 2799->2802 2800->2772 2801->2800 2808 3cd190c-3cd1911 2801->2808 2802->2741 2805 3cd1335-3cd133b 2802->2805 2805->2741 2807 3cd1341-3cd1347 2805->2807 2810 3cd134d-3cd1353 2807->2810 2811 3cd168c-3cd16c1 call 3cd40ba 2807->2811 2808->2800 2809 3cd1917-3cd1929 call 3cd1c94 2808->2809 2818 3cd198e-3cd1996 call 3cd3536 2809->2818 2819 3cd192b-3cd1974 call 3cd1ba5 call 3cd3600 call 3cd3d76 2809->2819 2810->2811 2814 3cd1359-3cd135f 2810->2814 2811->2772 2820 3cd16c7-3cd16d2 call 3cd372b 2811->2820 2814->2811 2817 3cd1365-3cd136b 2814->2817 2821 3cd1371-3cd1377 2817->2821 2822 3cd1662-3cd1687 EnterCriticalSection call 3cd4e27 LeaveCriticalSection 2817->2822 2818->2800 2856 3cd1979-3cd198b call 3cd3536 * 2 2819->2856 2820->2772 2835 3cd16d8-3cd1719 call 3cd3efc 
2820->2835 2821->2822 2826 3cd137d-3cd1383 2821->2826 2822->2702 2832 3cd1419-3cd141f 2826->2832 2833 3cd1389-3cd13b4 call 3cd3efc 2826->2833 2837 3cd1425-3cd1447 call 3cd40ba 2832->2837 2838 3cd14c3-3cd14c9 2832->2838 2833->2702 2835->2772 2837->2772 2852 3cd1449-3cd1454 call 3cd372b 2837->2852 2840 3cd1539-3cd153f 2838->2840 2841 3cd14cb-3cd14ed call 3cd40ba 2838->2841 2845 3cd1576-3cd157c 2840->2845 2846 3cd1541-3cd1563 call 3cd40ba 2840->2846 2841->2752 2859 3cd14ef-3cd14fa call 3cd372b 2841->2859 2854 3cd165b 2845->2854 2855 3cd1582-3cd1588 2845->2855 2846->2752 2862 3cd1565-3cd1570 call 3cd372b 2846->2862 2852->2772 2869 3cd1456-3cd14a7 call 3cd3508 call 3cd3600 call 3cd3eb6 2852->2869 2854->2822 2855->2854 2860 3cd158e-3cd1594 2855->2860 2856->2818 2859->2752 2877 3cd14fc 2859->2877 2865 3cd15a9-3cd15af 2860->2865 2866 3cd1596-3cd159d 2860->2866 2862->2752 2880 3cd1572-3cd1574 2862->2880 2872 3cd15b1-3cd15b7 2865->2872 2873 3cd15e3-3cd160b call 3cd40ba 2865->2873 2866->2865 2869->2800 2872->2873 2879 3cd15b9-3cd15bf 2872->2879 2873->2752 2886 3cd1611-3cd161c call 3cd372b 2873->2886 2883 3cd14fe-3cd1527 call 3cd3efc 2877->2883 2879->2873 2884 3cd15c1-3cd15c7 2879->2884 2880->2883 2883->2752 2884->2873 2885 3cd15c9-3cd15cf 2884->2885 2885->2873 2889 3cd15d1-3cd15d8 call 3cd1000 2885->2889 2886->2752 2897 3cd1622-3cd1656 call 3cd3efc 2886->2897 2896 3cd15dd-3cd15de 2889->2896 2896->2702 2897->2752
                      APIs
                        • Part of subcall function 03CD407D: GetFileAttributesW.KERNEL32(016200F8,03CD1035,016200F8,?), ref: 03CD407E
                        • Part of subcall function 03CD3508: EnterCriticalSection.KERNEL32(03CD84D4,?,?,03CD3BE5,?,03CD2251), ref: 03CD3512
                        • Part of subcall function 03CD3508: GetProcessHeap.KERNEL32(00000008,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD351B
                        • Part of subcall function 03CD3508: HeapAlloc.KERNEL32(00000000,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD3522
                        • Part of subcall function 03CD3508: LeaveCriticalSection.KERNEL32(03CD84D4,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD352B
                      • EnterCriticalSection.KERNEL32(03CD84D4), ref: 03CD1668
                      • LeaveCriticalSection.KERNEL32(03CD84D4), ref: 03CD1681
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterHeapLeave$AllocAttributesFileProcess
                      • String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$Telegram
                      • API String ID: 2679619987-1537637304
                      • Opcode ID: 3e7dcb6f0682bbc60d0f429046835096f53ceb54c34c340d5420bde4745a71e0
                      • Instruction ID: e45a77bf9e2873f2342d7d37cdf7eb429d1e91b4763138cbe599ac613cda5e32
                      • Opcode Fuzzy Hash: 3e7dcb6f0682bbc60d0f429046835096f53ceb54c34c340d5420bde4745a71e0
                      • Instruction Fuzzy Hash: FD321675E003645BDB65EBA49890BFDB3B5AF40210F1D405AF606EF2A0EB748F85C792
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID:
                      • String ID: d
                      • API String ID: 0-2564639436
                      • Opcode ID: 9e867906676acc343469547a3dae0106956b39d4528ff60a8ed7538646f9ef88
                      • Instruction ID: c063e3c9417df3404226f53b2f46ff33ffe855622e9405c9331772f4ae624e9c
                      • Opcode Fuzzy Hash: 9e867906676acc343469547a3dae0106956b39d4528ff60a8ed7538646f9ef88
                      • Instruction Fuzzy Hash: 3B631671C04A2CCACB26DF68D9916AEF775FF56345F1082DAE40A3A241EB319AD1DF40

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 3775 a33fe0-a34015 3777 a342a1-a342b9 3775->3777 3778 a3401b-a34022 3775->3778 3781 a34554-a3456c 3777->3781 3782 a342bf-a342c9 3777->3782 3779 a3402d-a34033 3778->3779 3783 a340e4-a340eb 3779->3783 3784 a34039-a34050 3779->3784 3793 a34572-a34579 3781->3793 3794 a347f8-a34810 3781->3794 3785 a342da-a342e3 3782->3785 3787 a340f6-a340fc 3783->3787 3786 a3405b-a34061 3784->3786 3789 a34397-a3439e 3785->3789 3790 a342e9-a34300 3785->3790 3791 a34063-a340cb call a21dc0 call a21cc0 3786->3791 3792 a340cd-a340df 3786->3792 3795 a34102-a34109 3787->3795 3796 a341c0-a341c7 3787->3796 3801 a343a9-a343af 3789->3801 3797 a3430b-a34311 3790->3797 3791->3786 3792->3779 3802 a34584-a3458a 3793->3802 3807 a34a36-a34a3d 3794->3807 3808 a34816-a3481d 3794->3808 3803 a34114-a3411a 3795->3803 3798 a341d2-a341d8 3796->3798 3805 a34313-a3437e call a21dc0 call a21cc0 3797->3805 3806 a34380-a34392 3797->3806 3809 a34236-a3423f 3798->3809 3810 a341da-a341e1 3798->3810 3814 a34473-a3447a 3801->3814 3815 a343b5-a343bc 3801->3815 3812 a34590-a345a7 3802->3812 3813 a3463b-a34642 3802->3813 3816 a34120-a341b6 call a21d90 call a21de0 call a21d10 3803->3816 3817 a341bb 3803->3817 3805->3797 3806->3785 3825 a34a43-a34ba4 call a24c60 call a245b0 call a24a60 call a24550 GetModuleHandleA GetProcAddress call a24e20 call a24670 call a24ff0 call a24670 call a251b0 call a24670 call a25370 call a24690 call a25530 call a24690 call a25610 call a246b0 call a256f0 call a246b0 call a80910 VirtualProtect * 2 call a80910 VirtualProtect 3807->3825 3826 a34bae-a34bb1 3807->3826 3829 a34828-a3482e 3808->3829 3818 a34241-a34245 3809->3818 3819 a34246-a34248 3809->3819 3830 a341ec-a341f2 3810->3830 3831 a345b2-a345b8 3812->3831 3822 a3464d-a34653 3813->3822 3820 a34485-a3448b 3814->3820 3832 a343c7-a343cd 3815->3832 3816->3803 3817->3787 3818->3819 3835 a34274-a34299 call a84870 3819->3835 3836 a3424a-a34272 call a84870 3819->3836 3837 a344e9-a344f2 3820->3837 3838 
a3448d-a34494 3820->3838 3840 a34717-a3471e 3822->3840 3841 a34659-a34660 3822->3841 3825->3826 3845 a34834-a3484b 3829->3845 3846 a348df-a348e6 3829->3846 3847 a34234 3830->3847 3848 a341f4-a34232 call a21e00 3830->3848 3849 a34624-a34636 3831->3849 3850 a345ba-a34622 call a21dc0 call a21cc0 3831->3850 3833 a343d3-a34469 call a21d90 call a21de0 call a21d10 3832->3833 3834 a3446e 3832->3834 3833->3832 3834->3801 3896 a3429c 3835->3896 3836->3896 3862 a344f4-a344f8 3837->3862 3863 a344f9-a344fb 3837->3863 3858 a3449f-a344a5 3838->3858 3866 a34729-a3472f 3840->3866 3860 a3466b-a34671 3841->3860 3867 a34856-a3485c 3845->3867 3868 a348f1-a348f7 3846->3868 3847->3798 3848->3830 3849->3802 3850->3831 3874 a344e7 3858->3874 3875 a344a7-a344e5 call a21e00 3858->3875 3876 a34712 3860->3876 3877 a34677-a3470d call a21d90 call a21de0 call a21d10 3860->3877 3862->3863 3879 a34527-a3454c call a84870 3863->3879 3880 a344fd-a34525 call a84870 3863->3880 3883 a34731-a34738 3866->3883 3884 a3478d-a34796 3866->3884 3885 a348c8-a348da 3867->3885 3886 a3485e-a348c6 call a21dc0 call a21cc0 3867->3886 3887 a349bb-a349c2 3868->3887 3888 a348fd-a34904 3868->3888 3874->3820 3875->3858 3876->3822 3877->3860 3940 a3454f 3879->3940 3880->3940 3908 a34743-a34749 3883->3908 3894 a34798-a3479c 3884->3894 3895 a3479d-a3479f 3884->3895 3885->3829 3886->3867 3897 a349cd-a349d3 3887->3897 3890 a3490f-a34915 3888->3890 3911 a349b6 3890->3911 3912 a3491b-a349b1 call a21d90 call a21de0 call a21d10 3890->3912 3894->3895 3915 a347a1-a347c9 call a84870 3895->3915 3916 a347cb-a347f0 call a84870 3895->3916 3896->3777 3917 a34a31 3897->3917 3918 a349d5-a349dc 3897->3918 3925 a3478b 3908->3925 3926 a3474b-a34789 call a21e00 3908->3926 3911->3868 3912->3890 3956 a347f3 3915->3956 3916->3956 3917->3807 3936 a349e7-a349ed 3918->3936 3925->3866 3926->3908 3948 a34a2f 3936->3948 3949 a349ef-a34a2d call a21e00 3936->3949 3940->3781 3948->3897 3949->3936 3956->3794
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID:
                      • String ID: d
                      • API String ID: 0-2564639436
                      • Opcode ID: 97110aebff3be89f47c9114d1fae985cad0b0e319f6a99a8898306cc1bfee4a0
                      • Instruction ID: 7f93a892f485b1e20521a602bcf88ff09255465f69949223f9e64943a6c29624
                      • Opcode Fuzzy Hash: 97110aebff3be89f47c9114d1fae985cad0b0e319f6a99a8898306cc1bfee4a0
                      • Instruction Fuzzy Hash: 3F724571D04A1CDACB15DFA8D991AEEF775FF5A344F108299E40A3A241EB31AA91CF40
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID:
                      • String ID: d
                      • API String ID: 0-2564639436
                      • Opcode ID: 466b5e285d580189ecba216458b566df2d7ddeae76bfff42764cea4ef70aa7b3
                      • Instruction ID: 6f92fdb7da914e45efda7b4ab402ff3d84f2e61e598b8bf9cee3ae142b53eefe
                      • Opcode Fuzzy Hash: 466b5e285d580189ecba216458b566df2d7ddeae76bfff42764cea4ef70aa7b3
                      • Instruction Fuzzy Hash: A8D32771D04A2CCACB26DF68D9916AEF775FF56344F1082CAE40A3A241EB319AD1DF41

                      Control-flow Graph

                      APIs
                      • VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000040,0000011C,?,?,?,?,?,03CD22C4), ref: 03CD486C
                        • Part of subcall function 03CD46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03CD4812), ref: 03CD46E6
                        • Part of subcall function 03CD46D4: LoadLibraryA.KERNEL32(ntdl,?,?,?,?,?,?,?,03CD4812), ref: 03CD46F3
                      • GetCurrentProcess.KERNEL32(03CD22C4), ref: 03CD48E0
                      • IsWow64Process.KERNEL32(00000000), ref: 03CD48E7
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
                      • String ID: l$ntdl
                      • API String ID: 1207166019-924918826
                      • Opcode ID: 2787c983665d700ff01ed4d04de887d15c833e6df294e154baf77541972f143a
                      • Instruction ID: 60438b9ab4ae8391bca8fea4223f789e2b3ff0920842cfa3bc1d13e02fcc8977
                      • Opcode Fuzzy Hash: 2787c983665d700ff01ed4d04de887d15c833e6df294e154baf77541972f143a
                      • Instruction Fuzzy Hash: 0981A232609704AAEB2CEE56E865B79337CFB00710F18055AF309DF2C4DFB49A548706

                      Control-flow Graph

                      APIs
                      • ___scrt_release_startup_lock.LIBCMT ref: 00A7FCF5
                      • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00A7FD09
                      • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00A7FD2F
                      • ___scrt_uninitialize_crt.LIBCMT ref: 00A7FD72
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
                      • String ID: VPWh
                      • API String ID: 3089971210-353207083
                      • Opcode ID: 556722f688ed0fa0e77328f477beee3f1703c49df939f9c51f2c6f05724de7d2
                      • Instruction ID: 975ba02966a8d4453a565ac13f121d88c4db732d6b3e437306c87b33535297ec
                      • Opcode Fuzzy Hash: 556722f688ed0fa0e77328f477beee3f1703c49df939f9c51f2c6f05724de7d2
                      • Instruction Fuzzy Hash: F22149326083116EDF317B686D06A6E67A0AF42324F30C53AF898271C3DF254E018390

                      Control-flow Graph

                      APIs
                        • Part of subcall function 03CD407D: GetFileAttributesW.KERNEL32(016200F8,03CD1035,016200F8,?), ref: 03CD407E
                      • EnterCriticalSection.KERNEL32(03CD84D4), ref: 03CD4F89
                        • Part of subcall function 03CD4E27: LeaveCriticalSection.KERNEL32(03CD84D4), ref: 03CD4FA6
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$AttributesEnterFileLeave
                      • String ID: %s\%s$%s\*$Telegram
                      • API String ID: 4087703252-4994844
                      • Opcode ID: 3849963155f2cac12d6aef97b91b2e813898106e4d24d92a9ae86808527e965c
                      • Instruction ID: ef443a4a003b1f9617881a7bdd49cdca24632fe6e4b029d4c533a88236a72d20
                      • Opcode Fuzzy Hash: 3849963155f2cac12d6aef97b91b2e813898106e4d24d92a9ae86808527e965c
                      • Instruction Fuzzy Hash: 7EA1A329A14348A9EF10EBA0EC45BBEB375EF44710F10505AF604EF2E0FBB15E45875A

                      Control-flow Graph

                      APIs
                      • LoadLibraryA.KERNEL32(?), ref: 00A3307F
                      • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00A330A2
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A330B7
                      • FreeLibrary.KERNEL32(?), ref: 00A330C4
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: Library$CreateFreeLoadObjectSingleThreadWait
                      • String ID:
                      • API String ID: 2432312608-0
                      • Opcode ID: 7c4fa9e07bc0906a82213740a15e72ae6b826020241be5b78c47f49531f86ae4
                      • Instruction ID: 21f61543173c18f17321f0393483e02e2bae8b744ecbf30bbd3707f8504defb9
                      • Opcode Fuzzy Hash: 7c4fa9e07bc0906a82213740a15e72ae6b826020241be5b78c47f49531f86ae4
                      • Instruction Fuzzy Hash: 00011970A40318ABDB34CF94DC8DBAA7734FB15315F1006C9FA2A5A2A1CBB16AC1CF50

                      Control-flow Graph

                      APIs
                      • GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03CD4812), ref: 03CD46E6
                      • LoadLibraryA.KERNEL32(ntdl,?,?,?,?,?,?,?,03CD4812), ref: 03CD46F3
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: HandleLibraryLoadModule
                      • String ID: ntdl
                      • API String ID: 4133054770-3973061744
                      • Opcode ID: 203f6fad7c64d27f889ef622472837531943014125687f897d8b7e6e4172868d
                      • Instruction ID: afa62259af03df905329db97e7903db7373d679bc678e91d53b5652aa1623f6b
                      • Opcode Fuzzy Hash: 203f6fad7c64d27f889ef622472837531943014125687f897d8b7e6e4172868d
                      • Instruction Fuzzy Hash: 98318039E00615DBCB18DF9AC490ABDF7F5BF46714F0A0299E611DB741CB34AA51CBA0

                      Control-flow Graph

                      APIs
                      • Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 00A7C9E8
                      • task.LIBCPMTD ref: 00A7C9F6
                      Strings
                      • }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+, xrefs: 00A7C92A
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: Concurrency::task_continuation_context::task_continuation_contexttask
                      • String ID: }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+
                      • API String ID: 605201214-2946796713
                      • Opcode ID: 6bd5f1ca8678bcaf6a00687a08d4c9b69fe0bf3f669f004b12755fb72c773a8a
                      • Instruction ID: ff5a98cf765eb92d82a58c2c1ccc1c5bd7c27cc8e0ef859ce74051279d9119b5
                      • Opcode Fuzzy Hash: 6bd5f1ca8678bcaf6a00687a08d4c9b69fe0bf3f669f004b12755fb72c773a8a
                      • Instruction Fuzzy Hash: 8631E271D041199BCB04DF98CA92BEEBBB1FB49310F20856EE419B7280DB746A00CBA1

                      Control-flow Graph

                      APIs
                      • EnterCriticalSection.KERNEL32(03CD84D4,?,?,03CD3BE5,?,03CD2251), ref: 03CD3512
                      • GetProcessHeap.KERNEL32(00000008,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD351B
                      • HeapAlloc.KERNEL32(00000000,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD3522
                      • LeaveCriticalSection.KERNEL32(03CD84D4,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD352B
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalHeapSection$AllocEnterLeaveProcess
                      • String ID:
                      • API String ID: 285244410-0
                      • Opcode ID: e9253ed1d591889dcb1d0d1bfaf327d47076f8451ace2d0a5132a1278f9cd925
                      • Instruction ID: 7e415908de3e71af276f5568753db635bb7b7d55db6772d5e576bf2abe4b5b99
                      • Opcode Fuzzy Hash: e9253ed1d591889dcb1d0d1bfaf327d47076f8451ace2d0a5132a1278f9cd925
                      • Instruction Fuzzy Hash: 1DD09E3260212067CA503BE9B80CB9BEA6CEF95561705405AF205C3198CAB49C1587A0

                      Control-flow Graph

                      APIs
                      • __freea.LIBCMT ref: 00A8EF97
                        • Part of subcall function 00A8AC15: HeapAlloc.KERNEL32(00000000,00000000,?,?,00A7FB1F,00000000,?,00A3322C,00000000,?,00A213A5,00000000), ref: 00A8AC47
                      • __freea.LIBCMT ref: 00A8EFAA
                      • __freea.LIBCMT ref: 00A8EFB7
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: __freea$AllocHeap
                      • String ID:
                      • API String ID: 85559729-0
                      • Opcode ID: f27530614f3591f81dde9dbb1263d82f0c36af4e5b6062285ed7cbafb39c7e3e
                      • Instruction ID: 7a37496b581e86a706e2895f8439eac0362a4eab275cdb46ed834c7588149e18
                      • Opcode Fuzzy Hash: f27530614f3591f81dde9dbb1263d82f0c36af4e5b6062285ed7cbafb39c7e3e
                      • Instruction Fuzzy Hash: 7F51907260020AEFEF21EF60DD85EBB7AA9EF94750B150129FE08D6150EB74DC50C7A1
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: HandleLibraryLoadModule
                      • String ID: 146.70.169.164$ws2_32.dll
                      • API String ID: 4133054770-4085977579
                      • Opcode ID: 987999cfbcf7d6671b8475fff7b20d55673a2537e80e11dd4ca558e00a7a3a98
                      • Instruction ID: 5444d7f336be1609f9430b05104ce17193e0bb611526f0e9932935c547304437
                      • Opcode Fuzzy Hash: 987999cfbcf7d6671b8475fff7b20d55673a2537e80e11dd4ca558e00a7a3a98
                      • Instruction Fuzzy Hash: 5651A430C04289EEEB12DBE8D8097EDBFB89F16314F144189E660EE2C1D7B5474ACB61
                      APIs
                        • Part of subcall function 00A92A95: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00A92AC0
                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00A92DA5,?,00000000,?,00000000,?), ref: 00A92FC2
                      • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A92DA5,?,00000000,?,00000000,?), ref: 00A92FFE
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: CodeInfoPageValid
                      • String ID:
                      • API String ID: 546120528-0
                      • Opcode ID: 57a3539df1cdfad2f2e2443bee0493be4873b087386a2011657280bc99b7b526
                      • Instruction ID: 78536a93d3ce1fcf75dff74348e567cb3a7010b880d3c1e140bb742d68b2bcdc
                      • Opcode Fuzzy Hash: 57a3539df1cdfad2f2e2443bee0493be4873b087386a2011657280bc99b7b526
                      • Instruction Fuzzy Hash: 12513176B00345AEDF21CF7AC885AAFBBF4EF41300F14856ED0868B251E7759A06CB91
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000000,03CD264F), ref: 03CD353D
                      • HeapFree.KERNEL32(00000000), ref: 03CD3544
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$FreeProcess
                      • String ID:
                      • API String ID: 3859560861-0
                      • Opcode ID: a92c6f957bb92bc82229f2ea52ae7071ee54eb1a8971ebef09a9fc1a3c2172ee
                      • Instruction ID: cfff450146e62d9b00979227b290fc94bf99ace31c0ff3a20f112ed4e0d0bcef
                      • Opcode Fuzzy Hash: a92c6f957bb92bc82229f2ea52ae7071ee54eb1a8971ebef09a9fc1a3c2172ee
                      • Instruction Fuzzy Hash: 32B092745021006AEE887BA0A90DB3A3618AB00603F04008CB202D50849678A9208621
                      APIs
                      • GetCPInfo.KERNEL32(FFFFF9B2,?,00000005,00A92DA5,?), ref: 00A92B9B
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: Info
                      • String ID:
                      • API String ID: 1807457897-0
                      • Opcode ID: 2d06e90ef91500d42e2592a6a34b279d1c40ab52632996a79803961763ca5a74
                      • Instruction ID: 0416ca37fe818351c98b47e39327c4bb53448a7156aec3a01ac10b34d08bd9ac
                      • Opcode Fuzzy Hash: 2d06e90ef91500d42e2592a6a34b279d1c40ab52632996a79803961763ca5a74
                      • Instruction Fuzzy Hash: B65138B1A08158BADF118F28CD84BEABBFCFB15304F1401E9E599D7182D3359D85DB60
                      APIs
                      • stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00A8037B
                        • Part of subcall function 00A8106C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00A8038E,?,?,?,?,00A8038E,?,00AA8484), ref: 00A810CC
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ExceptionRaisestdext::threads::lock_error::lock_error
                      • String ID:
                      • API String ID: 3447279179-0
                      • Opcode ID: a52489d87e1c2c9fee6b703c9339338edf694ac5027479113da7a214c0fc327a
                      • Instruction ID: e03f7ddc5117ab7bc53348fb516f674dd4cc3be26103f59c4cc036f88e3c437c
                      • Opcode Fuzzy Hash: a52489d87e1c2c9fee6b703c9339338edf694ac5027479113da7a214c0fc327a
                      • Instruction Fuzzy Hash: 22F0B43580030DBBCB04BAB4ED1ADAD777CAA04350F60C530B968A60D2EF34EA498295
                      APIs
                      • Concurrency::cancel_current_task.LIBCPMTD ref: 00A21477
                        • Part of subcall function 00A33D80: stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00A33D89
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: Concurrency::cancel_current_taskstdext::threads::lock_error::lock_error
                      • String ID:
                      • API String ID: 2103942186-0
                      • Opcode ID: 7e938961fb2e67025cdff9c0a0f1d748bbed45857ce640becdc6d9bdc5e37106
                      • Instruction ID: a3be121e11af1886dbb2ad6fb47fbeb678018139b4a6b1d803d49b048fddd917
                      • Opcode Fuzzy Hash: 7e938961fb2e67025cdff9c0a0f1d748bbed45857ce640becdc6d9bdc5e37106
                      • Instruction Fuzzy Hash: D6F019B5D01108ABCB14EFA8E6816AEB7B1AF58304F10C1B9E8099B345E630AF508B81
                      APIs
                      • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,00A8EED2,?,?,-00000008,?,00000000), ref: 00A8E225
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: String
                      • String ID:
                      • API String ID: 2568140703-0
                      • Opcode ID: 0b8063070de6d5279f20e635212540f853688132dde259a9530987654f7397dc
                      • Instruction ID: 8c05f2426ad6f56333ecd9980f74edb9b8a2826b4d7b23b77ecb478ac16c93d1
                      • Opcode Fuzzy Hash: 0b8063070de6d5279f20e635212540f853688132dde259a9530987654f7397dc
                      • Instruction Fuzzy Hash: 88F0683250011AFBCF12AF94DC05DDE7F2AFB48760F058515FA1826020DA32D832AB90
                      APIs
                      • VirtualProtect.KERNEL32(?,00000007,?,?), ref: 00A34B9E
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      • Opcode ID: 24d2f882f2f73bb6acfbab9831556a5d06011cddee88d6195ce90b674ae05608
                      • Instruction ID: f0f78f73790c81174aea2883973c769b94d63ec09e04bd5108ff8b8bdc4f0524
                      • Opcode Fuzzy Hash: 24d2f882f2f73bb6acfbab9831556a5d06011cddee88d6195ce90b674ae05608
                      • Instruction Fuzzy Hash: 16D012B6A2410987CB20DFACAC483A27778F705316B14118EE95847153DB3255168F50
                      APIs
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: allocator
                      • String ID:
                      • API String ID: 3447690668-0
                      • Opcode ID: 571f10d42482652b194d7ecda06d937b3b08c569b6719ab49de57ad63638ba45
                      • Instruction ID: 53bd8adc14960adb69df2955be6845f7e885d6fe758c4a0d484e91c9843b3fad
                      • Opcode Fuzzy Hash: 571f10d42482652b194d7ecda06d937b3b08c569b6719ab49de57ad63638ba45
                      • Instruction Fuzzy Hash: C1C09B3011410C5B8704DF88E491D55739D9B8C710B004155BC0D4B351CA30FD40C554
                      APIs
                      • GetFileAttributesW.KERNEL32(016200F8,03CD1035,016200F8,?), ref: 03CD407E
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 2a79be9e7f20f5a87746e953b434d7582fb0066a856bf4533d0c1a4167f0d36a
                      • Instruction ID: 10fa164ed4a7265a98516f86dc4453ea5c7f754839bc6f15883501659bd97098
                      • Opcode Fuzzy Hash: 2a79be9e7f20f5a87746e953b434d7582fb0066a856bf4533d0c1a4167f0d36a
                      • Instruction Fuzzy Hash: FFA022380302008BCA2C2B302B2A30E30000E0A2F03220B8CB033C80C0EA38CAA00000
                      APIs
                      • VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00A38B81
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: e958405a7abae943b2f04a885e73f353a778afa5b8bb6bc1f6f3a8fd0204756f
                      • Instruction ID: de171e469d9fcef813a4150f3984bd26d9c36975cf16bca5bd9bd4ed38f2f962
                      • Opcode Fuzzy Hash: e958405a7abae943b2f04a885e73f353a778afa5b8bb6bc1f6f3a8fd0204756f
                      • Instruction Fuzzy Hash: 7221E9B1D05A28CBDB62CF24C9817ADF7B5AF51340F1092C6E40D66202DB385BC5DF10
                      APIs
                      • HeapAlloc.KERNEL32(00000000,00000000,?,?,00A7FB1F,00000000,?,00A3322C,00000000,?,00A213A5,00000000), ref: 00A8AC47
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: AllocHeap
                      • String ID:
                      • API String ID: 4292702814-0
                      • Opcode ID: f1f68d8ab443dbef5fe727756e7324d57703eeb292e4658b59b8110878ba90f9
                      • Instruction ID: 5d2b38af12479431d61f63d0d63c2ef5ca7a9cfe9048800161577554ead69ae4
                      • Opcode Fuzzy Hash: f1f68d8ab443dbef5fe727756e7324d57703eeb292e4658b59b8110878ba90f9
                      • Instruction Fuzzy Hash: 5CE0E571204A1567F7313BF59D0079F3A98AF223A0F180123FC05962D0EB60CC00C3A2
                      APIs
                      • GetLocaleInfoW.KERNEL32(?,2000000B,00A9576A,00000002,00000000,?,?,?,00A9576A,?,00000000), ref: 00A954F1
                      • GetLocaleInfoW.KERNEL32(?,20001004,00A9576A,00000002,00000000,?,?,?,00A9576A,?,00000000), ref: 00A9551A
                      • GetACP.KERNEL32(?,?,00A9576A,?,00000000), ref: 00A9552F
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: InfoLocale
                      • String ID: ACP$OCP
                      • API String ID: 2299586839-711371036
                      • Opcode ID: 8e3d0ee21c687e95a4b37a15e9c732cd6acc9c9b5798508490e2051368c464a7
                      • Instruction ID: 8f849b32c1c92c7223050f91694ce8ea67f3683e6cf2ae0633a013699ed47ed7
                      • Opcode Fuzzy Hash: 8e3d0ee21c687e95a4b37a15e9c732cd6acc9c9b5798508490e2051368c464a7
                      • Instruction Fuzzy Hash: 2521A172F00901AADF728F74D907A9773F7AB90B61B668465E90AC7105FB32EE81C750
                      APIs
                        • Part of subcall function 00A8A8F0: GetLastError.KERNEL32(?,?,00A871B7,?,?,?,?,00000003,00A84382,?,00A842F1,?,00000000,00A84500), ref: 00A8A8F4
                        • Part of subcall function 00A8A8F0: SetLastError.KERNEL32(00000000,00000000,00A84500,?,?,?,?,?,00000000,?,?,00A8459E,00000000,00000000,00000000,00000000), ref: 00A8A996
                      • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00A9573C
                      • IsValidCodePage.KERNEL32(00000000), ref: 00A9577A
                      • IsValidLocale.KERNEL32(?,00000001), ref: 00A9578D
                      • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00A957D5
                      • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00A957F0
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                      • String ID:
                      • API String ID: 415426439-0
                      • Opcode ID: 58b5b22ba4400b8f10b2307c302b5a9c1d7e881f862242c4b8e632d9061f1b2f
                      • Instruction ID: 99703d0aff977c77b3555e66ff26c2e5dece390b10edbd6a0569bd36d1d88499
                      • Opcode Fuzzy Hash: 58b5b22ba4400b8f10b2307c302b5a9c1d7e881f862242c4b8e632d9061f1b2f
                      • Instruction Fuzzy Hash: FA516071F10A09ABEF12DFB4CD86AAE77F8BF48700F544429E914E7191EB709A418B61
                      APIs
                        • Part of subcall function 00A8A8F0: GetLastError.KERNEL32(?,?,00A871B7,?,?,?,?,00000003,00A84382,?,00A842F1,?,00000000,00A84500), ref: 00A8A8F4
                        • Part of subcall function 00A8A8F0: SetLastError.KERNEL32(00000000,00000000,00A84500,?,?,?,?,?,00000000,?,?,00A8459E,00000000,00000000,00000000,00000000), ref: 00A8A996
                      • GetACP.KERNEL32(?,?,?,?,?,?,00A889B1,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00A94D7E
                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00A889B1,?,?,?,00000055,?,-00000050,?,?), ref: 00A94DB5
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00A94F18
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ErrorLast$CodeInfoLocalePageValid
                      • String ID: utf8
                      • API String ID: 607553120-905460609
                      • Opcode ID: 70d1ff613ef3f878a1579fd59e84518477e7129b6c5526b2248c1fd7a46fff11
                      • Instruction ID: 0390b2ecee7bca4fc92cc9419262dd3655f4b4afbf8103401cb64378492ee487
                      • Opcode Fuzzy Hash: 70d1ff613ef3f878a1579fd59e84518477e7129b6c5526b2248c1fd7a46fff11
                      • Instruction Fuzzy Hash: CB71EF35B00206AAEF25AB75DD42FAB73E8EF49704F11042AFA15DB181EA74ED428761
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00A804A1
                      • IsDebuggerPresent.KERNEL32 ref: 00A8056D
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A80586
                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00A80590
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                      • String ID:
                      • API String ID: 254469556-0
                      • Opcode ID: 761c1b1d5993146cf1ba1f459ef2863d865372ed4ccc8ce06285a86df5f6fd33
                      • Instruction ID: ab029372d9bcce5091fa340721fdf0045138f784adb30e39e71b2a37da3cd1d7
                      • Opcode Fuzzy Hash: 761c1b1d5993146cf1ba1f459ef2863d865372ed4ccc8ce06285a86df5f6fd33
                      • Instruction Fuzzy Hash: 8B31EA75D01218DBDF61EFA4DD49BCEBBB8AF08300F1041AAE50DAB250EB719A85CF45
                      APIs
                        • Part of subcall function 00A8A8F0: GetLastError.KERNEL32(?,?,00A871B7,?,?,?,?,00000003,00A84382,?,00A842F1,?,00000000,00A84500), ref: 00A8A8F4
                        • Part of subcall function 00A8A8F0: SetLastError.KERNEL32(00000000,00000000,00A84500,?,?,?,?,?,00000000,?,?,00A8459E,00000000,00000000,00000000,00000000), ref: 00A8A996
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A95130
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A9517A
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A95240
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: InfoLocale$ErrorLast
                      • String ID:
                      • API String ID: 661929714-0
                      • Opcode ID: 40e5050f095480dabb88cda5b0f5a132d06486a1a39b643352169d749e3634e0
                      • Instruction ID: c6d0efbfccfa60f2dd707d8b917810614360d976cdd3f31f460f13bb71431f31
                      • Opcode Fuzzy Hash: 40e5050f095480dabb88cda5b0f5a132d06486a1a39b643352169d749e3634e0
                      • Instruction Fuzzy Hash: A6618E71E106179BEF2A9F38CD83BAA77E8EF14340F20416AE905CA185F774D991CB50
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00A8447B
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A84485
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00A84492
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: 0ebce31baf82477e2abb4dc2025c987639326acbd8890d307334c841d9b781f6
                      • Instruction ID: e15a73a05bab8900d1351e7f2c7b8b0aaf98084aff58caec90cc248d50afc61e
                      • Opcode Fuzzy Hash: 0ebce31baf82477e2abb4dc2025c987639326acbd8890d307334c841d9b781f6
                      • Instruction Fuzzy Hash: 9631C475901319ABCB61EF68DD89B8DBBB8BF18311F5041EAE41CA6250EB709B858F44
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00A80152
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: FeaturePresentProcessor
                      • String ID:
                      • API String ID: 2325560087-0
                      • Opcode ID: b486cc25d2173e878e22178fa24f9a7cae08efbd85a90194608fe553fb53d902
                      • Instruction ID: 2ccf5bdcd106e7aba58ca1d9d7a4427322bea1b041f629e57998668ce38d93dc
                      • Opcode Fuzzy Hash: b486cc25d2173e878e22178fa24f9a7cae08efbd85a90194608fe553fb53d902
                      • Instruction Fuzzy Hash: 1D519FB1E11206CFEB55CFA4D885BAEBBF4FB48310F24812AD505EB292E3759D45CB60
                      APIs
                        • Part of subcall function 00A8A8F0: GetLastError.KERNEL32(?,?,00A871B7,?,?,?,?,00000003,00A84382,?,00A842F1,?,00000000,00A84500), ref: 00A8A8F4
                        • Part of subcall function 00A8A8F0: SetLastError.KERNEL32(00000000,00000000,00A84500,?,?,?,?,?,00000000,?,?,00A8459E,00000000,00000000,00000000,00000000), ref: 00A8A996
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A95383
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ErrorLast$InfoLocale
                      • String ID:
                      • API String ID: 3736152602-0
                      • Opcode ID: 5c9075957b75337c5bfba8348779715564690a5019568f989f3eb3f48964d786
                      • Instruction ID: 744f613ee6a19ad23e8d0e3ce186d2af99d01a46196f6eb54aa0989205d22be5
                      • Opcode Fuzzy Hash: 5c9075957b75337c5bfba8348779715564690a5019568f989f3eb3f48964d786
                      • Instruction Fuzzy Hash: D021B032B10606ABEF29AB25DD52ABB33F8EF44350B10407AF901CA141EBB8ED45CB50
                      APIs
                        • Part of subcall function 00A8A8F0: GetLastError.KERNEL32(?,?,00A871B7,?,?,?,?,00000003,00A84382,?,00A842F1,?,00000000,00A84500), ref: 00A8A8F4
                        • Part of subcall function 00A8A8F0: SetLastError.KERNEL32(00000000,00000000,00A84500,?,?,?,?,?,00000000,?,?,00A8459E,00000000,00000000,00000000,00000000), ref: 00A8A996
                      • EnumSystemLocalesW.KERNEL32(00A950DC,00000001,00000000,?,-00000050,?,00A95710,00000000,?,?,?,00000055,?), ref: 00A95028
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem
                      • String ID:
                      • API String ID: 2417226690-0
                      • Opcode ID: 568ea0525c16907904224ce7fa4635b049b3f2abc1f8aac9de06dee86a03cd9a
                      • Instruction ID: 37449d100e089721f02bc477bb9f04e4afef55ddd6af05c8f10d02b4320393e4
                      • Opcode Fuzzy Hash: 568ea0525c16907904224ce7fa4635b049b3f2abc1f8aac9de06dee86a03cd9a
                      • Instruction Fuzzy Hash: CD1129377007059FDF189F39C89157ABBD1FF84358B14442DE94647640D7716843C740
                      APIs
                        • Part of subcall function 00A8A8F0: GetLastError.KERNEL32(?,?,00A871B7,?,?,?,?,00000003,00A84382,?,00A842F1,?,00000000,00A84500), ref: 00A8A8F4
                        • Part of subcall function 00A8A8F0: SetLastError.KERNEL32(00000000,00000000,00A84500,?,?,?,?,?,00000000,?,?,00A8459E,00000000,00000000,00000000,00000000), ref: 00A8A996
                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00A952F8,00000000,00000000,?), ref: 00A9558A
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ErrorLast$InfoLocale
                      • String ID:
                      • API String ID: 3736152602-0
                      • Opcode ID: ff66c527546e4b491b73baa6ff343d17ff0ac00a06601fea71dcc45451071b94
                      • Instruction ID: 36300ee6d07c62d8d23079f33b316ff5f770959d3da544bfb2cf78632d36121c
                      • Opcode Fuzzy Hash: ff66c527546e4b491b73baa6ff343d17ff0ac00a06601fea71dcc45451071b94
                      • Instruction Fuzzy Hash: 6301A232B00612ABDF299B34C806ABB37E5EB41754F164429EC06A3181EA24FE41C790
                      APIs
                        • Part of subcall function 00A8A8F0: GetLastError.KERNEL32(?,?,00A871B7,?,?,?,?,00000003,00A84382,?,00A842F1,?,00000000,00A84500), ref: 00A8A8F4
                        • Part of subcall function 00A8A8F0: SetLastError.KERNEL32(00000000,00000000,00A84500,?,?,?,?,?,00000000,?,?,00A8459E,00000000,00000000,00000000,00000000), ref: 00A8A996
                      • EnumSystemLocalesW.KERNEL32(00A9532F,00000001,00000000,?,-00000050,?,00A956D8,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00A9509B
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem
                      • String ID:
                      • API String ID: 2417226690-0
                      • Opcode ID: 417506e1e2e1fda66d0e459e154c0cd812f8ed2abba94c2f16bb5e19a60ce77f
                      • Instruction ID: f793f22fd40149e01f273a6716df7d4ead9911a27d5debc0c1937a2dba8a4760
                      • Opcode Fuzzy Hash: 417506e1e2e1fda66d0e459e154c0cd812f8ed2abba94c2f16bb5e19a60ce77f
                      • Instruction Fuzzy Hash: B9F0F636700B046FDF256F399892A7B7BE1EF80368F05442DF9464B680D6B19C42C790
                      APIs
                        • Part of subcall function 00A849CA: EnterCriticalSection.KERNEL32(-00AAB8A8,?,00A876D7,00000000,00AA8C40,0000000C,00A8769F,?,?,00A8DB90,?,?,00A8AA8E,00000001,00000364,00000000), ref: 00A849D9
                      • EnumSystemLocalesW.KERNEL32(00A8DBBA,00000001,00AA8E30,0000000C,00A8DF92,00000000), ref: 00A8DBFF
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: CriticalEnterEnumLocalesSectionSystem
                      • String ID:
                      • API String ID: 1272433827-0
                      • Opcode ID: 4ef9449880b418c9c9c2704ef7607c27aa4735c63e6e41fee119dc864fbf075e
                      • Instruction ID: ab4904efd5c27410c2285e604e3e4ea27f8b80eb1fb5bae59632f3e1efafe28a
                      • Opcode Fuzzy Hash: 4ef9449880b418c9c9c2704ef7607c27aa4735c63e6e41fee119dc864fbf075e
                      • Instruction Fuzzy Hash: 16F04972A10305EFD710EF98E902B9EB7F0FB09720F10412AF4149B2E1DBB99901CB50
                      APIs
                        • Part of subcall function 00A8A8F0: GetLastError.KERNEL32(?,?,00A871B7,?,?,?,?,00000003,00A84382,?,00A842F1,?,00000000,00A84500), ref: 00A8A8F4
                        • Part of subcall function 00A8A8F0: SetLastError.KERNEL32(00000000,00000000,00A84500,?,?,?,?,?,00000000,?,?,00A8459E,00000000,00000000,00000000,00000000), ref: 00A8A996
                      • EnumSystemLocalesW.KERNEL32(00A94EC4,00000001,00000000,?,?,00A95732,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00A94FA2
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem
                      • String ID:
                      • API String ID: 2417226690-0
                      • Opcode ID: e3f105cffc3aaf5ac904fd73a3b5d422700897bf61c4ed543bf8c52fbb264c2e
                      • Instruction ID: 059f38931d698f0078ec9f78efdd088af70d51c0d972aa7de1e297dc39a6890b
                      • Opcode Fuzzy Hash: e3f105cffc3aaf5ac904fd73a3b5d422700897bf61c4ed543bf8c52fbb264c2e
                      • Instruction Fuzzy Hash: 5FF0E5367002466BCF14EF39D845A6ABFE4FFC5B10F064059EE098B691C6759883C7A0
                      APIs
                      • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00A89527,?,20001004,00000000,00000002,?,?,00A88B19), ref: 00A8E0CA
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: InfoLocale
                      • String ID:
                      • API String ID: 2299586839-0
                      • Opcode ID: 220ee1ccbb7815f8b322ae3906f7fd4f826caebe161916a22c9f35d0300c65fe
                      • Instruction ID: 278f8d747aa32b998ff62de8c9d55a716b9ed7e298cd15ed1ec368e5466eb7e2
                      • Opcode Fuzzy Hash: 220ee1ccbb7815f8b322ae3906f7fd4f826caebe161916a22c9f35d0300c65fe
                      • Instruction Fuzzy Hash: FBE01A31640228BBCF12BFA5DD04BAE3F2ABB44760F144415FC09662618B719921EB95
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_0006062E,00A7FC56), ref: 00A80627
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: 49fb2bc1f2d394b095aff5ce14f1716ef29e85bffa3809c99f7e20991ec05fe6
                      • Instruction ID: d7709e2513c2f694629af859db03ec9a2ee731b34bf24a3fe54072e0b863a089
                      • Opcode Fuzzy Hash: 49fb2bc1f2d394b095aff5ce14f1716ef29e85bffa3809c99f7e20991ec05fe6
                      • Instruction Fuzzy Hash:
                      APIs
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: HeapProcess
                      • String ID:
                      • API String ID: 54951025-0
                      • Opcode ID: 8132c457bfeda6302c13e3631631f5bf37e8e3f0172011f4be22e1ad4d7c19bc
                      • Instruction ID: 9148a64033259354004bd09ba542542540fd664fe8cf855ebaea25f829f53785
                      • Opcode Fuzzy Hash: 8132c457bfeda6302c13e3631631f5bf37e8e3f0172011f4be22e1ad4d7c19bc
                      • Instruction Fuzzy Hash: AEA00270611106DF5740CF755F0920D36E97545591B1541595405C5171DF2584519A11
                      APIs
                      • GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,03CD4574), ref: 03CD4305
                      • GetProcAddress.KERNEL32(00000000,?,?,?,?,03CD4574), ref: 03CD430E
                      • GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,03CD4574), ref: 03CD431F
                      • GetProcAddress.KERNEL32(00000000,?,?,?,?,03CD4574), ref: 03CD4322
                        • Part of subcall function 03CD3508: EnterCriticalSection.KERNEL32(03CD84D4,?,?,03CD3BE5,?,03CD2251), ref: 03CD3512
                        • Part of subcall function 03CD3508: GetProcessHeap.KERNEL32(00000008,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD351B
                        • Part of subcall function 03CD3508: HeapAlloc.KERNEL32(00000000,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD3522
                        • Part of subcall function 03CD3508: LeaveCriticalSection.KERNEL32(03CD84D4,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD352B
                      • OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,03CD4574), ref: 03CD43A4
                      • GetCurrentProcess.KERNEL32(03CD4574,00000000,00000000,00000002,?,?,?,?,03CD4574), ref: 03CD43C0
                      • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,03CD4574), ref: 03CD43CF
                      • CloseHandle.KERNEL32(03CD4574,?,?,?,?,03CD4574), ref: 03CD43FF
                      • GetCurrentProcess.KERNEL32(03CD4574,00000000,00000000,00000001,?,?,?,?,03CD4574), ref: 03CD440D
                      • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,03CD4574), ref: 03CD441C
                      • CloseHandle.KERNEL32(?,?,?,?,?,03CD4574), ref: 03CD442F
                      • CloseHandle.KERNEL32(000000FF), ref: 03CD4452
                      • CloseHandle.KERNEL32(?), ref: 03CD445A
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: Handle$CloseProcess$AddressCriticalCurrentDuplicateHeapModuleProcSection$AllocEnterLeaveOpen
                      • String ID: NtQueryObject$NtQuerySystemInformation$ntdll
                      • API String ID: 4050662462-2044536123
                      • Opcode ID: d4ac80ca37916998a1267ff74df3e7119af763aae9e8822b9a5a2b3785e18809
                      • Instruction ID: 2f64d01780cfeaf4f02b2fba161e8da330bc1ac0b4e7131f21a1ba0541bcdd39
                      • Opcode Fuzzy Hash: d4ac80ca37916998a1267ff74df3e7119af763aae9e8822b9a5a2b3785e18809
                      • Instruction Fuzzy Hash: 46419071A00219ABDB14EFE69C84AAFBBB9EF44610F194065FB14E7190DB70DE50DBA0
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: Yarn$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                      • String ID: bad locale name
                      • API String ID: 3904239083-1405518554
                      • Opcode ID: 13e2af16e7dccf597956c62a49910896a5b60d3ce30bbc63f5532ffa34b73da1
                      • Instruction ID: 94ae57ab1efcd7a7ad183afe1fd176de2122a90ae63e936e1f5b988d64277c98
                      • Opcode Fuzzy Hash: 13e2af16e7dccf597956c62a49910896a5b60d3ce30bbc63f5532ffa34b73da1
                      • Instruction Fuzzy Hash: 672190B0904259EBCF08EB9CDE51BBEBB70BF45308F14856CE4122B782CB755A10CB62
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: __aulldvrm
                      • String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef
                      • API String ID: 1302938615-1267642376
                      • Opcode ID: e4281c8d3e67355536038f440597d2f5873e15b5057488eaf7f0d35c9fc69c16
                      • Instruction ID: a7b954af62fb77518a9871939575e333e49f41472f4e645c662b5f7560ae9f7f
                      • Opcode Fuzzy Hash: e4281c8d3e67355536038f440597d2f5873e15b5057488eaf7f0d35c9fc69c16
                      • Instruction Fuzzy Hash: 31917C706047029FDB25CF29C48062AFBE5EF85244F184D6EF6DACB651DBB0EA81CB51
                      APIs
                      • type_info::operator==.LIBVCRUNTIME ref: 00A83400
                      • ___TypeMatch.LIBVCRUNTIME ref: 00A8350E
                      • _UnwindNestedFrames.LIBCMT ref: 00A83660
                      • CallUnexpected.LIBVCRUNTIME ref: 00A8367B
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                      • String ID: csm$csm$csm
                      • API String ID: 2751267872-393685449
                      • Opcode ID: d4e16f05b65ea6c880a657a36ad6d991202bf812c5095d5ca0b11f67f1a55ef6
                      • Instruction ID: 146e9604f63adc59fe39be8fd8929727295cbc84509c2634f24fbcac032efee8
                      • Opcode Fuzzy Hash: d4e16f05b65ea6c880a657a36ad6d991202bf812c5095d5ca0b11f67f1a55ef6
                      • Instruction Fuzzy Hash: 86B15A72800209EFCF19EFA8C9819AEBBB5FF18B10B144569E8116B212D731DF61CF91
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID: 0-3907804496
                      • Opcode ID: bfd52b0cc1316a9ce92a93469f90be3cb580d30a1f6550480f8c1c8ea363f060
                      • Instruction ID: 77a1f6d983862c589bb88dde33d3df22fc88753f20959f77d553f34d61f21389
                      • Opcode Fuzzy Hash: bfd52b0cc1316a9ce92a93469f90be3cb580d30a1f6550480f8c1c8ea363f060
                      • Instruction Fuzzy Hash: 41B1F370F0424AAFDF11EFA9C991BAE7FF5AF89350F194158E5019B292C7709D42CB60
                      APIs
                      • GetUserDefaultUILanguage.KERNEL32 ref: 03CD1F90
                      • GetKeyboardLayoutList.USER32(00000032,?), ref: 03CD1FF2
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: DefaultKeyboardLanguageLayoutListUser
                      • String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
                      • API String ID: 167087913-619012376
                      • Opcode ID: 8898c77d4180dba594cf5c5165556ee464d53ffcc304f9f7c77091f463e9819c
                      • Instruction ID: 529360e2f4899b07fd3496d42173a327cc7700462e02ee01ca9f7d27940ffa74
                      • Opcode Fuzzy Hash: 8898c77d4180dba594cf5c5165556ee464d53ffcc304f9f7c77091f463e9819c
                      • Instruction Fuzzy Hash: F831B164E08298AADB419FE4A4017FDBB70AF14305F00549AF688FA282E7794B45D76A
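The two function records above from the 03CD0000 region (the one resolving NtQuerySystemInformation and NtQueryObject before OpenProcess, DuplicateHandle and CloseHandle, and the one calling GetUserDefaultUILanguage and GetKeyboardLayoutList) are the kind of API traces an analyst triages by hand. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses report lines of this shape, decodes the OpenProcess desired-access mask (0x40 is PROCESS_DUP_HANDLE in winnt.h), and flags the two patterns. The sample lines are copied from the records above; the reading of the first record as a handle-enumeration routine (walking other processes' handles and querying object names, a common check for debuggers and analysis tools) is an inference from the API sequence, not something the report states.

```python
import re

# Process access rights from winnt.h; OpenProcess(0x40, ...) in the trace asks
# for PROCESS_DUP_HANDLE only, which is what DuplicateHandle needs.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# One report line: "<api>.<MODULE>(<args>), ref: <addr>" or "<api>.<MODULE> ref: <addr>".
# A leading bullet and a "Part of subcall function XXXX:" prefix are tolerated.
LINE_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>.+?)\.(?P<module>[A-Z][A-Z0-9]*)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")
NATIVE_RE = re.compile(r"^Nt[A-Z]\w+$")

# Constructed sample: argument lines copied from the two records above.
SAMPLE_TRACE = """\
GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,03CD4574), ref: 03CD4305
GetProcAddress.KERNEL32(00000000,?,?,?,?,03CD4574), ref: 03CD430E
GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,03CD4574), ref: 03CD431F
GetProcAddress.KERNEL32(00000000,?,?,?,?,03CD4574), ref: 03CD4322
OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,03CD4574), ref: 03CD43A4
GetCurrentProcess.KERNEL32(03CD4574,00000000,00000000,00000002,?,?,?,?,03CD4574), ref: 03CD43C0
DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,03CD4574), ref: 03CD43CF
CloseHandle.KERNEL32(03CD4574,?,?,?,?,03CD4574), ref: 03CD43FF
GetUserDefaultUILanguage.KERNEL32 ref: 03CD1F90
GetKeyboardLayoutList.USER32(00000032,?), ref: 03CD1FF2
"""


def parse_arg(tok):
    """'?' is an unrecoverable stack slot, 8 hex digits are a number, anything else a string."""
    tok = tok.strip()
    if tok == "?":
        return None
    if HEX_RE.match(tok):
        return int(tok, 16)  # also covers negatives such as "-00000050"
    return tok


def parse_call(line):
    """Return {api, module, args, ref} for one API line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def parse_trace(text):
    return [c for c in (parse_call(l) for l in text.splitlines()) if c]


def decode_process_access(mask):
    """Names of the PROCESS_* rights set in an OpenProcess desired-access mask."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def find_handle_enumeration(calls):
    """OpenProcess(PROCESS_DUP_HANDLE) plus DuplicateHandle, next to dynamic resolution of
    NtQuerySystemInformation and NtQueryObject, is the shape of a routine that walks other
    processes' handles and reads their object names (inference, see lead-in)."""
    strings = {a for c in calls for a in c["args"] if isinstance(a, str)}
    resolved = sorted(s for s in strings if NATIVE_RE.match(s))
    dup_opens = [c for c in calls if c["api"] == "OpenProcess"
                 and c["args"] and isinstance(c["args"][0], int) and c["args"][0] & 0x40]
    duplicated = any(c["api"] == "DuplicateHandle" for c in calls)
    return {
        "resolved_native_apis": resolved,
        "open_process_rights": [decode_process_access(c["args"][0]) for c in dup_opens],
        "suspicious": bool(dup_opens) and duplicated
                      and {"NtQuerySystemInformation", "NtQueryObject"} <= set(resolved),
    }


LOCALE_APIS = {"GetUserDefaultUILanguage", "GetKeyboardLayoutList", "GetSystemDefaultLangID",
               "GetUserDefaultLangID", "GetLocaleInfoW"}


def find_locale_probe(calls):
    """APIs that reveal the victim's UI language or keyboard layouts; stealers commonly
    consult these before deciding whether to run."""
    return sorted({c["api"] for c in calls if c["api"] in LOCALE_APIS})


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    print(find_handle_enumeration(calls))
    print(find_locale_probe(calls))
```

The parser keeps `?` slots as `None` rather than guessing, so a rule such as "OpenProcess with PROCESS_DUP_HANDLE" only fires when the report actually captured the value; the string arguments (`ntdll`, `NtQueryObject`) are stack residue the report prints beside whichever call happened to be logged, which is why the rule gathers them across the whole function rather than tying them to one call.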
                      APIs
                      • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,B35EB3F9,?,00A8DEA3,00000000,00A213A5,00000000,00000000), ref: 00A8DE55
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID: api-ms-$ext-ms-
                      • API String ID: 3664257935-537541572
                      • Opcode ID: 48804968997ddd21206a0bbac05e93ddbadb21f1f07f249cada8bc38a602bdab
                      • Instruction ID: 57fed907c6574ef888897fd2e4c92fe1118191f2d94ae8c129c7cbfb98ffa8f7
                      • Opcode Fuzzy Hash: 48804968997ddd21206a0bbac05e93ddbadb21f1f07f249cada8bc38a602bdab
                      • Instruction Fuzzy Hash: 1621E432B01211BBDB21FBA4DC45AAB3769EB527A0F240115F916AF2D1DB30ED01C7E0
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00A7E51D
                      • std::_Lockit::_Lockit.LIBCPMT ref: 00A7E527
                      • int.LIBCPMTD ref: 00A7E53E
                        • Part of subcall function 00A246D0: std::_Lockit::_Lockit.LIBCPMT ref: 00A246E6
                        • Part of subcall function 00A246D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00A24710
                      • codecvt.LIBCPMT ref: 00A7E561
                      • std::_Facet_Register.LIBCPMT ref: 00A7E578
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00A7E598
                      • Concurrency::cancel_current_task.LIBCPMTD ref: 00A7E5A5
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                      • String ID:
                      • API String ID: 2133458128-0
                      • Opcode ID: f087e5b103552ce373ce13a28519a399b71798695b35fb5b07929ad9e5c2bd0b
                      • Instruction ID: 6ff426dd97050bae674c3f85f5c589bc6b997afb025d16e194362c67b9c8d248
                      • Opcode Fuzzy Hash: f087e5b103552ce373ce13a28519a399b71798695b35fb5b07929ad9e5c2bd0b
                      • Instruction Fuzzy Hash: 7611E472A102199FCB10EBA8DD467AE77B5BF88320F10850DF4099B281EFB49E018B90
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00A7D7AF
                      • std::_Lockit::_Lockit.LIBCPMT ref: 00A7D7B9
                      • int.LIBCPMTD ref: 00A7D7D0
                        • Part of subcall function 00A246D0: std::_Lockit::_Lockit.LIBCPMT ref: 00A246E6
                        • Part of subcall function 00A246D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00A24710
                      • codecvt.LIBCPMT ref: 00A7D7F3
                      • std::_Facet_Register.LIBCPMT ref: 00A7D80A
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00A7D82A
                      • Concurrency::cancel_current_task.LIBCPMTD ref: 00A7D837
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                      • String ID:
                      • API String ID: 2133458128-0
                      • Opcode ID: 1f2cae09f6cae387f4a3c7c5a415a3487e0f491656ac1815ec272bc789c2819e
                      • Instruction ID: d2af82807a43eeda4337e703b1766f85a2190a622901e9ef7b5c18a0812098a1
                      • Opcode Fuzzy Hash: 1f2cae09f6cae387f4a3c7c5a415a3487e0f491656ac1815ec272bc789c2819e
                      • Instruction Fuzzy Hash: DB01C4759001169BCB04EBA4DE41AAE7771BF84320F24810DF4156B291CF789A05C7D1
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00A7F927
                      • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00A7F992
                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A7F9AF
                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00A7F9EE
                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A7FA4D
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00A7FA70
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ByteCharMultiStringWide
                      • String ID:
                      • API String ID: 2829165498-0
                      • Opcode ID: 1b4e842e60adcc3e9931b3b71e746cc83688c0de1dff6abb492bd8169ddc6d2d
                      • Instruction ID: a1ee04555f53f000da52357eb070350752b99a25c47ab0745859c03d0a66c87b
                      • Opcode Fuzzy Hash: 1b4e842e60adcc3e9931b3b71e746cc83688c0de1dff6abb492bd8169ddc6d2d
                      • Instruction Fuzzy Hash: 35517B72A0020ABFEF219FA4CC45FAB7BB9EB44790F14C529F91DA6150DB748A11CB60
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: x
                      • API String ID: 0-2363233923
                      • Opcode ID: 0f5c6de11b95a8a74b7e562c3f64d376e0fbb4b5d7f39440b7c323e9dba4ef53
                      • Instruction ID: 1fd15ba1b90b4ff0cf58d797a643994460ed9cf4a086800f40b4abcec225a7ae
                      • Opcode Fuzzy Hash: 0f5c6de11b95a8a74b7e562c3f64d376e0fbb4b5d7f39440b7c323e9dba4ef53
                      • Instruction Fuzzy Hash: 8A02B078E00289EFCB41DF99D984AADBBF4FF09304F048456E966EB250D774AA11CF52
                      APIs
                      • GetLastError.KERNEL32(?,?,00A82FA1,00A816DC,00A80672), ref: 00A82FB8
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A82FC6
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A82FDF
                      • SetLastError.KERNEL32(00000000,00A82FA1,00A816DC,00A80672), ref: 00A83031
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,B35EB3F9,?,?,00000000,00A98AEC,000000FF,?,00A880A8,?,?,00A8807C,00000000), ref: 00A88101
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,00000000,00A98AEC,000000FF,?,00A880A8,?,?,00A8807C,00000000), ref: 00A88113
                      • FreeLibrary.KERNEL32(00000000,?,00000000,00A98AEC,000000FF,?,00A880A8,?,?,00A8807C,00000000), ref: 00A88135
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 00A21E40
                      • int.LIBCPMTD ref: 00A21E59
                        • Part of subcall function 00A246D0: std::_Lockit::_Lockit.LIBCPMT ref: 00A246E6
                        • Part of subcall function 00A246D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00A24710
                      • Concurrency::cancel_current_task.LIBCPMTD ref: 00A21E99
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00A21F01
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
                      • String ID:
                      • API String ID: 3053331623-0
                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 00A21F40
                      • int.LIBCPMTD ref: 00A21F59
                        • Part of subcall function 00A246D0: std::_Lockit::_Lockit.LIBCPMT ref: 00A246E6
                        • Part of subcall function 00A246D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00A24710
                      • Concurrency::cancel_current_task.LIBCPMTD ref: 00A21F99
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00A22001
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
                      • String ID:
                      • API String ID: 3053331623-0
                      APIs
                      • __EH_prolog3.LIBCMT ref: 00A7CE44
                      • std::_Lockit::_Lockit.LIBCPMT ref: 00A7CE4F
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00A7CEBD
                        • Part of subcall function 00A7CFA0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00A7CFB8
                      • std::locale::_Setgloballocale.LIBCPMT ref: 00A7CE6A
                      • _Yarn.LIBCPMT ref: 00A7CE80
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                      • String ID:
                      • API String ID: 1088826258-0
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00A84023,00000000,?,00AAB824,?,?,?,00A841C6,00000004,InitializeCriticalSectionEx,00A9B270,InitializeCriticalSectionEx), ref: 00A8407F
                      • GetLastError.KERNEL32(?,00A84023,00000000,?,00AAB824,?,?,?,00A841C6,00000004,InitializeCriticalSectionEx,00A9B270,InitializeCriticalSectionEx,00000000,?,00A83F7D), ref: 00A84089
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00A840B1
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID: api-ms-
                      • API String ID: 3177248105-2084034818
                      APIs
                      • GetConsoleOutputCP.KERNEL32(B35EB3F9,00000000,00000000,00000000), ref: 00A8F4FA
                        • Part of subcall function 00A91EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A8EF8D,?,00000000,-00000008), ref: 00A91F1E
                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A8F74C
                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00A8F792
                      • GetLastError.KERNEL32 ref: 00A8F835
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                      • String ID:
                      • API String ID: 2112829910-0
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: AdjustPointer
                      • String ID:
                      • API String ID: 1740715915-0
                      APIs
                        • Part of subcall function 00A91EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A8EF8D,?,00000000,-00000008), ref: 00A91F1E
                      • GetLastError.KERNEL32 ref: 00A922DE
                      • __dosmaperr.LIBCMT ref: 00A922E5
                      • GetLastError.KERNEL32(?,?,?,?), ref: 00A9231F
                      • __dosmaperr.LIBCMT ref: 00A92326
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                      • String ID:
                      • API String ID: 1913693674-0
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 00A93226
                        • Part of subcall function 00A91EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A8EF8D,?,00000000,-00000008), ref: 00A91F1E
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A9325E
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A9327E
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                      • String ID:
                      • API String ID: 158306478-0
                      APIs
                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00A96B6B,00000000,00000001,0000000C,00000000,?,00A8F889,00000000,00000000,00000000), ref: 00A97C52
                      • GetLastError.KERNEL32(?,00A96B6B,00000000,00000001,0000000C,00000000,?,00A8F889,00000000,00000000,00000000,00000000,00000000,?,00A8FE2C,?), ref: 00A97C5E
                        • Part of subcall function 00A97C24: CloseHandle.KERNEL32(FFFFFFFE,00A97C6E,?,00A96B6B,00000000,00000001,0000000C,00000000,?,00A8F889,00000000,00000000,00000000,00000000,00000000), ref: 00A97C34
                      • ___initconout.LIBCMT ref: 00A97C6E
                        • Part of subcall function 00A97BE6: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00A97C15,00A96B58,00000000,?,00A8F889,00000000,00000000,00000000,00000000), ref: 00A97BF9
                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00A96B6B,00000000,00000001,0000000C,00000000,?,00A8F889,00000000,00000000,00000000,00000000), ref: 00A97C83
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                      • String ID:
                      • API String ID: 2744216297-0
                      APIs
                        • Part of subcall function 03CD3508: EnterCriticalSection.KERNEL32(03CD84D4,?,?,03CD3BE5,?,03CD2251), ref: 03CD3512
                        • Part of subcall function 03CD3508: GetProcessHeap.KERNEL32(00000008,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD351B
                        • Part of subcall function 03CD3508: HeapAlloc.KERNEL32(00000000,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD3522
                        • Part of subcall function 03CD3508: LeaveCriticalSection.KERNEL32(03CD84D4,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD352B
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 03CD2E3D
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalHeapSection$AllocByteCharEnterLeaveMultiProcessWide
                      • String ID: x
                      • API String ID: 2065145328-2363233923
                      APIs
                      • __startOneArgErrorHandling.LIBCMT ref: 00A8BC8D
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: ErrorHandling__start
                      • String ID: pow
                      • API String ID: 3213639722-2276729525
                      APIs
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00A82DEF
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00A82EA3
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: CurrentImageNonwritable___except_validate_context_record
                      • String ID: csm
                      • API String ID: 3480331319-1018135373
                      APIs
                      • EncodePointer.KERNEL32(00000000,?), ref: 00A836AB
                      Memory Dump Source
                      • Source File: 00000009.00000002.2832876060.0000000000A21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00A20000, based on PE: true
                      • Associated: 00000009.00000002.2832721509.0000000000A20000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833227365.0000000000AAA000.00000004.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833280609.0000000000AAB000.00000040.00000001.01000000.0000000C.sdmp
                      • Associated: 00000009.00000002.2833310084.0000000000AAC000.00000002.00000001.01000000.0000000C.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_a20000_1B6E.jbxd
                      Similarity
                      • API ID: EncodePointer
                      • String ID: MOC$RCC
                      • API String ID: 2118026453-2084237596
                      APIs
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,00000000,00000000,00000000,?,?,?,03CD3DC1,00000000,?,0000011C), ref: 03CD3D34
                        • Part of subcall function 03CD3508: EnterCriticalSection.KERNEL32(03CD84D4,?,?,03CD3BE5,?,03CD2251), ref: 03CD3512
                        • Part of subcall function 03CD3508: GetProcessHeap.KERNEL32(00000008,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD351B
                        • Part of subcall function 03CD3508: HeapAlloc.KERNEL32(00000000,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD3522
                        • Part of subcall function 03CD3508: LeaveCriticalSection.KERNEL32(03CD84D4,?,?,?,03CD3BE5,?,03CD2251), ref: 03CD352B
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,?,00000000,00000000,?,03CD3DC1,00000000,?,0000011C), ref: 03CD3D6A
                      Memory Dump Source
                      • Source File: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_3cd0000_1B6E.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharCriticalHeapMultiSectionWide$AllocEnterLeaveProcess
                      • String ID: $d.log
                      • API String ID: 1918158005-1910398676

                      Execution Graph

                      Execution Coverage:17.5%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:0%
                      Total number of Nodes:1368
                      Total number of Limit Nodes:27
17 API calls 4597->4598 4599 401a27 ExpandEnvironmentStringsA 4598->4599 4600 401a3b 4599->4600 4602 401a4e 4599->4602 4601 401a40 lstrcmpA 4600->4601 4600->4602 4601->4602 4603 40251e 4604 402c79 17 API calls 4603->4604 4605 402528 4604->4605 4606 402c39 17 API calls 4605->4606 4607 402531 4606->4607 4608 4027c8 4607->4608 4609 40253b RegQueryValueExA 4607->4609 4610 40255b 4609->4610 4613 402561 RegCloseKey 4609->4613 4610->4613 4614 4062e6 wsprintfA 4610->4614 4613->4608 4614->4613 4620 40171f 4621 402c39 17 API calls 4620->4621 4622 401726 SearchPathA 4621->4622 4623 401741 4622->4623 4624 401d1f 4625 402c17 17 API calls 4624->4625 4626 401d26 4625->4626 4627 402c17 17 API calls 4626->4627 4628 401d32 GetDlgItem 4627->4628 4629 402628 4628->4629 4630 402aa0 SendMessageA 4631 402ac5 4630->4631 4632 402aba InvalidateRect 4630->4632 4632->4631 4633 4023a4 4634 4023b2 4633->4634 4635 4023ac 4633->4635 4637 402c39 17 API calls 4634->4637 4639 4023c2 4634->4639 4636 402c39 17 API calls 4635->4636 4636->4634 4637->4639 4638 4023d0 4641 402c39 17 API calls 4638->4641 4639->4638 4640 402c39 17 API calls 4639->4640 4640->4638 4642 4023d9 WritePrivateProfileStringA 4641->4642 3363 4020a5 3364 4020b7 3363->3364 3365 402165 3363->3365 3366 402c39 17 API calls 3364->3366 3368 401423 24 API calls 3365->3368 3367 4020be 3366->3367 3369 402c39 17 API calls 3367->3369 3374 4022ea 3368->3374 3370 4020c7 3369->3370 3371 4020dc LoadLibraryExA 3370->3371 3372 4020cf GetModuleHandleA 3370->3372 3371->3365 3373 4020ec GetProcAddress 3371->3373 3372->3371 3372->3373 3375 402138 3373->3375 3376 4020fb 3373->3376 3377 4054a9 24 API calls 3375->3377 3379 40210b 3376->3379 3381 401423 3376->3381 3377->3379 3379->3374 3380 402159 FreeLibrary 3379->3380 3380->3374 3382 4054a9 24 API calls 3381->3382 3383 401431 3382->3383 3383->3379 4643 402e25 4644 402e34 SetTimer 4643->4644 4645 402e4d 4643->4645 4644->4645 4646 402e9b 4645->4646 4647 402ea1 MulDiv 4645->4647 4648 402e5b wsprintfA 
SetWindowTextA SetDlgItemTextA 4647->4648 4648->4646 4657 402429 4658 402430 4657->4658 4659 40245b 4657->4659 4660 402c79 17 API calls 4658->4660 4661 402c39 17 API calls 4659->4661 4662 402437 4660->4662 4663 402462 4661->4663 4665 402c39 17 API calls 4662->4665 4666 40246f 4662->4666 4668 402cf7 4663->4668 4667 402448 RegDeleteValueA RegCloseKey 4665->4667 4667->4666 4669 402d03 4668->4669 4670 402d0a 4668->4670 4669->4666 4670->4669 4672 402d3b 4670->4672 4673 40620e RegOpenKeyExA 4672->4673 4674 402d69 4673->4674 4675 402d79 RegEnumValueA 4674->4675 4676 402d9c 4674->4676 4683 402e13 4674->4683 4675->4676 4677 402e03 RegCloseKey 4675->4677 4676->4677 4678 402dd8 RegEnumKeyA 4676->4678 4679 402de1 RegCloseKey 4676->4679 4681 402d3b 6 API calls 4676->4681 4677->4683 4678->4676 4678->4679 4680 406794 5 API calls 4679->4680 4682 402df1 4680->4682 4681->4676 4682->4683 4684 402df5 RegDeleteKeyA 4682->4684 4683->4669 4684->4683 4685 4027aa 4686 402c39 17 API calls 4685->4686 4687 4027b1 FindFirstFileA 4686->4687 4688 4027d4 4687->4688 4689 4027c4 4687->4689 4690 4027db 4688->4690 4693 4062e6 wsprintfA 4688->4693 4694 406388 lstrcpynA 4690->4694 4693->4690 4694->4689 4695 403b2c 4696 403b37 4695->4696 4697 403b3b 4696->4697 4698 403b3e GlobalAlloc 4696->4698 4698->4697 4699 401c2e 4700 402c17 17 API calls 4699->4700 4701 401c35 4700->4701 4702 402c17 17 API calls 4701->4702 4703 401c42 4702->4703 4704 402c39 17 API calls 4703->4704 4705 401c57 4703->4705 4704->4705 4706 401c67 4705->4706 4707 402c39 17 API calls 4705->4707 4708 401c72 4706->4708 4709 401cbe 4706->4709 4707->4706 4711 402c17 17 API calls 4708->4711 4710 402c39 17 API calls 4709->4710 4712 401cc3 4710->4712 4713 401c77 4711->4713 4714 402c39 17 API calls 4712->4714 4715 402c17 17 API calls 4713->4715 4716 401ccc FindWindowExA 4714->4716 4717 401c83 4715->4717 4720 401cea 4716->4720 4718 401c90 SendMessageTimeoutA 4717->4718 4719 401cae SendMessageA 4717->4719 4718->4720 4719->4720 4721 40262e 4722 
402633 4721->4722 4723 402647 4721->4723 4724 402c17 17 API calls 4722->4724 4725 402c39 17 API calls 4723->4725 4727 40263c 4724->4727 4726 40264e lstrlenA 4725->4726 4726->4727 4728 402670 4727->4728 4729 405fc2 WriteFile 4727->4729 4729->4728 3175 401932 3176 401934 3175->3176 3181 402c39 3176->3181 3182 402c45 3181->3182 3224 40641b 3182->3224 3185 401939 3187 405b4a 3185->3187 3266 405e08 3187->3266 3190 405b72 DeleteFileA 3220 401942 3190->3220 3191 405b89 3192 405cb7 3191->3192 3280 406388 lstrcpynA 3191->3280 3192->3220 3309 4066ff FindFirstFileA 3192->3309 3194 405baf 3195 405bc2 3194->3195 3196 405bb5 lstrcatA 3194->3196 3281 405d61 lstrlenA 3195->3281 3198 405bc8 3196->3198 3201 405bd6 lstrcatA 3198->3201 3202 405be1 lstrlenA FindFirstFileA 3198->3202 3201->3202 3202->3192 3210 405c05 3202->3210 3205 405d45 CharNextA 3205->3210 3206 405b02 5 API calls 3207 405cf1 3206->3207 3208 405cf5 3207->3208 3209 405d0b 3207->3209 3215 4054a9 24 API calls 3208->3215 3208->3220 3213 4054a9 24 API calls 3209->3213 3210->3205 3211 405c96 FindNextFileA 3210->3211 3219 405b4a 60 API calls 3210->3219 3221 4054a9 24 API calls 3210->3221 3285 406388 lstrcpynA 3210->3285 3286 405b02 3210->3286 3294 4054a9 3210->3294 3305 406161 MoveFileExA 3210->3305 3211->3210 3214 405cae FindClose 3211->3214 3213->3220 3214->3192 3216 405d02 3215->3216 3217 406161 36 API calls 3216->3217 3217->3220 3219->3210 3221->3211 3228 406428 3224->3228 3225 40664d 3226 402c66 3225->3226 3257 406388 lstrcpynA 3225->3257 3226->3185 3241 406666 3226->3241 3228->3225 3229 406627 lstrlenA 3228->3229 3232 40641b 10 API calls 3228->3232 3234 406543 GetSystemDirectoryA 3228->3234 3235 406556 GetWindowsDirectoryA 3228->3235 3236 406666 5 API calls 3228->3236 3237 40658a SHGetSpecialFolderLocation 3228->3237 3238 40641b 10 API calls 3228->3238 3239 4065d0 lstrcatA 3228->3239 3250 40626f 3228->3250 3255 4062e6 wsprintfA 3228->3255 3256 406388 lstrcpynA 3228->3256 3229->3228 3232->3229 3234->3228 3235->3228 
3236->3228 3237->3228 3240 4065a2 SHGetPathFromIDListA CoTaskMemFree 3237->3240 3238->3228 3239->3228 3240->3228 3248 406672 3241->3248 3242 4066da 3243 4066de CharPrevA 3242->3243 3246 4066f9 3242->3246 3243->3242 3244 4066cf CharNextA 3244->3242 3244->3248 3246->3185 3247 4066bd CharNextA 3247->3248 3248->3242 3248->3244 3248->3247 3249 4066ca CharNextA 3248->3249 3262 405d45 3248->3262 3249->3244 3258 40620e 3250->3258 3253 4062a3 RegQueryValueExA RegCloseKey 3254 4062d2 3253->3254 3254->3228 3255->3228 3256->3228 3257->3226 3259 40621d 3258->3259 3260 406221 3259->3260 3261 406226 RegOpenKeyExA 3259->3261 3260->3253 3260->3254 3261->3260 3263 405d4b 3262->3263 3264 405d5e 3263->3264 3265 405d51 CharNextA 3263->3265 3264->3248 3265->3263 3315 406388 lstrcpynA 3266->3315 3268 405e19 3316 405db3 CharNextA CharNextA 3268->3316 3271 405b6a 3271->3190 3271->3191 3272 406666 5 API calls 3278 405e2f 3272->3278 3273 405e5a lstrlenA 3274 405e65 3273->3274 3273->3278 3276 405d1a 3 API calls 3274->3276 3275 4066ff 2 API calls 3275->3278 3277 405e6a GetFileAttributesA 3276->3277 3277->3271 3278->3271 3278->3273 3278->3275 3279 405d61 2 API calls 3278->3279 3279->3273 3280->3194 3282 405d6e 3281->3282 3283 405d73 CharPrevA 3282->3283 3284 405d7f 3282->3284 3283->3282 3283->3284 3284->3198 3285->3210 3322 405ef6 GetFileAttributesA 3286->3322 3289 405b2f 3289->3210 3290 405b25 DeleteFileA 3292 405b2b 3290->3292 3291 405b1d RemoveDirectoryA 3291->3292 3292->3289 3293 405b3b SetFileAttributesA 3292->3293 3293->3289 3295 4054c4 3294->3295 3304 405567 3294->3304 3296 4054e1 lstrlenA 3295->3296 3297 40641b 17 API calls 3295->3297 3298 40550a 3296->3298 3299 4054ef lstrlenA 3296->3299 3297->3296 3301 405510 SetWindowTextA 3298->3301 3302 40551d 3298->3302 3300 405501 lstrcatA 3299->3300 3299->3304 3300->3298 3301->3302 3303 405523 SendMessageA SendMessageA SendMessageA 3302->3303 3302->3304 3303->3304 3304->3210 3306 406182 3305->3306 3307 406175 3305->3307 3306->3210 3325 405ff1 
3307->3325 3310 405cdb 3309->3310 3311 406715 FindClose 3309->3311 3310->3220 3312 405d1a lstrlenA CharPrevA 3310->3312 3311->3310 3313 405d34 lstrcatA 3312->3313 3314 405ce5 3312->3314 3313->3314 3314->3206 3315->3268 3317 405dde 3316->3317 3318 405dce 3316->3318 3320 405d45 CharNextA 3317->3320 3321 405dfe 3317->3321 3318->3317 3319 405dd9 CharNextA 3318->3319 3319->3321 3320->3317 3321->3271 3321->3272 3323 405b0e 3322->3323 3324 405f08 SetFileAttributesA 3322->3324 3323->3289 3323->3290 3323->3291 3324->3323 3326 406017 3325->3326 3327 40603d GetShortPathNameA 3325->3327 3352 405f1b GetFileAttributesA CreateFileA 3326->3352 3329 406052 3327->3329 3330 40615c 3327->3330 3329->3330 3332 40605a wsprintfA 3329->3332 3330->3306 3331 406021 CloseHandle GetShortPathNameA 3331->3330 3333 406035 3331->3333 3334 40641b 17 API calls 3332->3334 3333->3327 3333->3330 3335 406082 3334->3335 3353 405f1b GetFileAttributesA CreateFileA 3335->3353 3337 40608f 3337->3330 3338 40609e GetFileSize GlobalAlloc 3337->3338 3339 4060c0 3338->3339 3340 406155 CloseHandle 3338->3340 3354 405f93 ReadFile 3339->3354 3340->3330 3345 4060f3 3347 405e80 4 API calls 3345->3347 3346 4060df lstrcpyA 3348 406101 3346->3348 3347->3348 3349 406138 SetFilePointer 3348->3349 3361 405fc2 WriteFile 3349->3361 3352->3331 3353->3337 3355 405fb1 3354->3355 3355->3340 3356 405e80 lstrlenA 3355->3356 3357 405ec1 lstrlenA 3356->3357 3358 405ec9 3357->3358 3359 405e9a lstrcmpiA 3357->3359 3358->3345 3358->3346 3359->3358 3360 405eb8 CharNextA 3359->3360 3360->3357 3362 405fe0 GlobalFree 3361->3362 3362->3340 4730 402733 4731 40273a 4730->4731 4734 402a47 4730->4734 4732 402c17 17 API calls 4731->4732 4733 402741 4732->4733 4735 402750 SetFilePointer 4733->4735 4735->4734 4736 402760 4735->4736 4738 4062e6 wsprintfA 4736->4738 4738->4734 4739 401e35 GetDC 4740 402c17 17 API calls 4739->4740 4741 401e47 GetDeviceCaps MulDiv ReleaseDC 4740->4741 4742 402c17 17 API calls 4741->4742 4743 401e78 4742->4743 4744 
40641b 17 API calls 4743->4744 4745 401eb5 CreateFontIndirectA 4744->4745 4746 402628 4745->4746 4747 4014b7 4748 4014bd 4747->4748 4749 401389 2 API calls 4748->4749 4750 4014c5 4749->4750 3558 4015bb 3559 402c39 17 API calls 3558->3559 3560 4015c2 3559->3560 3561 405db3 4 API calls 3560->3561 3562 4015ca 3561->3562 3563 401624 3562->3563 3564 405d45 CharNextA 3562->3564 3574 40160c GetFileAttributesA 3562->3574 3575 4015f3 3562->3575 3579 405a09 3562->3579 3587 4059ec CreateDirectoryA 3562->3587 3565 401652 3563->3565 3566 401629 3563->3566 3564->3562 3568 401423 24 API calls 3565->3568 3567 401423 24 API calls 3566->3567 3569 401630 3567->3569 3576 40164a 3568->3576 3578 406388 lstrcpynA 3569->3578 3573 40163b SetCurrentDirectoryA 3573->3576 3574->3562 3575->3562 3582 40596f CreateDirectoryA 3575->3582 3578->3573 3590 406794 GetModuleHandleA 3579->3590 3583 4059c0 GetLastError 3582->3583 3584 4059bc 3582->3584 3583->3584 3585 4059cf SetFileSecurityA 3583->3585 3584->3575 3585->3584 3586 4059e5 GetLastError 3585->3586 3586->3584 3588 405a00 GetLastError 3587->3588 3589 4059fc 3587->3589 3588->3589 3589->3562 3591 4067b0 3590->3591 3592 4067ba GetProcAddress 3590->3592 3596 406726 GetSystemDirectoryA 3591->3596 3594 405a10 3592->3594 3594->3562 3595 4067b6 3595->3592 3595->3594 3597 406748 wsprintfA LoadLibraryExA 3596->3597 3597->3595 4751 40453b lstrcpynA lstrlenA 4752 4016bb 4753 402c39 17 API calls 4752->4753 4754 4016c1 GetFullPathNameA 4753->4754 4755 4016d8 4754->4755 4761 4016f9 4754->4761 4757 4066ff 2 API calls 4755->4757 4755->4761 4756 40170d GetShortPathNameA 4758 402ac5 4756->4758 4759 4016e9 4757->4759 4759->4761 4762 406388 lstrcpynA 4759->4762 4761->4756 4761->4758 4762->4761 4763 406ebd 4765 40690c 4763->4765 4764 407277 4765->4764 4765->4765 4766 406996 GlobalAlloc 4765->4766 4767 40698d GlobalFree 4765->4767 4768 406a04 GlobalFree 4765->4768 4769 406a0d GlobalAlloc 4765->4769 4766->4764 4766->4765 4767->4766 4768->4769 4769->4764 4769->4765

                      Control-flow Graph

                      Function at 0x4034CC (entry block 4034CC-40351C). The graph is drawn as a diagram in the original report; its node and edge list is not reproduced. Besides the API call sites listed under APIs below, the blocks call the internal routines at 0x406794 (the GetModuleHandleA/LoadLibraryExA + GetProcAddress resolver), 0x406726, 0x406388, 0x405D45, 0x40349B, 0x402F5C, 0x403B6E, 0x405A9E, 0x405E08, 0x405A09, 0x40596F, 0x4059EC, 0x40641B, 0x406161, 0x405A21 and 0x40140B. Two paths worth reading off the edges: the temporary-directory chain, where 403791 (GetTempPathA, check at 0x40349B) continues either to 403803 (DeleteFileA) or to the fallback 4037AD (GetWindowsDirectoryA + "\Temp"), then 4037CD (GetTempPathA + "Low", SetEnvironmentVariableA for TEMP and TMP), with the last fallback also able to leave through 4038AE (ExitProcess); and the reboot branch 4039F0 (GetCurrentProcess, OpenProcessToken) to 403A07 (LookupPrivilegeValueA SeShutdownPrivilege, AdjustTokenPrivileges) to 403A36 to 403A52 (ExitWindowsEx).
                      APIs
                      • SetErrorMode.KERNELBASE(00008001), ref: 004034EF
                      • GetVersionExA.KERNEL32(?), ref: 00403518
                      • GetVersionExA.KERNEL32(0000009C), ref: 0040352F
                      • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
                      • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
                      • OleInitialize.OLE32(00000000), ref: 0040363C
                      • SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
                      • GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
                      • CharNextA.USER32(00000000,"C:\Users\user\AppData\Local\Temp\setup.exe",00000020,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,00000007,00000009,0000000B), ref: 004036A9
                      • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
                      • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
                      • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
                      • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
                      • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
                      • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403808
                      • ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
                      • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
                      • ExitProcess.KERNEL32 ref: 004038D4
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403901
                      • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp), ref: 0040390D
                      • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
                      • DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
                      • CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,0041F910,00000001), ref: 0040399B
                      • CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
                      • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
                      • OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
                      • ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
                      • ExitProcess.KERNEL32 ref: 00403A76
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                      • String ID: "$"C:\Users\user\AppData\Local\Temp\setup.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                      • API String ID: 2882342585-56685449
                      • Opcode ID: 52eec0119052631d70130b9923c1eece19bfae2d8fd8cd18d56f0b379d03721e
                      • Instruction ID: 1a4863036e4e50ed5e1acae1e6299f6db15da00d6e87979e5214c03ba8a99dba
                      • Opcode Fuzzy Hash: 52eec0119052631d70130b9923c1eece19bfae2d8fd8cd18d56f0b379d03721e
                      • Instruction Fuzzy Hash: 99E1D270A04354AADB21AF659D49B6F7EB89F86306F0540BFF441B61D2CB7C4A05CB2E

                      Control-flow Graph

                      Function at 0x405B4A (entry block 405B4A-405B70, which first calls 0x405E08). The graph is drawn as a diagram in the original report; its node and edge list is not reproduced. The routine either deletes a single file (405B72, DeleteFileA) or appends "\*.*" to the path (405BB5, lstrcatA), enumerates it with FindFirstFileA (405BE1) and FindNextFileA (405C96), and for each entry either calls the helper at 0x405B02 (405C62) or re-enters itself (block 405C57-405C60 call 405B4A), so directories are removed recursively; the handle is released at 405CAE (FindClose). Other internal callees: 0x406388, 0x405D61, 0x4066FF, 0x405D1A, 0x4054A9 and 0x406161.
                      APIs
                      • DeleteFileA.KERNELBASE(?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405B73
                      • lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BBB
                      • lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BDC
                      • lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BE2
                      • FindFirstFileA.KERNELBASE(00421D58,?,?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BF3
                      • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
                      • FindClose.KERNEL32(00000000), ref: 00405CB1
                      Strings
                      • \*.*, xrefs: 00405BB5
                      • "C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00405B53
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                      • String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$\*.*
                      • API String ID: 2035342205-2430568624
                      • Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
                      • Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
                      • Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
                      • Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69
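
The two API listings above, for the routine at 0x4034CC (temporary-directory setup, the CopyFileA of setup.exe, and the SeShutdownPrivilege/ExitWindowsEx path) and for the directory-walking routine at 0x405B4A ("\*.*" enumeration with DeleteFileA), are the parts of this dump a triage analyst would turn into a behavioural check. The Python below is an added example and is not code from the Joe Sandbox report or from NSIS: it parses lines in the `• Name.MODULE(args), ref: ADDR` form exactly as printed above and matches three rules over the resulting call list. The embedded input lines are copied verbatim from the two listings; the line grammar beyond those lines, the rule ids, and the ordered/unordered matching semantics are my assumptions.

```python
"""Parse the report's per-function "APIs" lines and flag three behaviours seen in the
listings above. Added example, not Joe Sandbox or NSIS code; the line grammar is
inferred from the visible lines, and the rules and matching semantics are assumptions."""
import csv
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "• Name.MODULE(args), ref: ADDR" and the argument-less "• Name.MODULE ref: ADDR".
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<name>[#\w]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{6,8})\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str      # module the sandbox attributes the call to (KERNEL32 vs KERNELBASE)
    args: List[str]  # arguments as printed; "?" marks a value the sandbox did not resolve
    ref: int         # call-site address inside the dumped image


def _split_args(raw: str) -> List[str]:
    """Comma-separated, with double-quoted fields (paths) allowed to contain commas."""
    return next(csv.reader([raw])) if raw else []


def parse_api_lines(text: str) -> List[ApiCall]:
    """Keep the report's order: ascending call-site address, not execution order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append(ApiCall(m["name"], m["module"],
                                 _split_args(m["args"] or ""), int(m["ref"], 16)))
    return calls


@dataclass
class Rule:
    rid: str
    steps: List[Tuple[str, Optional[str]]]  # (API name, substring an argument must contain)
    ordered: bool = True                     # True: each step must follow the previous match


def match_rule(rule: Rule, calls: List[ApiCall]) -> Optional[List[int]]:
    """Return the call-site address matched by each step, or None if a step is absent."""
    refs, start = [], 0
    for api, needle in rule.steps:
        hit = None
        for i in range(start, len(calls)):
            c = calls[i]
            if c.name == api and (needle is None or any(needle in a for a in c.args)):
                hit = i
                break
        if hit is None:
            return None
        refs.append(calls[hit].ref)
        if rule.ordered:
            start = hit + 1
    return refs


RULES = [
    # TEMP redirected, then an .exe copied: the relocation at 0x4037A2..0x40399B above.
    Rule("temp_redirect_copy", [("GetTempPathA", None), ("SetEnvironmentVariableA", "TEMP"),
                                ("CopyFileA", ".exe")]),
    # SeShutdownPrivilege acquired and ExitWindowsEx issued: the path at 0x403A11..0x403A55.
    Rule("shutdown_privilege_reboot", [("LookupPrivilegeValueA", "SeShutdownPrivilege"),
                                       ("AdjustTokenPrivileges", None), ("ExitWindowsEx", None)]),
    # "\*.*" appended to a directory, enumerated, entries deleted: the routine at 0x405B4A.
    Rule("recursive_delete", [("lstrcatA", r"\*.*"), ("FindFirstFileA", None),
                              ("FindNextFileA", None), ("DeleteFileA", None)], ordered=False),
]


def scan(text: str) -> Dict[str, List[int]]:
    """Map each matching rule id to the call-site addresses that satisfied its steps."""
    calls = parse_api_lines(text)
    hits = {}
    for rule in RULES:
        refs = match_rule(rule, calls)
        if refs is not None:
            hits[rule.rid] = refs
    return hits


# Input copied verbatim from the "APIs" lists above for the functions at 0x4034CC and 0x405B4A.
FUNC_4034CC_APIS = r"""
• SetErrorMode.KERNELBASE(00008001), ref: 004034EF
• GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
• ExitProcess.KERNEL32 ref: 004038D4
• CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,0041F910,00000001), ref: 0040399B
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
"""
FUNC_405B4A_APIS = r"""
• DeleteFileA.KERNELBASE(?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405B73
• lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BBB
• FindFirstFileA.KERNELBASE(00421D58,?,?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BF3
• FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
• FindClose.KERNEL32(00000000), ref: 00405CB1
"""
```

`scan(FUNC_4034CC_APIS)` reports `temp_redirect_copy` and `shutdown_privilege_reboot` with the call sites 0x4037A2/0x4037EC/0x40399B and 0x403A11/0x403A30/0x403A55; `scan(FUNC_405B4A_APIS)` reports only `recursive_delete`. Because the report lists call sites by address, an ordered rule tests static layout rather than runtime order; run the same rules over a sandbox API trace when the sequence itself is the question. The module field is kept because the listing distinguishes calls resolved in KERNELBASE from those in KERNEL32, which matters when deciding where a user-mode hook has to sit.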

                      Control-flow Graph

                      Function at 0x406A88 (entry block 406A88-406A8D; the loop head at 0x40690C belongs to the same body). The graph is drawn as a diagram in the original report; its node and edge list is not reproduced. Dense, branch-heavy code with no API call sites other than GlobalFree and GlobalAlloc (blocks 40698D/406996 and 406A04/406A0D, which release and re-acquire a buffer). No strings are referenced, so the Similarity fields below are empty.
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
                      • Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
                      • Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
                      • Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 720 4066ff-406713 FindFirstFileA 721 406720 720->721 722 406715-40671e FindClose 720->722 723 406722-406723 721->723 722->723
                      APIs
                      • FindFirstFileA.KERNELBASE(74DF3410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0), ref: 0040670A
                      • FindClose.KERNEL32(00000000), ref: 00406716
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Find$CloseFileFirst
                      • String ID: C:\
                      • API String ID: 2295610775-3404278061
                      • Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                      • Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
                      • Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                      • Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 142 403b6e-403b86 call 406794 145 403b88-403b98 call 4062e6 142->145 146 403b9a-403bcb call 40626f 142->146 154 403bee-403c17 call 403e33 call 405e08 145->154 150 403be3-403be9 lstrcatA 146->150 151 403bcd-403bde call 40626f 146->151 150->154 151->150 160 403c1d-403c22 154->160 161 403c9e-403ca6 call 405e08 154->161 160->161 162 403c24-403c48 call 40626f 160->162 166 403cb4-403cd9 LoadImageA 161->166 167 403ca8-403caf call 40641b 161->167 162->161 172 403c4a-403c4c 162->172 170 403d5a-403d62 call 40140b 166->170 171 403cdb-403d0b RegisterClassA 166->171 167->166 185 403d64-403d67 170->185 186 403d6c-403d77 call 403e33 170->186 175 403d11-403d55 SystemParametersInfoA CreateWindowExA 171->175 176 403e29 171->176 173 403c5d-403c69 lstrlenA 172->173 174 403c4e-403c5b call 405d45 172->174 180 403c91-403c99 call 405d1a call 406388 173->180 181 403c6b-403c79 lstrcmpiA 173->181 174->173 175->170 179 403e2b-403e32 176->179 180->161 181->180 184 403c7b-403c85 GetFileAttributesA 181->184 188 403c87-403c89 184->188 189 403c8b-403c8c call 405d61 184->189 185->179 195 403e00-403e08 call 40557b 186->195 196 403d7d-403d97 ShowWindow call 406726 186->196 188->180 188->189 189->180 201 403e22-403e24 call 40140b 195->201 202 403e0a-403e10 195->202 203 403da3-403db5 GetClassInfoA 196->203 204 403d99-403d9e call 406726 196->204 201->176 202->185 209 403e16-403e1d call 40140b 202->209 207 403db7-403dc7 GetClassInfoA RegisterClassA 203->207 208 403dcd-403dfe DialogBoxParamA call 40140b call 403abe 203->208 204->203 207->208 208->179 209->185
                      APIs
                        • Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
                        • Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
                      • lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403BE9
                      • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,?,?,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000000,C:\Users\user\AppData\Roaming\GamePall,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74DF3410), ref: 00403C5E
                      • lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
                      • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403C7C
                      • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\GamePall), ref: 00403CC5
                        • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
                      • RegisterClassA.USER32(00423EE0), ref: 00403D02
                      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
                      • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
                      • ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403D85
                      • GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
                      • GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
                      • RegisterClassA.USER32(00423EE0), ref: 00403DC7
                      • DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                      • String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
                      • API String ID: 1975747703-4005560175
                      • Opcode ID: e590d0c5fa98f393744fb4f016bdb4800495c857999addaceec8a385476c3f6f
                      • Instruction ID: 5836c5bb6a6ef8c4ff0aed12ec42ff3eebf2d58129c507535c8ab2622d1094a3
                      • Opcode Fuzzy Hash: e590d0c5fa98f393744fb4f016bdb4800495c857999addaceec8a385476c3f6f
                      • Instruction Fuzzy Hash: 4F61D670204200AED620AF65AD45F3B3A7CEB8574AF41453FF951B62E2CB7D9D028B6D

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 216 402f5c-402faa GetTickCount GetModuleFileNameA call 405f1b 219 402fb6-402fe4 call 406388 call 405d61 call 406388 GetFileSize 216->219 220 402fac-402fb1 216->220 228 402fea 219->228 229 4030cf-4030dd call 402ebd 219->229 221 4031f6-4031fa 220->221 231 402fef-403006 228->231 235 4030e3-4030e6 229->235 236 4031ae-4031b3 229->236 233 403008 231->233 234 40300a-403013 call 40346e 231->234 233->234 243 403019-403020 234->243 244 40316a-403172 call 402ebd 234->244 238 403112-40315e GlobalAlloc call 4068b9 call 405f4a CreateFileA 235->238 239 4030e8-403100 call 403484 call 40346e 235->239 236->221 265 403160-403165 238->265 266 403174-4031a4 call 403484 call 4031fd 238->266 239->236 267 403106-40310c 239->267 248 403022-403036 call 405ed6 243->248 249 40309c-4030a0 243->249 244->236 255 4030aa-4030b0 248->255 263 403038-40303f 248->263 254 4030a2-4030a9 call 402ebd 249->254 249->255 254->255 256 4030b2-4030bc call 40684b 255->256 257 4030bf-4030c7 255->257 256->257 257->231 264 4030cd 257->264 263->255 270 403041-403048 263->270 264->229 265->221 277 4031a9-4031ac 266->277 267->236 267->238 270->255 272 40304a-403051 270->272 272->255 274 403053-40305a 272->274 274->255 276 40305c-40307c 274->276 276->236 278 403082-403086 276->278 277->236 279 4031b5-4031c6 277->279 280 403088-40308c 278->280 281 40308e-403096 278->281 282 4031c8 279->282 283 4031ce-4031d3 279->283 280->264 280->281 281->255 285 403098-40309a 281->285 282->283 284 4031d4-4031da 283->284 284->284 286 4031dc-4031f4 call 405ed6 284->286 285->255 286->221
                      APIs
                      • GetTickCount.KERNEL32 ref: 00402F70
                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\setup.exe,00000400), ref: 00402F8C
                        • Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
                        • Part of subcall function 00405F1B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                      • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00402FD5
                      • GlobalAlloc.KERNEL32(00000040,00000009), ref: 00403117
                      Strings
                      • C:\Users\user\AppData\Local\Temp, xrefs: 00402FB7, 00402FBC, 00402FC2
                      • Inst, xrefs: 00403041
                      • soft, xrefs: 0040304A
                      • "C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00402F65
                      • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160
                      • Error launching installer, xrefs: 00402FAC
                      • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004031AE
                      • C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
                      • Null, xrefs: 00403053
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                      • String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                      • API String ID: 2803837635-1937576205
                      • Opcode ID: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
                      • Instruction ID: 8a05da1d373fd2b3e089436e62a275652004ed3b6aa6cfe031be989f12afac8e
                      • Opcode Fuzzy Hash: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
                      • Instruction Fuzzy Hash: 0771E231A01218ABDB20EF65DD85B9E7BACEB44356F10813BF910BA2C1D77C9E458B5C

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 289 40641b-406426 290 406428-406437 289->290 291 406439-40644f 289->291 290->291 292 406643-406647 291->292 293 406455-406460 291->293 294 406472-40647c 292->294 295 40664d-406657 292->295 293->292 296 406466-40646d 293->296 294->295 299 406482-406489 294->299 297 406662-406663 295->297 298 406659-40665d call 406388 295->298 296->292 298->297 301 406636 299->301 302 40648f-4064c3 299->302 303 406640-406642 301->303 304 406638-40663e 301->304 305 4065e3-4065e6 302->305 306 4064c9-4064d3 302->306 303->292 304->292 307 406616-406619 305->307 308 4065e8-4065eb 305->308 309 4064f0 306->309 310 4064d5-4064de 306->310 314 406627-406634 lstrlenA 307->314 315 40661b-406622 call 40641b 307->315 311 4065fb-406607 call 406388 308->311 312 4065ed-4065f9 call 4062e6 308->312 313 4064f7-4064fe 309->313 310->309 316 4064e0-4064e3 310->316 327 40660c-406612 311->327 312->327 319 406500-406502 313->319 320 406503-406505 313->320 314->292 315->314 316->309 317 4064e5-4064e8 316->317 317->309 323 4064ea-4064ee 317->323 319->320 325 406507-40652a call 40626f 320->325 326 40653e-406541 320->326 323->313 337 406530-406539 call 40641b 325->337 338 4065ca-4065ce 325->338 330 406551-406554 326->330 331 406543-40654f GetSystemDirectoryA 326->331 327->314 329 406614 327->329 333 4065db-4065e1 call 406666 329->333 335 4065c1-4065c3 330->335 336 406556-406564 GetWindowsDirectoryA 330->336 334 4065c5-4065c8 331->334 333->314 334->333 334->338 335->334 339 406566-406570 335->339 336->335 337->334 338->333 344 4065d0-4065d6 lstrcatA 338->344 341 406572-406575 339->341 342 40658a-4065a0 SHGetSpecialFolderLocation 339->342 341->342 346 406577-40657e 341->346 347 4065a2-4065bc SHGetPathFromIDListA CoTaskMemFree 342->347 348 4065be 342->348 344->333 350 406586-406588 346->350 347->334 347->348 348->335 350->334 350->342
                      APIs
                      • GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000400), ref: 00406549
                      • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
                      • SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
                      • SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe), ref: 004065A6
                      • CoTaskMemFree.OLE32(00000000), ref: 004065B2
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
                      • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                      • String ID: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                      • API String ID: 717251189-2103940979
                      • Opcode ID: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
                      • Instruction ID: f38e20b3a3e0c1a2470d5ac0c6d90f06be75126661b475aa23e0086d5b044b98
                      • Opcode Fuzzy Hash: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
                      • Instruction Fuzzy Hash: 9F612370900114AEDF205F24EC90BBA3BA4EB52314F52403FE913B62D1D37D8A62DB4E

                      Control-flow Graph

                      APIs
                      • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall,00000000,00000000,00000031), ref: 00401798
                      • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000000,00000000,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall,00000000,00000000,00000031), ref: 004017C2
                        • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                        • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                        • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                      • String ID: C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
                      • API String ID: 1941528284-2333790722
                      • Opcode ID: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
                      • Instruction ID: 0d76be79c55a0237b493b10f9ec5be6125ba7ce9be49b25e4c886387d44134cc
                      • Opcode Fuzzy Hash: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
                      • Instruction Fuzzy Hash: E141B731900615BBCB107BB5CC45DAF3668EF45329B61833BF422F10E1D67C8A529AAE

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 487 406726-406746 GetSystemDirectoryA 488 406748 487->488 489 40674a-40674c 487->489 488->489 490 40675c-40675e 489->490 491 40674e-406756 489->491 493 40675f-406791 wsprintfA LoadLibraryExA 490->493 491->490 492 406758-40675a 491->492 492->493
                      APIs
                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
                      • wsprintfA.USER32 ref: 00406776
                      • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: DirectoryLibraryLoadSystemwsprintf
                      • String ID: %s%s.dll$UXTHEME$\
                      • API String ID: 2200240437-4240819195
                      • Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                      • Instruction ID: 0c3db372634d2cfba6f48721b0c795b31ebca02323a8b7d7371d162bf0ec7b9a
                      • Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                      • Instruction Fuzzy Hash: FBF0FC7050021966DB15A764DD0DFEA365CAB08309F1404BEA586E20C1D6B8D5258B69

                      Control-flow Graph

                      APIs
                      • GlobalAlloc.KERNELBASE(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
                      • GlobalFree.KERNEL32(?), ref: 004028A4
                      • GlobalFree.KERNEL32(00000000), ref: 004028B7
                      • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
                      • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Global$AllocFree$ChangeCloseDeleteFileFindNotification
                      • String ID:
                      • API String ID: 2989416154-0
                      • Opcode ID: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
                      • Instruction ID: cd924008ac91bdcd896aacfcc8aadc4f9c7de1b4393fc14a433ce499bdbf1d56
                      • Opcode Fuzzy Hash: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
                      • Instruction Fuzzy Hash: D931AC32800128ABDF216FA5DE49D9E7A75FF08364F24423AF450B62D0CB7949419F68

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 530 4020a5-4020b1 531 4020b7-4020cd call 402c39 * 2 530->531 532 40216c-40216e 530->532 541 4020dc-4020ea LoadLibraryExA 531->541 542 4020cf-4020da GetModuleHandleA 531->542 534 4022e5-4022ea call 401423 532->534 540 402ac5-402ad4 534->540 544 4020ec-4020f9 GetProcAddress 541->544 545 402165-402167 541->545 542->541 542->544 547 402138-40213d call 4054a9 544->547 548 4020fb-402101 544->548 545->534 552 402142-402145 547->552 550 402103-40210f call 401423 548->550 551 40211a-40212e 548->551 550->552 561 402111-402118 550->561 554 402133-402136 551->554 552->540 555 40214b-402153 call 403b0e 552->555 554->552 555->540 560 402159-402160 FreeLibrary 555->560 560->540 561->552
                      APIs
                      • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020D0
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                        • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                        • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                      • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020E0
                      • GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
                      • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                      • String ID: pVn
                      • API String ID: 2987980305-3982165967
                      • Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
                      • Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
                      • Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
                      • Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E

                      Control-flow Graph

                      control_flow_graph 562 405f4a-405f54 563 405f55-405f80 GetTickCount GetTempFileNameA 562->563 564 405f82-405f84 563->564 565 405f8f-405f91 563->565 564->563 566 405f86 564->566 567 405f89-405f8c 565->567 566->567
                      APIs
                      • GetTickCount.KERNEL32 ref: 00405F5E
                      • GetTempFileNameA.KERNELBASE(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CountFileNameTempTick
                      • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                      • API String ID: 1716503409-678247507
                      • Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                      • Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
                      • Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                      • Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798

                      Control-flow Graph

                      control_flow_graph 568 403a7c-403a8b 569 403a97-403a9f 568->569 570 403a8d-403a90 CloseHandle 568->570 571 403aa1-403aa4 CloseHandle 569->571 572 403aab-403ab7 call 403ad9 call 405b4a 569->572 570->569 571->572 576 403abc-403abd 572->576
                      APIs
                      • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
                      • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2
                      Strings
                      • C:\Users\user\AppData\Local\Temp\nsiA896.tmp\, xrefs: 00403AB2
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsiA896.tmp\
                      • API String ID: 2962429428-2492047386
                      • Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
                      • Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
                      • Opcode Fuzzy Hash: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
                      • Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9

                      Control-flow Graph

                      control_flow_graph 661 4015bb-4015ce call 402c39 call 405db3 666 4015d0-4015e3 call 405d45 661->666 667 401624-401627 661->667 675 4015e5-4015e8 666->675 676 4015fb-4015fc call 4059ec 666->676 669 401652-4022ea call 401423 667->669 670 401629-401644 call 401423 call 406388 SetCurrentDirectoryA 667->670 683 402ac5-402ad4 669->683 670->683 690 40164a-40164d 670->690 675->676 680 4015ea-4015f1 call 405a09 675->680 682 401601-401603 676->682 680->676 693 4015f3-4015f9 call 40596f 680->693 686 401605-40160a 682->686 687 40161a-401622 682->687 691 401617 686->691 692 40160c-401615 GetFileAttributesA 686->692 687->666 687->667 690->683 691->687 692->687 692->691 693->682
                      APIs
                        • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
                        • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
                        • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
                      • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                        • Part of subcall function 0040596F: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                      • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\GamePall,00000000,00000000,000000F0), ref: 0040163C
                      Strings
                      • C:\Users\user\AppData\Roaming\GamePall, xrefs: 00401631
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CharNext$Directory$AttributesCreateCurrentFile
                      • String ID: C:\Users\user\AppData\Roaming\GamePall
                      • API String ID: 1892508949-2308708932
                      • Opcode ID: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
                      • Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
                      • Opcode Fuzzy Hash: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
                      • Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E

                      Control-flow Graph

                      control_flow_graph 697 405e08-405e23 call 406388 call 405db3 702 405e25-405e27 697->702 703 405e29-405e36 call 406666 697->703 704 405e7b-405e7d 702->704 707 405e42-405e44 703->707 708 405e38-405e3c 703->708 709 405e5a-405e63 lstrlenA 707->709 708->702 710 405e3e-405e40 708->710 711 405e65-405e79 call 405d1a GetFileAttributesA 709->711 712 405e46-405e4d call 4066ff 709->712 710->702 710->707 711->704 717 405e54-405e55 call 405d61 712->717 718 405e4f-405e52 712->718 717->709 718->702 718->717
                      APIs
                        • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
                        • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
                        • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
                        • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
                      • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405E5B
                      • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0), ref: 00405E6B
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CharNext$AttributesFilelstrcpynlstrlen
                      • String ID: C:\
                      • API String ID: 3248276644-3404278061
                      • Opcode ID: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
                      • Instruction ID: eca821d8ca18e415d707ee210574ba5bb9731226a542ad11e9256983d04766a4
                      • Opcode Fuzzy Hash: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
                      • Instruction Fuzzy Hash: F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
                      • Instruction ID: 14484b0326c8a5630d33184448731c7578348ec986130544f859662fecd3ad08
                      • Opcode Fuzzy Hash: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
                      • Instruction Fuzzy Hash: 04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
                      • Instruction ID: 16a3963220edad981734dfbd86db7ae4535d0e52bcc7a87e0ef86c627c8cfaa4
                      • Opcode Fuzzy Hash: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
                      • Instruction Fuzzy Hash: 2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
                      • Instruction ID: e981be8a744509f315cfd76b32476d9c10b76e0a4aa84739a8d113cb33934a41
                      • Opcode Fuzzy Hash: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
                      • Instruction Fuzzy Hash: 37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
                      • Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
                      • Opcode Fuzzy Hash: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
                      • Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
                      • Instruction ID: 516ab04208dd2bc2fd7cdea6c41d3130492ff38fa800e35acf718bd73fbf6333
                      • Opcode Fuzzy Hash: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
                      • Instruction Fuzzy Hash: A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
                      • Instruction ID: 835baf8de871759411e2c74e4a47f0112f02d54065241c3c7dcda5dc236b3f46
                      • Opcode Fuzzy Hash: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
                      • Instruction Fuzzy Hash: 92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
                      • Instruction ID: ccec74d0ee3a806077926e8984c2e201e8b1f3d886c73ab216be699138b2bca7
                      • Opcode Fuzzy Hash: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
                      • Instruction Fuzzy Hash: 39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45
                      APIs
                      • GetTickCount.KERNEL32 ref: 00403319
                        • Part of subcall function 00403484: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403182,?), ref: 00403492
                      • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
                      • SetFilePointer.KERNELBASE(155C335B,00000000,00000000,004138F8,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: FilePointer$CountTick
                      • String ID:
                      • API String ID: 1092082344-0
                      • Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
                      • Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
                      • Opcode Fuzzy Hash: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
                      • Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD
                      APIs
                      • lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
                      • RegSetValueExA.KERNELBASE(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
                      • RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CloseValuelstrlen
                      • String ID:
                      • API String ID: 2655323295-0
                      • Opcode ID: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
                      • Instruction ID: e1e6ae2a7b536448810537a1ffa9a52b32d6c636ce9630cd27147c6707bb0a71
                      • Opcode Fuzzy Hash: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
                      • Instruction Fuzzy Hash: 04116371E04208AFEB10AFA5DE49AAEBA74EB84714F21443BF504F71C1DAB94D409B68
                      APIs
                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
                      • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
                      • RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Enum$CloseValue
                      • String ID:
                      • API String ID: 397863658-0
                      • Opcode ID: 039baf7d42ae34e4e7f4f0d82c42536c565db7a64b10d6b3f593835efb4c20b6
                      • Instruction ID: 33ff3e85e785963e302667c06a3cb1355a7acd8bf142a31c2560ef5bcfc7d759
                      • Opcode Fuzzy Hash: 039baf7d42ae34e4e7f4f0d82c42536c565db7a64b10d6b3f593835efb4c20b6
                      • Instruction Fuzzy Hash: 2C017571904104FFE7158F54DE88ABF7BACEF81358F20443EF101A61C0DAB44E449679
                      APIs
                        • Part of subcall function 00405EF6: GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
                        • Part of subcall function 00405EF6: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F
                      • RemoveDirectoryA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B1D
                      • DeleteFileA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B25
                      • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: File$Attributes$DeleteDirectoryRemove
                      • String ID:
                      • API String ID: 1655745494-0
                      • Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
                      • Instruction ID: eeb49a2f717892c2e0964ab94aaac89db2a73fdd151ed94c70539e0cf44bba43
                      • Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
                      • Instruction Fuzzy Hash: 6CE0E531109A9097C62067349908A5B7AF8EF86314F094D3AF9A1F20D0DB38B9468EBD
                      APIs
                      • SetFilePointer.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      • Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
                      • Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
                      • Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
                      • Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9
                      APIs
                      • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040254E
                      • RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CloseQueryValue
                      • String ID:
                      • API String ID: 3356406503-0
                      • Opcode ID: 6617ca3d26eaa2170afdc71dc748124b2257766e2e1ea0df1a2f7a4cdc0ba340
                      • Instruction ID: 7c766f3f1fb2abd04e903467a79d83897fdaad9d0bba0580308fe752c8381985
                      • Opcode Fuzzy Hash: 6617ca3d26eaa2170afdc71dc748124b2257766e2e1ea0df1a2f7a4cdc0ba340
                      • Instruction Fuzzy Hash: 1B11BF71905205EFDB25CF64DA985AE7BB4AF11355F20483FE042B72C0D6B88A85DA1D
                      APIs
                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                      • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID:
                      • API String ID: 3850602802-0
                      • Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
                      • Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
                      • Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
                      • Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D
                      APIs
                      • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
                      • CloseHandle.KERNEL32(?), ref: 00405A57
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CloseCreateHandleProcess
                      • String ID:
                      • API String ID: 3712363035-0
                      • Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
                      • Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
                      • Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
                      • Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78
                      APIs
                      • GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
                      • GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
                        • Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
                        • Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
                        • Part of subcall function 00406726: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                      • String ID:
                      • API String ID: 2547128583-0
                      • Opcode ID: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
                      • Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
                      • Opcode Fuzzy Hash: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
                      • Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D
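The entries above are raw call sequences with stack values; they become useful in triage once parsed so the argument values can be inspected, for example the attribute-clearing sequence before RemoveDirectoryA/DeleteFileA, the GetSystemDirectoryA + wsprintfA + LoadLibraryExA(…, 00000008) chain that resolves imports at run time, and the 04000000 creation flag passed to CreateProcessA. The Python below is an added example written for this page, not Joe Sandbox tooling and not code from the sample: it parses the "APIs" lines of this report format into per-function call lists (including "Part of subcall function" lines) and applies a few of the editor's own heuristic tags. The constant values (LOAD_WITH_ALTERED_SEARCH_PATH = 0x8, CREATE_DEFAULT_ERROR_MODE = 0x04000000) are the documented Win32 values; the tag names and SAMPLE, which is a handful of lines copied from the report above, are the example's own.

```python
"""Parse the per-function "APIs" entries of a Joe Sandbox report and tag a few
Win32 call patterns worth noticing in triage. Added example, not Joe Sandbox
tooling: the tagging rules are the editor's own heuristics and SAMPLE is a
handful of lines copied from the report above."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One call line; the argument list is optional because the report prints
# e.g. "wsprintfA.USER32 ref: 00406776" with no parentheses.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*"
    r"ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
LOAD_WITH_ALTERED_SEARCH_PATH = 0x00000008  # LoadLibraryEx dwFlags
CREATE_DEFAULT_ERROR_MODE = 0x04000000      # CreateProcess dwCreationFlags


@dataclass
class Call:
    api: str
    module: str
    args: list[str]         # hex / "?" / string tokens exactly as printed
    ref: str                # call-site address
    subcall_of: str | None  # callee address for "Part of subcall function" lines


def parse_report(text: str) -> list[list[Call]]:
    """One list of Calls per 'APIs' header; dump-source and hash lines are skipped."""
    functions: list[list[Call]] = []
    current: list[Call] | None = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
            current.append(Call(m["api"], m["module"], args, m["ref"], m["sub"]))
    return functions


def hex_arg(call: Call, index: int) -> int | None:
    """Argument `index` as int, or None when it is missing, '?' or a string (a path)."""
    tok = call.args[index] if index < len(call.args) else "?"
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else None


def tag_function(calls: list[Call]) -> set[str]:
    """Heuristic behaviour tags for one function's calls, subcalls included."""
    tags: set[str] = set()
    names = {c.api for c in calls}
    for c in calls:
        if c.api == "LoadLibraryExA" and hex_arg(c, 2) == LOAD_WITH_ALTERED_SEARCH_PATH:
            tags.add("LoadLibraryEx:LOAD_WITH_ALTERED_SEARCH_PATH")
        flags = hex_arg(c, 5)
        if c.api == "CreateProcessA" and flags is not None and flags & CREATE_DEFAULT_ERROR_MODE:
            tags.add("CreateProcess:CREATE_DEFAULT_ERROR_MODE")
        if c.api == "SetFileAttributesA" and hex_arg(c, 1) == 0:
            tags.add("SetFileAttributes:clear")
    # Clearing read-only/hidden bits right before DeleteFile/RemoveDirectory is the
    # "make the delete succeed" idiom seen in installers and self-deleting droppers.
    if "SetFileAttributes:clear" in tags and names & {"DeleteFileA", "RemoveDirectoryA"}:
        tags.add("delete-after-clearing-attributes")
    if "GetProcAddress" in names and names & {"GetModuleHandleA", "LoadLibraryExA"}:
        tags.add("dynamic-import-resolution")
    return tags


def summarize(text: str) -> list[tuple[str, list[str]]]:
    """(label, sorted tags) per function; label is the first direct call's ref."""
    out = []
    for calls in parse_report(text):
        if calls:
            direct = [c for c in calls if c.subcall_of is None]
            out.append(((direct or calls)[0].ref, sorted(tag_function(calls))))
    return out


# Copied from the report above: three functions from the setup.exe memory dump.
SAMPLE = """\
APIs
  • Part of subcall function 00405EF6: GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
  • Part of subcall function 00405EF6: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F
• RemoveDirectoryA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B1D
• DeleteFileA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B25
• SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D
Memory Dump Source
APIs
• GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
• GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
  • Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
  • Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
  • Part of subcall function 00406726: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A
APIs
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
• CloseHandle.KERNEL32(?), ref: 00405A57
"""
```

Run `summarize(SAMPLE)` to get one (call-site, tags) pair per function; on the three copied blocks it yields the attribute-clear-then-delete tag for the function at 00405B1D, the altered-search-path load plus dynamic import resolution for 004067A6, and the CREATE_DEFAULT_ERROR_MODE flag for 00405A4A. The heuristics look only at the values Joe Sandbox printed, so "?" arguments never produce a tag; extend the rule table rather than guessing at unknown operands.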
                      APIs
                      • GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: File$AttributesCreate
                      • String ID:
                      • API String ID: 415043291-0
                      • Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                      • Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
                      • Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                      • Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19
                      APIs
                      • GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
                      • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                      • Instruction ID: 2a9487917742c73a52daa6fa2dda6e447083e2efb983b62a69771bacbdb33add
                      • Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                      • Instruction Fuzzy Hash: E3D0C972504422ABD2102728AE0889BBB55DB94271702CA35FDA5A26F1DB304C569A9C
                      APIs
                      • CreateDirectoryA.KERNELBASE(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
                      • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CreateDirectoryErrorLast
                      • String ID:
                      • API String ID: 1375471231-0
                      • Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                      • Instruction ID: 42ce2bd36b25b14d2ed8d631edf33fc643f4c4eb5ed9af5e51ab4a49ffb09bba
                      • Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                      • Instruction Fuzzy Hash: 9BC04C303145419AD6505B309F4DB177A54AB50741F51553A638AE01A0DA348465DD2D
                      APIs
                      • RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                      • Instruction ID: 57b18be241489d6c3509c0f1b2cb500900bdd64e2c84313365475615acd8ae2e
                      • Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                      • Instruction Fuzzy Hash: 16E0E672010109BEDF196F50DD0AD7B371DEB04341F01492EF916D4091E6B5A9309734
                      APIs
                      • WriteFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0040C475,0040B8F8,00403405,0040B8F8,0040C475,004138F8,00004000,?,00000000,0040322F,00000004), ref: 00405FD6
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: FileWrite
                      • String ID:
                      • API String ID: 3934441357-0
                      • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                      • Instruction ID: d5187e51ab0d96a1766449b5dbb93cac2cdd9e80b7d20ab2fc0b5d8c8d5322e8
                      • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                      • Instruction Fuzzy Hash: 4AE0EC3221065BABDF109E659C04EEB7B6CEB05360F004437FA55E3150D675E8219BA4
                      APIs
                      • ReadFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,004138F8,0040B8F8,00403481,00000009,00000009,00403385,004138F8,00004000,?,00000000,0040322F), ref: 00405FA7
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: FileRead
                      • String ID:
                      • API String ID: 2738559852-0
                      • Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                      • Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
                      • Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                      • Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8
                      APIs
                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403182,?), ref: 00403492
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                      • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                      • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                      • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                      APIs
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                        • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                        • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                        • Part of subcall function 00405A21: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
                        • Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57
                      • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
                        • Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
                        • Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
                        • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                      • String ID:
                      • API String ID: 2972824698-0
                      • Opcode ID: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
                      • Instruction ID: dce1314ccbc215d7d9c334b017be086f7c4cc40ba0f87dfe0d8145fd67a5eb82
                      • Opcode Fuzzy Hash: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
                      • Instruction Fuzzy Hash: 2DF0B432A05121DBDB20BFA59EC49EEB2A4DF41318B25463FF502B21D1CB7C4D418A6E
                      APIs
                      • GetDlgItem.USER32(?,00000403), ref: 00405646
                      • GetDlgItem.USER32(?,000003EE), ref: 00405655
                      • GetClientRect.USER32(?,?), ref: 00405692
                      • GetSystemMetrics.USER32(00000002), ref: 00405699
                      • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056BA
                      • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056CB
                      • SendMessageA.USER32(?,00001001,00000000,?), ref: 004056DE
                      • SendMessageA.USER32(?,00001026,00000000,?), ref: 004056EC
                      • SendMessageA.USER32(?,00001024,00000000,?), ref: 004056FF
                      • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405721
                      • ShowWindow.USER32(?,00000008), ref: 00405735
                      • GetDlgItem.USER32(?,000003EC), ref: 00405756
                      • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405766
                      • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040577F
                      • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040578B
                      • GetDlgItem.USER32(?,000003F8), ref: 00405664
                        • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
                      • GetDlgItem.USER32(?,000003EC), ref: 004057A7
                      • CreateThread.KERNEL32(00000000,00000000,Function_0000557B,00000000), ref: 004057B5
                      • CloseHandle.KERNEL32(00000000), ref: 004057BC
                      • ShowWindow.USER32(00000000), ref: 004057DF
                      • ShowWindow.USER32(?,00000008), ref: 004057E6
                      • ShowWindow.USER32(00000008), ref: 0040582C
                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
                      • CreatePopupMenu.USER32 ref: 00405871
                      • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
                      • GetWindowRect.USER32(?,000000FF), ref: 004058A6
                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
                      • OpenClipboard.USER32(00000000), ref: 0040590B
                      • EmptyClipboard.USER32 ref: 00405911
                      • GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
                      • GlobalLock.KERNEL32(00000000), ref: 00405924
                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
                      • GlobalUnlock.KERNEL32(00000000), ref: 00405951
                      • SetClipboardData.USER32(00000001,00000000), ref: 0040595C
                      • CloseClipboard.USER32 ref: 00405962
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                      • String ID: PB
                      • API String ID: 590372296-3196168531
                      • Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                      • Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
                      • Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                      • Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58
                      APIs
                      • GetDlgItem.USER32(?,000003F9), ref: 00404E21
                      • GetDlgItem.USER32(?,00000408), ref: 00404E2E
                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E7D
                      • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E94
                      • SetWindowLongA.USER32(?,000000FC,0040541D), ref: 00404EAE
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EC0
                      • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404ED4
                      • SendMessageA.USER32(?,00001109,00000002), ref: 00404EEA
                      • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404EF6
                      • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F06
                      • DeleteObject.GDI32(00000110), ref: 00404F0B
                      • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F36
                      • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F42
                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404FDC
                      • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 0040500C
                        • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00405020
                      • GetWindowLongA.USER32(?,000000F0), ref: 0040504E
                      • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040505C
                      • ShowWindow.USER32(?,00000005), ref: 0040506C
                      • SendMessageA.USER32(?,00000419,00000000,?), ref: 00405167
                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051CC
                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004051E1
                      • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405205
                      • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405225
                      • ImageList_Destroy.COMCTL32(?), ref: 0040523A
                      • GlobalFree.KERNEL32(?), ref: 0040524A
                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052C3
                      • SendMessageA.USER32(?,00001102,?,?), ref: 0040536C
                      • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040537B
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 004053A6
                      • ShowWindow.USER32(?,00000000), ref: 004053F4
                      • GetDlgItem.USER32(?,000003FE), ref: 004053FF
                      • ShowWindow.USER32(00000000), ref: 00405406
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                      • String ID: $M$N
                      • API String ID: 2564846305-813528018
                      • Opcode ID: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
                      • Instruction ID: c306c4130ea67d8582adb4b0d0e706bf782d7aff15223233fd0d43401108afdf
                      • Opcode Fuzzy Hash: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
                      • Instruction Fuzzy Hash: 6C025CB0A00609AFDB209F94DD45AAE7BB5FB84354F10817AF610BA2E1D7789D42CF58
                      APIs
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
                      • ShowWindow.USER32(?), ref: 00403F67
                      • GetWindowLongA.USER32(?,000000F0), ref: 00403F79
                      • ShowWindow.USER32(?,00000004), ref: 00403F92
                      • DestroyWindow.USER32 ref: 00403FA6
                      • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FBF
                      • GetDlgItem.USER32(?,?), ref: 00403FDE
                      • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403FF2
                      • IsWindowEnabled.USER32(00000000), ref: 00403FF9
                      • GetDlgItem.USER32(?,00000001), ref: 004040A4
                      • GetDlgItem.USER32(?,00000002), ref: 004040AE
                      • SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
                      • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404119
                      • GetDlgItem.USER32(?,00000003), ref: 004041BF
                      • ShowWindow.USER32(00000000,?), ref: 004041E0
                      • EnableWindow.USER32(?,?), ref: 004041F2
                      • EnableWindow.USER32(?,?), ref: 0040420D
                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
                      • EnableMenuItem.USER32(00000000), ref: 0040422A
                      • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404242
                      • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404255
                      • lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
                      • SetWindowTextA.USER32(?,00420D50), ref: 0040428E
                      • ShowWindow.USER32(?,0000000A), ref: 004043C2
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                      • String ID: PB
                      • API String ID: 1860320154-3196168531
                      • Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
                      • Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
                      • Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
                      • Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D
                      APIs
                      • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004045FB
                      • GetDlgItem.USER32(00000000,000003E8), ref: 0040460F
                      • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040462D
                      • GetSysColor.USER32(?), ref: 0040463E
                      • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040464D
                      • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040465C
                      • lstrlenA.KERNEL32(?), ref: 0040465F
                      • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040466E
                      • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404683
                      • GetDlgItem.USER32(?,0000040A), ref: 004046E5
                      • SendMessageA.USER32(00000000), ref: 004046E8
                      • GetDlgItem.USER32(?,000003E8), ref: 00404713
                      • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404753
                      • LoadCursorA.USER32(00000000,00007F02), ref: 00404762
                      • SetCursor.USER32(00000000), ref: 0040476B
                      • LoadCursorA.USER32(00000000,00007F00), ref: 00404781
                      • SetCursor.USER32(00000000), ref: 00404784
                      • SendMessageA.USER32(00000111,00000001,00000000), ref: 004047B0
                      • SendMessageA.USER32(00000010,00000000,00000000), ref: 004047C4
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                      • String ID: N$6B
                      • API String ID: 3103080414-649610290
                      • Opcode ID: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
                      • Instruction ID: 424ea1d81b5f8fd67bb79b8421ee67f108f717641e3cc5fc4ea293435da972af
                      • Opcode Fuzzy Hash: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
                      • Instruction Fuzzy Hash: CE6190B1A40208BFDB109F61DD45B6A7B69FB84715F10843AFB01BB2D1C7B8A951CF98
                      APIs
                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
                      • GetShortPathNameA.KERNEL32(?,00422AE0,00000400), ref: 0040602B
                        • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
                        • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
                      • GetShortPathNameA.KERNEL32(?,00422EE0,00000400), ref: 00406048
                      • wsprintfA.USER32 ref: 00406066
                      • GetFileSize.KERNEL32(00000000,00000000,00422EE0,C0000000,00000004,00422EE0,?,?,?,?,?), ref: 004060A1
                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
                      • SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004226E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
                      • GlobalFree.KERNEL32(00000000), ref: 0040614F
                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156
                        • Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
                        • Part of subcall function 00405F1B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                      • String ID: %s=%s$[Rename]$*B$.B$.B
                      • API String ID: 2171350718-3836630945
                      • Opcode ID: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
                      • Instruction ID: 7566a5a9e9d08134d14435fb5d3e1561ad96112206bac95af022f508aac3f812
                      • Opcode Fuzzy Hash: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
                      • Instruction Fuzzy Hash: 68310531200715BBC2207B659D49F6B3A5DDF85754F15003EFE42BA2C3EA7CD8228AAD
                      APIs
                      • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                      • BeginPaint.USER32(?,?), ref: 00401047
                      • GetClientRect.USER32(?,?), ref: 0040105B
                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                      • DeleteObject.GDI32(?), ref: 004010ED
                      • CreateFontIndirectA.GDI32(?), ref: 00401105
                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                      • SelectObject.GDI32(00000000,?), ref: 00401140
                      • DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                      • DeleteObject.GDI32(?), ref: 00401165
                      • EndPaint.USER32(?,?), ref: 0040116E
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                      • String ID: F
                      • API String ID: 941294808-1304234792
                      • Opcode ID: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                      • Instruction ID: bc851ab26da2bb863bf3a2ee07eb2f950de800ada4cbee7b2d64f78586a04119
                      • Opcode Fuzzy Hash: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                      • Instruction Fuzzy Hash: 2C419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C734DA55DFA4
                      APIs
                      • GetDlgItem.USER32(?,000003FB), ref: 004048E6
                      • SetWindowTextA.USER32(00000000,?), ref: 00404910
                      • SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
                      • CoTaskMemFree.OLE32(00000000), ref: 004049CC
                      • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00420D50), ref: 004049FE
                      • lstrcatA.KERNEL32(?,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe), ref: 00404A0A
                      • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C
                        • Part of subcall function 00405A82: GetDlgItemTextA.USER32(?,?,00000400,00404A53), ref: 00405A95
                        • Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
                        • Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
                        • Part of subcall function 00406666: CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
                        • Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
                      • GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5
                        • Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                        • Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
                        • Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                      • String ID: A$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$PB
                      • API String ID: 2624150263-3665957329
                      • Opcode ID: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
                      • Instruction ID: 03633cdec68ae3b48ba4c7d33c4768738bfb21d85bfcf2e4b9185cba9ee35c0f
                      • Opcode Fuzzy Hash: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
                      • Instruction Fuzzy Hash: 7DA150B1A00208AADB11EFA5DD45BAFB6B8EF84315F10803BF601B62D1D77C99418F6D
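                      Two of the entries above are the ones worth pulling out when triaging this setup.exe stage: the entry whose calls begin at ref 00406022 builds a "%s=%s" line next to a "[Rename]" string (the section name WININIT.INI uses for rename-on-reboot entries), and the folder-browse entry at ref 004048E6 compares against C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, a location outside the Temp directory the stage runs from. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the plugin's "APIs" listing shape into records and applies three indicator rules (a path outside %TEMP%, the "[Rename]" marker, and a clipboard write). The rule names are my own, the sample lines are copied from the listings above and embedded as constructed input, and the parser assumes, as every visible string on this page does, that no argument contains a comma.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the "APIs" listings above, in the exact
# shape the Joe Sandbox IDA plugin prints them (bullet, Func.MODULE(args), ref).
SAMPLE_APIS = """\
• GetDlgItem.USER32(?,000003EC), ref: 004057A7
• CreatePopupMenu.USER32 ref: 00405871
• SetClipboardData.USER32(00000001,00000000), ref: 0040595C
  • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000), ref: 00405EC2
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
• lstrcmpiA.KERNEL32(C:\\Users\\user\\AppData\\Roaming\\GamePall\\GamePall.exe,00420D50), ref: 004049FE
  • Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\\Users\\user\\AppData\\Local\\Temp\\setup.exe,80000000,00000003), ref: 00405F1F
• CharNextA.USER32(0000000B,*?|<>/":,00000000,C:\\Users\\user\\AppData\\Local\\Temp\\,"C:\\Users\\user\\AppData\\Local\\Temp\\setup.exe",004034A7), ref: 004066BE
"""

LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"   # some calls (CreatePopupMenu, wsprintfA) are listed without arguments
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# A Windows path argument, optionally wrapped in double quotes as the plugin prints some of them.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^,")]*)"?')
TEMP_DIR = "\\appdata\\local\\temp\\"


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str]  # set for "Part of subcall function X" lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the plugin's bullet lines into records; lines in any other shape are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        # Arguments are comma-separated; no string visible in the report contains a comma,
        # so a plain split is adequate for this listing (assumption, see lead-in).
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("func"), m.group("module").upper(),
                             args, m.group("ref").upper(), m.group("caller")))
    return calls


def triage(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Apply three indicator rules (rule names are mine, not the report's) and return
    hits keyed by rule: a path outside the %TEMP% the stage ran from, the "[Rename]"
    WININIT.INI section marker (rename-on-reboot), and a clipboard write."""
    hits: Dict[str, List[str]] = {"path_outside_temp": [], "wininit_rename": [], "clipboard_write": []}
    seen = set()
    for c in calls:
        where = f"{c.func}.{c.module} @ {c.ref}"
        for a in c.args:
            for p in PATH_RE.findall(a):
                if TEMP_DIR not in p.lower() and (p, c.ref) not in seen:
                    seen.add((p, c.ref))
                    hits["path_outside_temp"].append(f"{p} ({where})")
        if "[Rename]" in c.args:
            hits["wininit_rename"].append(where)
        if c.func == "SetClipboardData":
            hits["clipboard_write"].append(where)
    return hits


def run_sample() -> Dict[str, List[str]]:
    """Parse the embedded sample and return the triage hits."""
    return triage(parse_api_lines(SAMPLE_APIS))


if __name__ == "__main__":
    for rule, entries in run_sample().items():
        print(rule)
        for e in entries:
            print("   ", e)
```

                      Run against the full "APIs" text of a report, the path rule surfaces every drop or install location the stage touches (here the Roaming\GamePall directory) while ignoring the Temp paths of the stage itself; the "[Rename]" rule is only meaningful for 32-bit installer stubs, and the clipboard rule is a low-confidence hint on its own, so treat the output as a reading aid for the listings rather than a verdict.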
                      APIs
                      • lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                      • lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                      • lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                      • SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                      • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                      • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                      • String ID: 4/@
                      • API String ID: 2531174081-3101945251
                      • Opcode ID: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
                      • Instruction ID: 7ab3267fb946cf8e7efc5916356ec1270af3577e2396c2c3629ce5ef3fcb69de
                      • Opcode Fuzzy Hash: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
                      • Instruction Fuzzy Hash: 0F217A71E00118BBCF119FA5DD8099EBFB9EF09354F04807AF944A6291C7788A90CFA8
                      APIs
                      • CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
                      • CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
                      • CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
                      • CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
                      Strings
                      • "C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00406666
                      • *?|<>/":, xrefs: 004066AE
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00406667
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Char$Next$Prev
                      • String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                      • API String ID: 589700163-1678727643
                      • Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
                      • Instruction ID: 80d428334b402c3338f843ea799862c1973996ffb1638880579f4ae0c72fc655
                      • Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
                      • Instruction Fuzzy Hash: 7E1108518047902DEB3206340C04B7B7F894F977A0F2A087FD8C6722C2D67E5C62967D
                      APIs
                      • DestroyWindow.USER32(00000000,00000000), ref: 00402ED5
                      • GetTickCount.KERNEL32 ref: 00402EF3
                      • wsprintfA.USER32 ref: 00402F21
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                        • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                        • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                        • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                        • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                      • CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
                      • ShowWindow.USER32(00000000,00000005), ref: 00402F53
                        • Part of subcall function 00402EA1: MulDiv.KERNEL32(00000000,00000064,0000D822), ref: 00402EB6
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                      • String ID: ... %d%%$#Vh%.@
                      • API String ID: 722711167-1706192003
                      • Opcode ID: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
                      • Instruction ID: ac0ca11ee9366edb0cc6a28cc5aeb329eacd7d00ab00b3c3670f6d564c8935e4
                      • Opcode Fuzzy Hash: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
                      • Instruction Fuzzy Hash: 3F01A170542225EBCB21BB50EF0CBAB3778EB40744B04443BF505B21D0C7F894469AEE
                      APIs
                      • GetWindowLongA.USER32(?,000000EB), ref: 00404489
                      • GetSysColor.USER32(00000000), ref: 004044C7
                      • SetTextColor.GDI32(?,00000000), ref: 004044D3
                      • SetBkMode.GDI32(?,?), ref: 004044DF
                      • GetSysColor.USER32(?), ref: 004044F2
                      • SetBkColor.GDI32(?,?), ref: 00404502
                      • DeleteObject.GDI32(?), ref: 0040451C
                      • CreateBrushIndirect.GDI32(?), ref: 00404526
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                      • String ID:
                      • API String ID: 2320649405-0
                      • Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                      • Instruction ID: 76b6fc4927f6120469f5ffa52701fcd3ddd76896e52d32ad6f55637f73cee333
                      • Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                      • Instruction Fuzzy Hash: 9E2147B1501704AFCB31DF68ED08B5BBBF8AF41715B04892EEA96A26E0D734E904CB54
                      APIs
                      • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D73
                      • GetMessagePos.USER32 ref: 00404D7B
                      • ScreenToClient.USER32(?,?), ref: 00404D95
                      • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DA7
                      • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DCD
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Message$Send$ClientScreen
                      • String ID: f
                      • API String ID: 41195575-1993550816
                      • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                      • Instruction ID: de178be9688f757f82ef56a4cbeb6693d0582b60b2ea90e1a00f6814b48fd044
                      • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                      • Instruction Fuzzy Hash: BB014871900219BADB01DBA4DD85BFEBBF8AF95B11F10016ABA40B61C0C6B499058BA4
                      APIs
                      • CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                      • GetLastError.KERNEL32 ref: 004059C6
                      • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
                      • GetLastError.KERNEL32 ref: 004059E5
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: ErrorLast$CreateDirectoryFileSecurity
                      • String ID: !9@$C:\Users\user\AppData\Local\Temp\
                      • API String ID: 3449924974-2369717338
                      • Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                      • Instruction ID: 4cd508ff09270142ca7a6984d66ae253fefa4e1f6983b248f3af4f59f5a14231
                      • Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                      • Instruction Fuzzy Hash: 610108B1D00259DAEF109BA0CA45BEFBBB8EB04354F00403AD645B6290D7789648CF99
                      APIs
                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
                      • wsprintfA.USER32 ref: 00402E74
                      • SetWindowTextA.USER32(?,?), ref: 00402E84
                      • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Text$ItemTimerWindowwsprintf
                      • String ID: unpacking data: %d%%$verifying installer: %d%%
                      • API String ID: 1451636040-1158693248
                      • Opcode ID: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
                      • Instruction ID: 7ad4584a5e884be7344c254f70e0401137e7e46ce86c3cf658bb2ab9d23be74a
                      • Opcode Fuzzy Hash: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
                      • Instruction Fuzzy Hash: 1DF01D7054020DBAEF219F60DE0ABAE3769EB44344F00803AFA16B91D0DBB899558F99
                      APIs
                      • lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                      • wsprintfA.USER32 ref: 00404CF4
                      • SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: ItemTextlstrlenwsprintf
                      • String ID: %u.%u%s%s$PB
                      • API String ID: 3540041739-838025833
                      • Opcode ID: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
                      • Instruction ID: 635705270cf82d3fa6c033b13715314544988666452c3f341a93ad76d23c3d90
                      • Opcode Fuzzy Hash: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
                      • Instruction Fuzzy Hash: 5F11E77360512837EB00656D9D45EAE3298DB85374F26423BFE26F71D1E978CC1286E8
                      APIs
                      • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CloseEnum$DeleteValue
                      • String ID:
                      • API String ID: 1354259210-0
                      • Opcode ID: e74c2f698c9890700b4790f2c47d05d8785518f345c631b22f69380fd2d26fe8
                      • Instruction ID: 1f7d8097ab2fb743d310579a2b4365e3e31c1a4ec17ce584dda370d325fd3950
                      • Opcode Fuzzy Hash: e74c2f698c9890700b4790f2c47d05d8785518f345c631b22f69380fd2d26fe8
                      • Instruction Fuzzy Hash: 1D214B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AF955B11A0D7B49EA49AA8
                      APIs
                      • GetDlgItem.USER32(?,?), ref: 00401D7E
                      • GetClientRect.USER32(?,?), ref: 00401DCC
                      • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
                      • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
                      • DeleteObject.GDI32(00000000), ref: 00401E20
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                      • String ID:
                      • API String ID: 1849352358-0
                      • Opcode ID: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
                      • Instruction ID: cb7cd4706ec086029cb46641885d9617bace417a5341e65c45b3777010ef1041
                      • Opcode Fuzzy Hash: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
                      • Instruction Fuzzy Hash: 35212A72E00109AFDF15DFA4DD85AAEBBB5EB88300F24417EF911F62A0DB389941DB14
                      APIs
                      • GetDC.USER32(?), ref: 00401E38
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                      • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                      • ReleaseDC.USER32(?,00000000), ref: 00401E6B
                      • CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CapsCreateDeviceFontIndirectRelease
                      • String ID:
                      • API String ID: 3808545654-0
                      • Opcode ID: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
                      • Instruction ID: bfe7ce59390996d5b2ac71ca67757b7c78ff13e1b53bdd881068f9c0e557254e
                      • Opcode Fuzzy Hash: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
                      • Instruction Fuzzy Hash: 66018072504340AEE7007BB0AF8AA9A7FE8E755701F109439F241B61E2CB790449CB6C
                      APIs
                      • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                      • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: MessageSend$Timeout
                      • String ID: !
                      • API String ID: 1777923405-2657877971
                      • Opcode ID: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                      • Instruction ID: a12cfbdd51ff26f17676da16b1bc06906883597644a76ef85f46b7bf1251d8d3
                      • Opcode Fuzzy Hash: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                      • Instruction Fuzzy Hash: 2A218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18
                      APIs
                      • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
                      • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
                      • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A
                      Strings
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CharPrevlstrcatlstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp\
                      • API String ID: 2659869361-3081826266
                      • Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                      • Instruction ID: 6a6775ee8fa4d5d8d60a890cb1840bbff54d6a4bc9e312217f61a2b57c53a4e0
                      • Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                      • Instruction Fuzzy Hash: 82D0A7625015307AD20167154C09DDF29488F523017094027F501B7191C67C5C1187FD
                      APIs
                      • GlobalFree.KERNEL32(006E5670), ref: 00401BF6
                      • GlobalAlloc.KERNEL32(00000040,00000404), ref: 00401C08
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Global$AllocFree
                      • String ID: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$pVn
                      • API String ID: 3394109436-713061468
                      • Opcode ID: 1742c790c76e1204b36b83cb8595e4f796a64baec2cc559805630d203923ff3a
                      • Instruction ID: d16732292a7d53aa36264d1983316191a85a40c43d81ca2894a5c6bdb3dae948
                      • Opcode Fuzzy Hash: 1742c790c76e1204b36b83cb8595e4f796a64baec2cc559805630d203923ff3a
                      • Instruction Fuzzy Hash: 6921A872600208ABC720EB65CEC495E73E8EB89314765493BF502F72E1DB7CA8518B9D
                      APIs
                      • CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
                      • CharNextA.USER32(00000000), ref: 00405DC6
                      • CharNextA.USER32(00000000), ref: 00405DDA
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CharNext
                      • String ID: C:\
                      • API String ID: 3213498283-3404278061
                      • Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
                      • Instruction ID: a81d310af092f64b8c374c4571b8fed5a60269d48026fa3bbeeaae68e06855d2
                      • Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
                      • Instruction Fuzzy Hash: 71F09661904F542BFB3293648C4CB776B8DCF55351F28947BE6807A6C1C27C59808FEA
                      APIs
                      • CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA
                      Strings
                      • C:\Users\user\AppData\Roaming\GamePall, xrefs: 00402238
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: ByteCharCreateInstanceMultiWide
                      • String ID: C:\Users\user\AppData\Roaming\GamePall
                      • API String ID: 123533781-2308708932
                      • Opcode ID: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
                      • Instruction ID: 4a55140eb955682c0845ac661669d1effe53c60cfc8a987c49de3bb9103baba8
                      • Opcode Fuzzy Hash: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
                      • Instruction Fuzzy Hash: B2513575A00208AFDF10DFE4CA88A9D7BB5EF48314F2045BAF505EB2D1DA799981CB54
                      APIs
                      • IsWindowVisible.USER32(?), ref: 0040544C
                      • CallWindowProcA.USER32(?,?,?,?), ref: 0040549D
                        • Part of subcall function 00404451: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404463
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: Window$CallMessageProcSendVisible
                      • String ID:
                      • API String ID: 3748168415-3916222277
                      • Opcode ID: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
                      • Instruction ID: ce4d6245f7a5538c18ae28323cba1b5bdda0ccdff68052f186ad3da5f1ae13b7
                      • Opcode Fuzzy Hash: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
                      • Instruction Fuzzy Hash: 2A015E31200608AFDF216F51DD80BAF3A66EB84716F104537FA05761D2C7799CD29F6A
                      APIs
                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00420530,?,?,?,00000002,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,00406527,80000002), ref: 004062B5
                      • RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,00420530), ref: 004062C0
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CloseQueryValue
                      • String ID: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                      • API String ID: 3356406503-2798812489
                      APIs
                      • lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D67
                      • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D75
                      Strings
                      • C:\Users\user\AppData\Local\Temp, xrefs: 00405D61
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: CharPrevlstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp
                      • API String ID: 2709904686-47812868
                      APIs
                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
                      • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
                      • CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
                      • lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
                      Memory Dump Source
                      • Source File: 0000000B.00000002.3373599818.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000B.00000002.3373568822.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373632112.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373661700.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000B.00000002.3373757467.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                      Similarity
                      • API ID: lstrlen$CharNextlstrcmpi
                      • String ID:
                      • API String ID: 190613189-0

                      Execution Graph

                      Execution Coverage: 8.3%
                      Dynamic/Decrypted Code Coverage: 73%
                      Signature Coverage: 0%
                      Total number of Nodes: 74
                      Total number of Limit Nodes: 3
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063D37000.00000020.00000001.01000000.00000015.sdmp, Offset: 63D37000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63d37000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID: H#Vj
                      • API String ID: 0-73999843

                      Control-flow Graph

                      APIs
                      • CertControlStore.CRYPT32(?,00000000,00000004,00000000), ref: 61DAB725
                      • CertControlStore.CRYPT32(?,00000000,00000004,00000000), ref: 61DAB73B
                      • CertControlStore.CRYPT32(?,00000000,00000004,00000000), ref: 61DAB750
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061DAB000.00000020.00000001.01000000.00000015.sdmp, Offset: 61DAB000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61dab000_GamePall.jbxd
                      Similarity
                      • API ID: CertControlStore
                      • String ID: Hi$Hi
                      • API String ID: 423745413-1739031191

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 0256D46E
                      • GetCurrentThread.KERNEL32 ref: 0256D4AB
                      • GetCurrentProcess.KERNEL32 ref: 0256D4E8
                      • GetCurrentThreadId.KERNEL32 ref: 0256D541
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3447496175.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_2560000_GamePall.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 0256D46E
                      • GetCurrentThread.KERNEL32 ref: 0256D4AB
                      • GetCurrentProcess.KERNEL32 ref: 0256D4E8
                      • GetCurrentThreadId.KERNEL32 ref: 0256D541
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3447496175.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_2560000_GamePall.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0

                      Control-flow Graph

                      APIs
                      • CreateWindowExW.USER32(?,00000000,00000000,?,?,?,80000000,80000000,?,00000000,00000000), ref: 61E89F4A
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061E89000.00000020.00000001.01000000.00000015.sdmp, Offset: 61E89000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61e89000_GamePall.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID: ?$P
                      • API String ID: 716092398-1257622509

                      Control-flow Graph

                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID: $^q$$^q$$^q$$^q
                      • API String ID: 0-2125118731

                      Control-flow Graph

                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID: (bq$Hbq$Hbq
                      • API String ID: 0-2817990774
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID: (bq$$^q$$^q
                      • API String ID: 0-1326376818
                      APIs
                      • CreateWindowExW.USER32(?,00000000,00000000,?,?,?,80000000,80000000,?,00000000,00000000), ref: 61E89F4A
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061E89000.00000020.00000001.01000000.00000015.sdmp, Offset: 61E89000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61e89000_GamePall.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID: ?
                      • API String ID: 716092398-1684325040
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061D92000.00000020.00000001.01000000.00000015.sdmp, Offset: 61D92000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61d92000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID: l `j$p `j
                      • API String ID: 0-676915400
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID: $^q$$^q
                      • API String ID: 0-355816377
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063C44000.00000020.00000001.01000000.00000015.sdmp, Offset: 63C44000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63c44000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID: nla
                      • API String ID: 0-2599129657
                      APIs
                      • DuplicateHandle.KERNELBASE(00000000,?,?,FFFFFFFF,00000000,00000000,00000003), ref: 6358A0B6
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.000000006358A000.00000020.00000001.01000000.00000015.sdmp, Offset: 6358A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6358a000_GamePall.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A9050A
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4727029481.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6a90000_GamePall.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A9050A
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4727029481.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6a90000_GamePall.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      APIs
                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 06A91289
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4727029481.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6a90000_GamePall.jbxd
                      Similarity
                      • API ID: CallProcWindow
                      • String ID:
                      • API String ID: 2714655100-0
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID: Xbq
                      • API String ID: 0-63242295
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0256D6BF
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3447496175.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_2560000_GamePall.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: cf513173b7c84e856dfe1f914ad9bccd827eaeb8d0db4679f12d56d88e9fc7bc
                      • Instruction ID: 4b34fb153ec95e6ceb9f226534399a2fb906b2578bb2577b2331c13fb51c4b7f
                      • Opcode Fuzzy Hash: cf513173b7c84e856dfe1f914ad9bccd827eaeb8d0db4679f12d56d88e9fc7bc
                      • Instruction Fuzzy Hash: EE2116B5900208DFDB10CF9AD584ADEBFF4FB48310F14841AE918A7310D3789944CF64
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0256D6BF
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3447496175.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_2560000_GamePall.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 49e779b6b11e3407a842eb5794b38612cc9879f70a1d1eed6098d299ad420878
                      • Instruction ID: 66749a8462eb83085970b1abe7e207f6d645b17a0d5ed93b91f33298e9d7e98f
                      • Opcode Fuzzy Hash: 49e779b6b11e3407a842eb5794b38612cc9879f70a1d1eed6098d299ad420878
                      • Instruction Fuzzy Hash: 8821E4B5900258DFDB10CF9AD984AEEBFF4FB48320F14841AE918A3350D374A940CFA5
                      APIs
                      • SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0256E090
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3447496175.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_2560000_GamePall.jbxd
                      Similarity
                      • API ID: InfoParametersSystem
                      • String ID:
                      • API String ID: 3098949447-0
                      • Opcode ID: 1b2d9912719db8c3331b808dc5539305dc3db4cd16fc86b4d31d0aa6e50e8519
                      • Instruction ID: b41f5a492cdf0c1d55fb47f3b7734346290d7dbc19a813b98dde66dd6c3f07c6
                      • Opcode Fuzzy Hash: 1b2d9912719db8c3331b808dc5539305dc3db4cd16fc86b4d31d0aa6e50e8519
                      • Instruction Fuzzy Hash: 501176B5900648CFCB20CF9AC849BEEBFF4FB48320F108469E958A3250D374A944CFA4
                      APIs
                      • SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0256E090
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3447496175.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_2560000_GamePall.jbxd
                      Similarity
                      • API ID: InfoParametersSystem
                      • String ID:
                      • API String ID: 3098949447-0
                      • Opcode ID: 55a7cceb6d85db81b31c9e0950ec108784dcdd22c204036f37c25f8a10bd3414
                      • Instruction ID: de3722ffe9df358736737729f3eaf85a1f7847dac5d3863b0c076c4145fc6f0e
                      • Opcode Fuzzy Hash: 55a7cceb6d85db81b31c9e0950ec108784dcdd22c204036f37c25f8a10bd3414
                      • Instruction Fuzzy Hash: 781137B6900249CFDB20DF99C545BEEBFF4FB48320F208429E558A7250D375A944CFA4
                      APIs
                      • FindResourceW.KERNEL32(?,?,69DFF0BA), ref: 61D341BE
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061D34000.00000020.00000001.01000000.00000015.sdmp, Offset: 61D34000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61d34000_GamePall.jbxd
                      Similarity
                      • API ID: FindResource
                      • String ID:
                      • API String ID: 1635176832-0
                      • Opcode ID: 35e10335c14be9930f81ffdcaad44f7ab67a9c9739d5f696bf545c761a20670a
                      • Instruction ID: bce9ca8f182ad785ca413e39bca740ce9d1c2a4f9ab93e28f3698b5de443cbc5
                      • Opcode Fuzzy Hash: 35e10335c14be9930f81ffdcaad44f7ab67a9c9739d5f696bf545c761a20670a
                      • Instruction Fuzzy Hash: 3AF0AFB1304211AFAB009F75DD84E6B3BACFB972527024A2AFC05C3200DB79EC008770
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061CE0000.00000020.00000001.01000000.00000015.sdmp, Offset: 61CE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61ce0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID: PUU
                      • API String ID: 0-1328610248
                      • Opcode ID: ae36cd75743861f939b56f37e0ea784d00ae6401e9f459dfcbd9b2abab51ff7b
                      • Instruction ID: 261e0f76ec81097ad1b43aada4822f3baa18dc76f73716ac8c492179e800acbf
                      • Opcode Fuzzy Hash: ae36cd75743861f939b56f37e0ea784d00ae6401e9f459dfcbd9b2abab51ff7b
                      • Instruction Fuzzy Hash: C0A1BD71700605CFDB108F65C899A6EBBB2FF85314B208929D45ADB694EF31F921CBD2
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4c^q
                      • API String ID: 0-396817635
                      • Opcode ID: 1a141eee4010b9f60d27ac93131a6edd0f77a344a3bc1ea9194ca21c7b1fef86
                      • Instruction ID: 4238aabcd6945a59321a9d8abd1f8f792cdc63a5a7cb9df1fcbf5e129e241d39
                      • Opcode Fuzzy Hash: 1a141eee4010b9f60d27ac93131a6edd0f77a344a3bc1ea9194ca21c7b1fef86
                      • Instruction Fuzzy Hash: D3617D75A00109DFDF44EF64C890AAEB7F6FF88300F548669EA05DB256DB31E945CB90
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID: %#l^
                      • API String ID: 0-3776100006
                      • Opcode ID: a6d521e64c21131334d86afcff1a7d9375c856a9534e496fc60d02d358396892
                      • Instruction ID: 41d9c792164847a006041b651f377668910d99cb7913fe88a54c85142af18521
                      • Opcode Fuzzy Hash: a6d521e64c21131334d86afcff1a7d9375c856a9534e496fc60d02d358396892
                      • Instruction Fuzzy Hash: 436183382007409FD366EF38D994A19BBF2FB89314B0585A9E549CB376EB34ED45CB90
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID: Hbq
                      • API String ID: 0-1245868
                      • Opcode ID: 52a6f0dbd0c43875b9c29879e87a10c9632ef19b49364a15545def22014552e2
                      • Instruction ID: 1ac84a57e75740029bc7674cc5ff75ddb682c8283410380785df0838a080a924
                      • Opcode Fuzzy Hash: 52a6f0dbd0c43875b9c29879e87a10c9632ef19b49364a15545def22014552e2
                      • Instruction Fuzzy Hash: 1831CE35B002448FC785EB79D860A2EBBF6FFD5300B2584AAE045DB392CE359D02CB91
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4c^q
                      • API String ID: 0-396817635
                      • Opcode ID: bb17269a9336cbd1b2121d89fd054ab790e67c8e8eefc9974820750caf5dd5c6
                      • Instruction ID: 7d65a13f3f77762a4427013d1a9ba19279ee01efaa94583f4ae3d7e3427f387c
                      • Opcode Fuzzy Hash: bb17269a9336cbd1b2121d89fd054ab790e67c8e8eefc9974820750caf5dd5c6
                      • Instruction Fuzzy Hash: 9F318D75A00105DFDB94EF58C890AAEB7B6FF88300F54826AE905DB292D771EC45CB91
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063CE1000.00000020.00000001.01000000.00000015.sdmp, Offset: 63CE1000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63ce1000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 36e3d773647880db5b2940f4081cd27e8058b00963abfdf2e56aaefe293756f3
                      • Instruction ID: 93c333e2ebb9ce444187069c10dca023a9bf40d9ff6fc431fb38b79d7b5ce5fe
                      • Opcode Fuzzy Hash: 36e3d773647880db5b2940f4081cd27e8058b00963abfdf2e56aaefe293756f3
                      • Instruction Fuzzy Hash: 4302E371A042559FEB04CF5DC880A5ABBB5FF45B14B1881A9F819EF301FB32E852CB91
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.000000006201E000.00000020.00000001.01000000.00000015.sdmp, Offset: 6201E000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6201e000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e63a8953f82ce09b1b7824d181526e347e14edce605aee563c5a828700f8ed2a
                      • Instruction ID: d28fc3132714a37b8c8163ec73bd98900a1c18af92904ab221e69e5428f56313
                      • Opcode Fuzzy Hash: e63a8953f82ce09b1b7824d181526e347e14edce605aee563c5a828700f8ed2a
                      • Instruction Fuzzy Hash: 66C134B1E042596BEF10DFE4EC94BAEBFB2AF8070CF444029E8066B241DB716905D792
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063571000.00000020.00000001.01000000.00000015.sdmp, Offset: 63571000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63571000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d370a90228cfcaf4da3784c142b44944fe54fe230a8e3eb37d240da750c50567
                      • Instruction ID: 0ae9abe0fbe9dc5320bd965a5e691442ade5621212a6336d2fc7b113767d5667
                      • Opcode Fuzzy Hash: d370a90228cfcaf4da3784c142b44944fe54fe230a8e3eb37d240da750c50567
                      • Instruction Fuzzy Hash: 9FC1F272B00A019FD718CF29D890BEAB7F6FF85314F19866DE91997791D734A901CB80
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063CA4000.00000020.00000001.01000000.00000015.sdmp, Offset: 63CA4000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63ca4000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fde7a647354ceee8f528be2cb3baeab6b8f80c1b8aa05bb85453e4248fe7bc29
                      • Instruction ID: 3377d04d39342c3fb1cc997d8e1bf0b4754b112e158cc9e1940493aee4f807cd
                      • Opcode Fuzzy Hash: fde7a647354ceee8f528be2cb3baeab6b8f80c1b8aa05bb85453e4248fe7bc29
                      • Instruction Fuzzy Hash: B4B18D70A043069BD701DF28C880A5AB7F5FF8AB08F054969F999DB351FB31E945CB92
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063D37000.00000020.00000001.01000000.00000015.sdmp, Offset: 63D37000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63d37000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c21673d72bdaa6eb5c0b68d887648b83630b8e954de1741651052b05af93a40a
                      • Instruction ID: d77726e248612ab966cb9e89873c25b7650edafb9c1df4822125d41f70cd4186
                      • Opcode Fuzzy Hash: c21673d72bdaa6eb5c0b68d887648b83630b8e954de1741651052b05af93a40a
                      • Instruction Fuzzy Hash: 2BB19CB5A04B11EFD714CF28C590A1AB7F1BF4AB18F054A2DE8AA87B41D730F954CB91
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 62c4407510966e5d8839f7c335905bf297c13a1bf7e4936958f336bfa0cd7b74
                      • Instruction ID: 60ee339554d60ae26285d48dccd30c7ccc8aab01073cca7413f3a02ace7bd61f
                      • Opcode Fuzzy Hash: 62c4407510966e5d8839f7c335905bf297c13a1bf7e4936958f336bfa0cd7b74
                      • Instruction Fuzzy Hash: 47C1D434A04218DFCB18DF59C4889A8BBF6BF49345F5584E9E90A9F264D730EE85CF90
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063597000.00000020.00000001.01000000.00000015.sdmp, Offset: 63597000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63597000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c574351dd16ef0a4fa1bd918f14d2cbc6a9c5117fee3c14673334e43d025fd49
                      • Instruction ID: e0b779a84deb49048883e25305a36eaf9c2dea8b74378686f0b8d3452dccdd98
                      • Opcode Fuzzy Hash: c574351dd16ef0a4fa1bd918f14d2cbc6a9c5117fee3c14673334e43d025fd49
                      • Instruction Fuzzy Hash: 6CA154346083809FEB15CF14D194A5EBBF2BF8AB14F08485EF89957391C771AD49CB82
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.00000000623BA000.00000020.00000001.01000000.00000015.sdmp, Offset: 623BA000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_623ba000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6931a48bb8a7ec195192f4eb740cd6192570b046c468551077e7a0dc46973373
                      • Instruction ID: 9774a0735daa5db0392a8ce1ee3decae0864408e744675f00b253c8998e37b9c
                      • Opcode Fuzzy Hash: 6931a48bb8a7ec195192f4eb740cd6192570b046c468551077e7a0dc46973373
                      • Instruction Fuzzy Hash: 9B51F771704B089FE714CF24C860B2A77B5FF9631AF15491DD56A8BA81E732E902C7D2
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ef04fa40c8b3daa50ba3816b857045e9c24840a12bb364a632a99a9099cc0635
                      • Instruction ID: a0a7c619ddd24257c76877c0701d42b96acae006e62856eeb8288c2ee21af7f5
                      • Opcode Fuzzy Hash: ef04fa40c8b3daa50ba3816b857045e9c24840a12bb364a632a99a9099cc0635
                      • Instruction Fuzzy Hash: 9E71923070021ADFCB45EF68D8948AEBBBAFF98301B108469E606C7355DB34DE46CB90
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.00000000619D7000.00000020.00000001.01000000.00000015.sdmp, Offset: 619D7000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_619d7000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a25e17105c9405d17e22e5aa6b368483b3df63ec54533ed898bf6ee39554c1dd
                      • Instruction ID: 1aa0e46ccd8e994f92fe5fb1fece1b9c8659bb36fdaa844e792a5384d9bf3cd2
                      • Opcode Fuzzy Hash: a25e17105c9405d17e22e5aa6b368483b3df63ec54533ed898bf6ee39554c1dd
                      • Instruction Fuzzy Hash: 07617E7190070AAFDB14DF65C881AAEBBF4FF99308F00891DF446A7250EB30A945CBA0
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b333152ae182fa65ba67eefb882e93c6aca94d418fafd2cc798302c5c64276e8
                      • Instruction ID: 10131e468959c3cc8a167b9053aba42d5118e8029e76cc023bd01a643c5871dd
                      • Opcode Fuzzy Hash: b333152ae182fa65ba67eefb882e93c6aca94d418fafd2cc798302c5c64276e8
                      • Instruction Fuzzy Hash: 1E516A35B60215CFCB48EF69D8498ADB7B6FF89B5171180AAE506CB361DB30EC05CB90
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2cc380d84ab64a09c3709bfe2c49d81682e0e4f7ea007873c5e23f67c5cd2862
                      • Instruction ID: 5525e9dfb3524be1188de76688b0c1ddac81641c8c43ce3194afacefa89e0506
                      • Opcode Fuzzy Hash: 2cc380d84ab64a09c3709bfe2c49d81682e0e4f7ea007873c5e23f67c5cd2862
                      • Instruction Fuzzy Hash: B3417632B042608FCB64BB6DE88047EBBF5EFC5751B15417BE685C7241EA259C81C7D1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063D37000.00000020.00000001.01000000.00000015.sdmp, Offset: 63D37000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63d37000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 713f201286dfc9a4b98cc07cc77ac233a1326c36d09f5c1a056ab0b6b79a42d8
                      • Instruction ID: 02c4fdb2fa9527256e1d790c1adf6fbbcc85e293c2c24dbb19b8ba8247243f00
                      • Opcode Fuzzy Hash: 713f201286dfc9a4b98cc07cc77ac233a1326c36d09f5c1a056ab0b6b79a42d8
                      • Instruction Fuzzy Hash: FC6165B0600B01EFD724CF28C594A56B7F1FF49B14B148A2DE8AA87B91D730F865CB90
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.00000000619D7000.00000020.00000001.01000000.00000015.sdmp, Offset: 619D7000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_619d7000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9d4c78849fa575634aa3cb557faaa736f112bba4cf16ebeae9377429d9215836
                      • Instruction ID: 16c7d37fcf48fbac13938aaaec9057c0262f98c393b6750192d9fa93ceb98cca
                      • Opcode Fuzzy Hash: 9d4c78849fa575634aa3cb557faaa736f112bba4cf16ebeae9377429d9215836
                      • Instruction Fuzzy Hash: E0516F75D0060AAFDB04DFA5C891AEEBBB9FF95718F008519F406A7240EB34B955CBE0
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063C58000.00000020.00000001.01000000.00000015.sdmp, Offset: 63C58000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63c58000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1a2a87196a92214de7f62c37d30cf78b9d3fd7ea3d98adcc985499ba9cee3621
                      • Instruction ID: 02c75946733d104d5269e250dd8abdefb1d7b7a23cad79ee0bcdd73a00b0c6fc
                      • Opcode Fuzzy Hash: 1a2a87196a92214de7f62c37d30cf78b9d3fd7ea3d98adcc985499ba9cee3621
                      • Instruction Fuzzy Hash: BB5113B16083008FC704DF28C49061EBBF5BF89A24F454A2DF896DB351EB34E959CB86
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061E75000.00000020.00000001.01000000.00000015.sdmp, Offset: 61E75000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61e75000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5872468f4ae31c4d06e29d391ab7083f4b00ac235f8d18c7740df538026af360
                      • Instruction ID: 8b731f6b2af6a2e5a2cd418f8fee022bb3031213efb6f85821d9d270ed4e76fe
                      • Opcode Fuzzy Hash: 5872468f4ae31c4d06e29d391ab7083f4b00ac235f8d18c7740df538026af360
                      • Instruction Fuzzy Hash: BE517471D052699BEB21CF21CD48B9EBBB9EF96308F2082DAE44D66101DB719AC5CF41
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061DA3000.00000020.00000001.01000000.00000015.sdmp, Offset: 61DA3000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61da3000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 029cffc8973ac6aa0d2658e6727707cc1512d5731325fb3e20d6bb1886f735d8
                      • Instruction ID: feae3f93bab3790139b5314b0e99615d4bdce3b01e3425e46487244d9e1ec272
                      • Opcode Fuzzy Hash: 029cffc8973ac6aa0d2658e6727707cc1512d5731325fb3e20d6bb1886f735d8
                      • Instruction Fuzzy Hash: 30415571A08345BFEB04CF58C850FAFBFB6AF85B18F48C219E9456B251DB309A06C791
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061DA3000.00000020.00000001.01000000.00000015.sdmp, Offset: 61DA3000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61da3000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e1ad277d2f3fa479916d1588e6ccd5f4cbcefbd9c0088bec2012ceb9d086238a
                      • Instruction ID: 33734d6e6a504a03ff6b5aef1fae81171a3d60a6012559b6f93fe3185b745f80
                      • Opcode Fuzzy Hash: e1ad277d2f3fa479916d1588e6ccd5f4cbcefbd9c0088bec2012ceb9d086238a
                      • Instruction Fuzzy Hash: 09417831908345BFDB0ACF58C851BBEBFB6AF85318F04C25DD8555B2A2D7708A16C791
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000062036000.00000020.00000001.01000000.00000015.sdmp, Offset: 62036000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_62036000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b47b5627d445958ebff1879061bd68ce467ec7a554c24eb1f89deef843e8bf3e
                      • Instruction ID: 6ac1b3f5864d8c44e88d4379593b125f1a934b959c4d60cdde52e97b9f71c848
                      • Opcode Fuzzy Hash: b47b5627d445958ebff1879061bd68ce467ec7a554c24eb1f89deef843e8bf3e
                      • Instruction Fuzzy Hash: 4F417B70A0031A9FDB15CF25C990BABBBF5FF88718F10841EE91A9B245D770E811DBA0
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1dc2e30c967f0ceff020708207412235380770fcd6a86d212af33a3aa7540732
                      • Instruction ID: 2c5640d887fa1e7e43646b23eb3b434cf6ee845b729a35951486fd075816e5f6
                      • Opcode Fuzzy Hash: 1dc2e30c967f0ceff020708207412235380770fcd6a86d212af33a3aa7540732
                      • Instruction Fuzzy Hash: 0E413935B101008FCB44EF68C598A6DBBE6FF89714B6980A9E506DB3B6CB75EC05CB50
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a8fab7967929327dddf7a4c9084829987c8eae2182d5ba5c398012ecd10d1572
                      • Instruction ID: e2d5d2c17c6593fc79ef4d4588a10f6b21075bf77284f88848de004273558aeb
                      • Opcode Fuzzy Hash: a8fab7967929327dddf7a4c9084829987c8eae2182d5ba5c398012ecd10d1572
                      • Instruction Fuzzy Hash: 47412534B101008FCB44EF69D498A6DBBE6FF89714B2980A9E506DB3B6CB75EC05CB51
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ca83c33dd9f05f88211244958446cc47bc3c275a008a848089fc45f5b3503fb9
                      • Instruction ID: 391787f43a8608f6e80dcb4f93611ce15e32097d465f06c7170701bc0dd8cddb
                      • Opcode Fuzzy Hash: ca83c33dd9f05f88211244958446cc47bc3c275a008a848089fc45f5b3503fb9
                      • Instruction Fuzzy Hash: DC41C331A64249CFDB80EB28C8947FEBFB1AF49304F0881A9D106EB392C6759D44CB61
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063CC7000.00000020.00000001.01000000.00000015.sdmp, Offset: 63CC7000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63cc7000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8a8a17d33a05ce7fe76aff6224e59ba74c346d9aa1b3fd1deccc39a742360fb4
                      • Instruction ID: c5acfdafa098e56fab5c895e4a5b6e34c5704cbef4a4368ed69d47eb5edfa9b6
                      • Opcode Fuzzy Hash: 8a8a17d33a05ce7fe76aff6224e59ba74c346d9aa1b3fd1deccc39a742360fb4
                      • Instruction Fuzzy Hash: F741C371A04B408FCB20DF29C490A1ABBF1FF46B18B00895DF896CB651E734F844DB52
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1278b89ce76024674301e1ed4387af57c839fa93bb972edaafc5d3bce7763af7
                      • Instruction ID: 9ad19ae111137b19881f59faffc377e6198c039141f139767a0872386f754023
                      • Opcode Fuzzy Hash: 1278b89ce76024674301e1ed4387af57c839fa93bb972edaafc5d3bce7763af7
                      • Instruction Fuzzy Hash: 2231A235E042169FCF10DF68D8809AAFBB1FF49320B1585A9E529EB251D331ED42CF80
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d9f82de86e5db42728ee68cb8c9f65a3da599a9a92c54d252dcf0f0e14989c2d
                      • Instruction ID: 366c433d49cc9686ea6491b11524e989db197dbececca8e450eb5067e1d12c65
                      • Opcode Fuzzy Hash: d9f82de86e5db42728ee68cb8c9f65a3da599a9a92c54d252dcf0f0e14989c2d
                      • Instruction Fuzzy Hash: 2F41E3B1D012489FCB14DFA9D595ADEFBFABF48304F24802AE409BB250CB749945CF95
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a73f93b473cb647a35f7109df434999c2b8e6c69eb7a61b7a5c6c4176b545664
                      • Instruction ID: e940f4047af5fc662b2aa9ba03e693a6ab1bef0dd8046435e12c142b2e2725d5
                      • Opcode Fuzzy Hash: a73f93b473cb647a35f7109df434999c2b8e6c69eb7a61b7a5c6c4176b545664
                      • Instruction Fuzzy Hash: 8441F2B1D01258DFCB14CFA9D985BDEBBFABF48304F24802AE405AB250DB75A945CF94
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 49c9cfe9bcf1592d02fd60a3dec153e51ae1cd65a08e130fd29ff06ea8a71684
                      • Instruction ID: e9eac9bad3d0452cd0d76b3cd99a8e027eaf5cbaac43a6e9a6fe5dd245468922
                      • Opcode Fuzzy Hash: 49c9cfe9bcf1592d02fd60a3dec153e51ae1cd65a08e130fd29ff06ea8a71684
                      • Instruction Fuzzy Hash: 0941D2B1D012589FCB14DFA9D594ADEFBFABF48304F24802AE409BB250CB749945CF54
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fb53fbbb7ca0da395a61961d9d6208e12ce25651ef91e58fa9241c905e4021d8
                      • Instruction ID: 9f28bb024a03f260136bb4d507bf6b16ef167af531b9c0d22c9885c735c21e00
                      • Opcode Fuzzy Hash: fb53fbbb7ca0da395a61961d9d6208e12ce25651ef91e58fa9241c905e4021d8
                      • Instruction Fuzzy Hash: 704115B1D01248DFCB14DFA9C984BDEBBF6AF88304F14802AE505BB250DB749945CF61
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c680fc3183cd655ad5296c79c82567ba95df47aeb4cdc39ec9af9d07a0c95b69
                      • Instruction ID: 9931f816ee0e447c5f87bb6f6fc87cb76a097ea8a2ea5930f4d1b5943d496c19
                      • Opcode Fuzzy Hash: c680fc3183cd655ad5296c79c82567ba95df47aeb4cdc39ec9af9d07a0c95b69
                      • Instruction Fuzzy Hash: 2B31F5B1D01258DFCB14DFA9C984BDEBBFAAF48304F14802AE505AB250DB749945CFA5
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 79c3e87a9cbfee328f39981347b528e49dc87fa942d24fcb5a821f62448a9b14
                      • Instruction ID: df257e806d738ab998361b06cdfa99b6641043b9ad0e3097591d54af190c2d35
                      • Opcode Fuzzy Hash: 79c3e87a9cbfee328f39981347b528e49dc87fa942d24fcb5a821f62448a9b14
                      • Instruction Fuzzy Hash: 933100B1D01248DFCB14CFA9C984BDEBBFABF48304F24802AE409AB290DB745945CF94
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061CE0000.00000020.00000001.01000000.00000015.sdmp, Offset: 61CE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61ce0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1586aba6e1b49a8676edd8b9693e0b7476ef3f7ff3ab1874307f1d54166a456e
                      • Instruction ID: ce665295a12cafa4dd81794796dd6b8ffb073d0b49d3c76265907b7466259059
                      • Opcode Fuzzy Hash: 1586aba6e1b49a8676edd8b9693e0b7476ef3f7ff3ab1874307f1d54166a456e
                      • Instruction Fuzzy Hash: 552103366047099BCB00CF24C884A9EBBB1FFC9358F05852DE85A8B241EB30E954CBC6
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063597000.00000020.00000001.01000000.00000015.sdmp, Offset: 63597000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63597000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 730af674839f4f56c2377b386d575ae299adccd028f04495189dafc98c7b8d67
                      • Instruction ID: bac15df26b90a311d0fb63c3793688897eabe65c5422eff0ed34057f35057db5
                      • Opcode Fuzzy Hash: 730af674839f4f56c2377b386d575ae299adccd028f04495189dafc98c7b8d67
                      • Instruction Fuzzy Hash: DE214D319087959BFB22DE10E54079EBBF4AF84B54F09094EFC95672D1D730A949CB82
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4740722460.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9ac0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c27afbe9cc618e7daa131c725197695826217a8ec511729b3cc189d95a41aaf2
                      • Instruction ID: e8738d729acf1e04d6e4d49fad6fb6a357718a5063c16f5b9418656a45cc3a79
                      • Opcode Fuzzy Hash: c27afbe9cc618e7daa131c725197695826217a8ec511729b3cc189d95a41aaf2
                      • Instruction Fuzzy Hash: 572121B1600200EFCF05CF54D9C4B26BFA5FB88714F20C5ADE90A4E25ACB36D45ACBA1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4740722460.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9ac0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d2a960545bce5fdf64c726b5dee335e8db35261b720027ba38dcd8dc6f870cc6
                      • Instruction ID: c6febc7d37d1a0ffe90d928ae5e8dae0ffa02547f3e898a9de05e322448caf25
                      • Opcode Fuzzy Hash: d2a960545bce5fdf64c726b5dee335e8db35261b720027ba38dcd8dc6f870cc6
                      • Instruction Fuzzy Hash: AB21D1B1504208DFDB05DF14D984B16BB65EB88B14F20C56DED094E356C736D856CAA1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4740722460.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9ac0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 625d94b0956b5b4ea4fff7d42bf9c6dc99361770232b7528942f6cee21c15d1a
                      • Instruction ID: 02f9398478fdbfb337eaff1c4099337b7862de7c4c1ddb2fd66178af865b9cf8
                      • Opcode Fuzzy Hash: 625d94b0956b5b4ea4fff7d42bf9c6dc99361770232b7528942f6cee21c15d1a
                      • Instruction Fuzzy Hash: A22103B1504240EFCF04DF14C5C4B26BB65FB88B14F20C56DE90A4F252CB37D456C661
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061E5A000.00000020.00000001.01000000.00000015.sdmp, Offset: 61E5A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61e5a000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f15ed047516aa050cdd3e6c7398d2dd3b96e9b015e919675ea54518f0a1068cb
                      • Instruction ID: f681d5b21a09cf5d256fdc757c16e2ee6d0dc95ae675437ff4a834a59ba37f6e
                      • Opcode Fuzzy Hash: f15ed047516aa050cdd3e6c7398d2dd3b96e9b015e919675ea54518f0a1068cb
                      • Instruction Fuzzy Hash: 1E21A4B5A002149FDB10CF55D885DAFBBB9EF88718B05842DE9069B311E730E904CBF1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c4042892bad2c6a7dc221576b1a994c008d601e7337d50105dc8b03c0197b523
                      • Instruction ID: 00649900ac6c842ebce0854d17918da5cd2cd61c6571e88b64a9a1367e95fc2c
                      • Opcode Fuzzy Hash: c4042892bad2c6a7dc221576b1a994c008d601e7337d50105dc8b03c0197b523
                      • Instruction Fuzzy Hash: 2B2146B5604384DFDB00DF15C5C0B26BFE5FB84314F20C6ADD9094B296C3B6D846CA62
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3db4f83e844e1846bc45a0cbe780c4863b997ac9bf22fe336516dac9b7994c22
                      • Instruction ID: 60fefa5bed732335a233b8f71b86e12a58ae568845804e03e9114265aceaf6c1
                      • Opcode Fuzzy Hash: 3db4f83e844e1846bc45a0cbe780c4863b997ac9bf22fe336516dac9b7994c22
                      • Instruction Fuzzy Hash: 93213871504280DFCB10DF15D9D4B26BBE5FB84324F38C5ADD8494B282C3BAD847CA62
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9f2f1f8e8634fdbd7f918b0213ee7e1d4087e1b4812f80aa98c6318b442107d5
                      • Instruction ID: 9ab2150cf649a6cad81e9b02aa71f6d4856697dbc2c3741c67ff3598b0ea0d91
                      • Opcode Fuzzy Hash: 9f2f1f8e8634fdbd7f918b0213ee7e1d4087e1b4812f80aa98c6318b442107d5
                      • Instruction Fuzzy Hash: 17214675604280DFCB00DF15D9C0B26BBE6FB98314F20CAADE9094B296C33ADC46CB61
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4740722460.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9ac0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3f0fe76bb9e16029f1a30e4403d4936b603e05636953358814df491fa05ff4dc
                      • Instruction ID: 34fb33e773ed4df0bab8508cacd348fe43e2b715920fb9667e057518868d4c0f
                      • Opcode Fuzzy Hash: 3f0fe76bb9e16029f1a30e4403d4936b603e05636953358814df491fa05ff4dc
                      • Instruction Fuzzy Hash: EA21F2B5544204EFCB05DF14DA80B27BBA5FB84B14F20C56DEC194F296C73AE446CA61
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061E5A000.00000020.00000001.01000000.00000015.sdmp, Offset: 61E5A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61e5a000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d0ff3cac02670714b0e09c3ed381d7913f19412c431b3a178c72ef29a045223b
                      • Instruction ID: 387df4b9f045f893c3b77d037fe046d23ce2584e947e63f210caedfac5a4fe57
                      • Opcode Fuzzy Hash: d0ff3cac02670714b0e09c3ed381d7913f19412c431b3a178c72ef29a045223b
                      • Instruction Fuzzy Hash: 282184B5A00204AFDB10CF95C885DAFBBB5EF88714B01842EE9059B341E730E904CBF0
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 81f3a7078254c05326343b4f11d42a9f97ba6957f6da3c4c302142fde23aca46
                      • Instruction ID: 4e16ff5281050cbf3bc0ab50ea06755b2af0e5be3e5422e2f4a4e43884e5236a
                      • Opcode Fuzzy Hash: 81f3a7078254c05326343b4f11d42a9f97ba6957f6da3c4c302142fde23aca46
                      • Instruction Fuzzy Hash: B6110334B042544FCB10EF7DA4146AFBFFADF89650F1404A6EA88D7342DA619905CBE1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9c0786a728c17eff10862ef95806ae12af56681c6e28e7e01c976ccc26f4ac40
                      • Instruction ID: a3fb9dc31d692e424efb63c48f9b4cfca51a442fe617b5fbd9fcd1e8115c5d79
                      • Opcode Fuzzy Hash: 9c0786a728c17eff10862ef95806ae12af56681c6e28e7e01c976ccc26f4ac40
                      • Instruction Fuzzy Hash: 6C216F32E1071A8BDF15DF95D8505EEF7B6FF85304F14892AE905B7240EBB0A94ACB80
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 65558e6b9c8daa43e474307185a283d4186f0968d36e474a2c5b5641ab7f1476
                      • Instruction ID: 32c508464173bba27cbafadab62da19a402df82e5f8ae652e4aef6ca522fba2c
                      • Opcode Fuzzy Hash: 65558e6b9c8daa43e474307185a283d4186f0968d36e474a2c5b5641ab7f1476
                      • Instruction Fuzzy Hash: 542105B1604280DFDB05DF15D6C4B2ABBF5FB94714F20C6ADE84A4B391C33AD846C662
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d7efad8cfb6c040808c65458014c864b9f136e6dd76a371e964f449855e557a1
                      • Instruction ID: 18c22ffcfa77e699c79468870b13a8a6e8c962ad999146d8607dbd0947d8272e
                      • Opcode Fuzzy Hash: d7efad8cfb6c040808c65458014c864b9f136e6dd76a371e964f449855e557a1
                      • Instruction Fuzzy Hash: EF210171605281DFDB04DF14D6C4B3ABBE5EB95314F20C6BDE8094B291C33AD806C6A1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 80776579933c509d7e80f1b3da73e4a7cfd06fcb5199b4051dbedd9e0704a2ba
                      • Instruction ID: e5873aa7889226e1d5d950ab6f21211327c7b78ec3e60168f8ad35495bb79a39
                      • Opcode Fuzzy Hash: 80776579933c509d7e80f1b3da73e4a7cfd06fcb5199b4051dbedd9e0704a2ba
                      • Instruction Fuzzy Hash: B321F3B16442819FDB04EF25D6C4B36BBE5EB94314F30C6BDD90A4B2A5C33AD846C661
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ecdcb6c29ea4007b08d0e6b35d178d51f5f0151dbd5fc6811295b0c03e63256f
                      • Instruction ID: 33275a3b9476d1c933513bf44d2b9c6aa2541a117d47b49142264e5f4c4934bb
                      • Opcode Fuzzy Hash: ecdcb6c29ea4007b08d0e6b35d178d51f5f0151dbd5fc6811295b0c03e63256f
                      • Instruction Fuzzy Hash: ED2157B0604280DFD714DF24D5C4B26BBE4FB94314F30C6ADD80A4B352C3BAD846C6A1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4c10e0c5d31f130125491aae5fff86738a48103aaa7f45d7558c9e434d9389ff
                      • Instruction ID: b54126af2f7245fd1986a7a3055a262fa00115909c5f9b203dd267070bcaa3d1
                      • Opcode Fuzzy Hash: 4c10e0c5d31f130125491aae5fff86738a48103aaa7f45d7558c9e434d9389ff
                      • Instruction Fuzzy Hash: B92132B5604281DFDB04EF24D5C0B36BBE5EB94314F20C6BDD80A4B291C73ADC46C661
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 924d745570714c69590950c744c2fa3736201700fb8459908628ef328a032c45
                      • Instruction ID: a96f5f8b403038af09ab89473b45d2a8b66184fa73eb9cf65aa843ac63b05039
                      • Opcode Fuzzy Hash: 924d745570714c69590950c744c2fa3736201700fb8459908628ef328a032c45
                      • Instruction Fuzzy Hash: 1121F6B5504281AFD704DF25D5C4B36BBE5EB94314F20C5BDD98A4B392C33AD846C6A1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d3808e476eaedd1792fda6e5831fa3203b3727ec6834147558bfa71913dde4f0
                      • Instruction ID: 92bcdb82c4f3e4724e20dce08da9023130f6cf95867ecd81844debced00fd91a
                      • Opcode Fuzzy Hash: d3808e476eaedd1792fda6e5831fa3203b3727ec6834147558bfa71913dde4f0
                      • Instruction Fuzzy Hash: 242124B1604280DFDB04DF25D5C4B26BBE5EB94314F30C6BDD90A4B391C33AD846C661
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 346f9ba60266db24b741611b78eebd19655a7eb921bbbe123dcd38a241b6cef7
                      • Instruction ID: fb65ac929825c529aa9100b918093b565e535a01079757bb52b4aecad4f2f5f5
                      • Opcode Fuzzy Hash: 346f9ba60266db24b741611b78eebd19655a7eb921bbbe123dcd38a241b6cef7
                      • Instruction Fuzzy Hash: 4721F0B1604281DFDB04EF25D9C4B36BBE5EB94314F20C6BDD94A4B291C33AD846C6A2
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7f76b078596c9118b8f6f85b461cabb0d46f2efc8814ca97d1e9aaa1208853b1
                      • Instruction ID: ff2da0e4488a453cbabcbd37126e77cf125410d26b0335674eed95a0f75a24e3
                      • Opcode Fuzzy Hash: 7f76b078596c9118b8f6f85b461cabb0d46f2efc8814ca97d1e9aaa1208853b1
                      • Instruction Fuzzy Hash: 642105B5644281DFD704DF25D5C4B3ABBE5EB94314F30C6BDE90A4B291C33AD846C661
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d3a2c2411ae7bc4beb6ee8a6477ebd46c2f0ca4b0530b02f8b86374b80c039bf
                      • Instruction ID: de0f857e346e2e6d89312d37c8986a09a642d27f38a98e49929ad2d8d9d70058
                      • Opcode Fuzzy Hash: d3a2c2411ae7bc4beb6ee8a6477ebd46c2f0ca4b0530b02f8b86374b80c039bf
                      • Instruction Fuzzy Hash: D82127B1644280DFD714DF25D5C4B26BBE5EB94314F30C6ADD90A4B395C33AE846C6A1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063C4A000.00000020.00000001.01000000.00000015.sdmp, Offset: 63C4A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63c4a000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8d25798a2c96c8f8eb8be5b3ee299b324d4a40378b9df4da9ef340189cb8f1f9
                      • Instruction ID: 1b3d755263e3645cde9cc8ccc6481f5524e0eb2a348d8413a5635d98a1073a05
                      • Opcode Fuzzy Hash: 8d25798a2c96c8f8eb8be5b3ee299b324d4a40378b9df4da9ef340189cb8f1f9
                      • Instruction Fuzzy Hash: 7B21AC35600B048FD791CF24C5557AAB7F1FF46718F05886DE89ACBA52FB32A849DB80
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 07a373b0d0c63cee904f0bd9b152950ea3f3f6a1c91bd75a5753968f899ab5da
                      • Instruction ID: ab836595166cafecb2ebceec865d12d472a40d57c78287057667aa263d8c2d18
                      • Opcode Fuzzy Hash: 07a373b0d0c63cee904f0bd9b152950ea3f3f6a1c91bd75a5753968f899ab5da
                      • Instruction Fuzzy Hash: B32158306447618FC715DF28D494D5ABBF2EF8531471544AAE242CB772DB32EC44CB40
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 096985bd11884b3083e4ecb03e97d5c8f259511b4ce85b1b34a1906e0516f635
                      • Instruction ID: 306750885ee870331f046bd5faadf255be790e406ab6b79e5be0a61380d6f72b
                      • Opcode Fuzzy Hash: 096985bd11884b3083e4ecb03e97d5c8f259511b4ce85b1b34a1906e0516f635
                      • Instruction Fuzzy Hash: 3A2184755093C08FDB12CF20D994715BFB1FB45314F29C5EAD8498B693C37A980ACB62
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063571000.00000020.00000001.01000000.00000015.sdmp, Offset: 63571000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63571000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 34bde62ac84078a5141a6eca7dd8098e338aef709c6d42c7ba5b3ed29b2da61c
                      • Instruction ID: 8507fee8c508a79fa879eb92235340ed845e530dbb1b2ee03bd89a11d4f0e41f
                      • Opcode Fuzzy Hash: 34bde62ac84078a5141a6eca7dd8098e338aef709c6d42c7ba5b3ed29b2da61c
                      • Instruction Fuzzy Hash: CD110072A00B044FC7188A29DC41BEAB3F6FFD8325F0A853DEA0997391D634A9018B90
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4740722460.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9ac0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b29b612565f3c29fca56b7262dcb6e7a6eb5c004aee1e4b425a9623457d3f1c5
                      • Instruction ID: 506382de56d40bd6bd3db7b2eecb2e8e86ba278461a385e6805537333a7cef49
                      • Opcode Fuzzy Hash: b29b612565f3c29fca56b7262dcb6e7a6eb5c004aee1e4b425a9623457d3f1c5
                      • Instruction Fuzzy Hash: 622158B6504240DFCF06CF50D984B16BB62FB48714F24C5A9E9094E26AC33AD46ACBA1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cadaeb00a73ff1882e6ba275e2e40ef031f9425cf3647f9a562de94e7cff6926
                      • Instruction ID: 4e75cace840b12c9147d35d65f9c265a6513bf08448a6eb92bbc2ca9271a22d5
                      • Opcode Fuzzy Hash: cadaeb00a73ff1882e6ba275e2e40ef031f9425cf3647f9a562de94e7cff6926
                      • Instruction Fuzzy Hash: 7211FA363101149FCB049F59E884D5E7B7AFF88761B148196FA098B375CB72DC51DBA0
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4740722460.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9ac0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8584e8b34059ca45f0b9382214227a81a61fed94124399a3e2ed2ae9508f89ab
                      • Instruction ID: 03cc1a8346acb3d168bf186b6928794d1dd7b13a2767d9b481ccf01e98c51e6a
                      • Opcode Fuzzy Hash: 8584e8b34059ca45f0b9382214227a81a61fed94124399a3e2ed2ae9508f89ab
                      • Instruction Fuzzy Hash: E3119AB6504244CFDB06CF14D9C4B16BF62FB84714F24C6ADE90A4E256C33AD85ACBA2
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4740722460.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9ac0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ba3ac9388d48d1d0907abc59679f8125cf5a58857ce11d2f015c82d4c6e0e3dd
                      • Instruction ID: a6927900453a3b9ae0729a04b93de3ef22f3fd8a077bcce197ccc6cd0850b350
                      • Opcode Fuzzy Hash: ba3ac9388d48d1d0907abc59679f8125cf5a58857ce11d2f015c82d4c6e0e3dd
                      • Instruction Fuzzy Hash: CC117CB5504280DFDF06CF14D5C8B15BB61FB84714F24C6ADE9094F266C73AD45ACB61
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                      • Instruction ID: 6bb5c7bcff4ff68efbe8fe20a109fe9cae45968c343923d2cece87ca4f03bd8e
                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                      • Instruction Fuzzy Hash: B111DD79504280CFDB01CF10D5C4B15BFA2FB84318F24C6AADC494B696C33AD80ACB61
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                      • Instruction ID: 174cb50e93820d83c7c873ce2b091d217f2639dd21d6ad09911fd5c1558a4429
                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                      • Instruction Fuzzy Hash: 9511DD75504284DFDB01CF20D5C4B15BFA1FB84314F24C6AAD9094B256C37AD80ACB61
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4740722460.0000000009AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9ac0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                      • Instruction ID: 7849643482e202f8258a13407e522034cc5a757271ab15480129473591ccb2f0
                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                      • Instruction Fuzzy Hash: B111BBB9504284DFCB02CF14D5D4B16BBA1FB84714F24C6AEEC094F2A6C33AE40ACB61
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 04ca03276ac0ccff4c81988cf554042a47405952ec31bc816ea136efef3652f3
                      • Instruction ID: 0fdf290f27d98d2851aa1a81a77d73cf2cd86e74ddeabd8dd5e1e6b04e21c800
                      • Opcode Fuzzy Hash: 04ca03276ac0ccff4c81988cf554042a47405952ec31bc816ea136efef3652f3
                      • Instruction Fuzzy Hash: 96118C75504680DFDB15CF14D6C4B19BBB1FB94318F24C6AED8494B792C33AD84ACBA2
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 04ca03276ac0ccff4c81988cf554042a47405952ec31bc816ea136efef3652f3
                      • Instruction ID: b4e874c4fbfcc47cfa4320090c3cb5c2549bd122933b410f00ac6f510506f551
                      • Opcode Fuzzy Hash: 04ca03276ac0ccff4c81988cf554042a47405952ec31bc816ea136efef3652f3
                      • Instruction Fuzzy Hash: E711BC75505280CFDB05CF14D6C4B26BFA1FB95318F24C6AEE8494B692C33AD80ACB92
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
                      • Instruction ID: b6f68566722713a0a5e3c2286ebdffc5e433564a8035f8a91a292bc0472dd85d
                      • Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
                      • Instruction Fuzzy Hash: F211CE755042808FDB05DF24D5C4B25BBA1FB94314F24C6BEC8494B6A6C33A984ACB92
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
                      • Instruction ID: e4d6257fea65aa3b208bf11c936098481354133ad2902f93e1792a8f9a5d9c7c
                      • Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
                      • Instruction Fuzzy Hash: F2119EB55046808FDB15DF24D5C4B25BBB1FB94314F24C6ADC8494B652C33ADC4ACB92
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
                      • Instruction ID: 3f3fc961c4858ecc1cbcc9c264f8c8f742f342a9c77ae9f372c264970819a8e7
                      • Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
                      • Instruction Fuzzy Hash: C7119EB95046809FDB15DF24D5C4B25BBA1FB94314F24C6ADC8894B792C33AD84ACB92
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
                      • Instruction ID: 8d2d9448e3724137b2bbb623283bc995c454cd3d429112f4167bd7f8e539894d
                      • Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
                      • Instruction Fuzzy Hash: 20119E75904680CFDB15DF24D5C4B25BBA1FB94314F24C6FEC8494B692C33AD84ACB92
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
                      • Instruction ID: 7921ba3be14df14084d84dfbeee92a47b0720edf508009348ff1c38150ecd8a5
                      • Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
                      • Instruction Fuzzy Hash: 9C11A0B5504680CFDB15DF24D5C4B29BBA1FB94318F24C6BEC84A4B652C33AD84BCB92
                      Memory Dump Source
                      • Source File: 0000000C.00000002.3446949998.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_bed000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
                      • Instruction ID: ebc62617e0e8b2ab042d8b4a92cc811420d61d17c5783322549fcc817b5f8dad
                      • Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
                      • Instruction Fuzzy Hash: 4D11E075504280CFEB15DF14D5C4B15BBA1FB94314F24C6ADD84A4B752C33AE84ACB92
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063597000.00000020.00000001.01000000.00000015.sdmp, Offset: 63597000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63597000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5490ab72da32aef438f5fde4701865b2b69f4c9ae01c492549007d36dc84322e
                      • Instruction ID: ca148b5f06a19e9f5959478bba90cc9d0d5dee73752ec488531d171ed125b5d5
                      • Opcode Fuzzy Hash: 5490ab72da32aef438f5fde4701865b2b69f4c9ae01c492549007d36dc84322e
                      • Instruction Fuzzy Hash: 7411C03190C3C69FEB15CF10E09079DBBA0EF99B58F08089AED95572D2DB20AD49CB42
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b4ed860dd0c289bdfe9793b51b8384f7b8d199c98a1445ea813f1d1c542e29e2
                      • Instruction ID: 3f0efafe6cc52d908cd6f146c7b33bef879195e0d93e1bcc9c4ecbb9f63047c2
                      • Opcode Fuzzy Hash: b4ed860dd0c289bdfe9793b51b8384f7b8d199c98a1445ea813f1d1c542e29e2
                      • Instruction Fuzzy Hash: ED014C3A300614AFC7089F65E85896ABB6AFF88315B158469F906C7365CB31EC42DF90
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063CA4000.00000020.00000001.01000000.00000015.sdmp, Offset: 63CA4000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63ca4000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bb1a2a2ce8449a36a27e1a7121c920adac8053a7944db3b4b024b4915f800eed
                      • Instruction ID: 56eaa97fa420b21f5f57835343743369ff090cce7374bfdb2634ea9097f19ce6
                      • Opcode Fuzzy Hash: bb1a2a2ce8449a36a27e1a7121c920adac8053a7944db3b4b024b4915f800eed
                      • Instruction Fuzzy Hash: F5012136200B088FC310CF19E980C97B7E5EF85B64B15850EF89A87700EB30F810CBA4
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063CA4000.00000020.00000001.01000000.00000015.sdmp, Offset: 63CA4000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63ca4000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 07e5c412a63c06ca24a1f9f29625a8e446122554c0f8e087a84caaa62dbf651f
                      • Instruction ID: 569ff8b144e0d52d9bd40b99d3491eebeab482af8088b5b99a4802c61f785726
                      • Opcode Fuzzy Hash: 07e5c412a63c06ca24a1f9f29625a8e446122554c0f8e087a84caaa62dbf651f
                      • Instruction Fuzzy Hash: 8101F2362047058FC310CF29D980887B7E5EF85B64B05851EF89A87300FB30F810CB64
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ec71489fb5eb35a69b28714e0f1422843e0f9af783368976c3b7ffd962bb2be5
                      • Instruction ID: b58c1b38bd3bf7b7127bf29312f905af0dbc803d8e81fd95082ab89c780dab5a
                      • Opcode Fuzzy Hash: ec71489fb5eb35a69b28714e0f1422843e0f9af783368976c3b7ffd962bb2be5
                      • Instruction Fuzzy Hash: 54F0A472504320AFD7244A46DC84F77BBEFFB94711F04882EF78682641D675E815D7A0
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063C6A000.00000020.00000001.01000000.00000015.sdmp, Offset: 63C6A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63c6a000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 52fa1ce0381c67100728027fc19c75b2e2108d3ef6dce288e5061122e8be6cf7
                      • Instruction ID: 3bfb2f9eb49f1d7e3735ec1dc2949f351e3628210ca41870ccf99554244c4b01
                      • Opcode Fuzzy Hash: 52fa1ce0381c67100728027fc19c75b2e2108d3ef6dce288e5061122e8be6cf7
                      • Instruction Fuzzy Hash: 9A014C71A047089FC700DF29D49465EBBE4FF89324F008A2EF8999B240DB30A958CB96
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063597000.00000020.00000001.01000000.00000015.sdmp, Offset: 63597000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63597000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1b6bc08ac2499a302851648e6fefade4b819a64d3a193a74215c931efeea9c95
                      • Instruction ID: 8798f612960170a548a6d62fd359922d77eed884e06e9992b892ec55c829dc08
                      • Opcode Fuzzy Hash: 1b6bc08ac2499a302851648e6fefade4b819a64d3a193a74215c931efeea9c95
                      • Instruction Fuzzy Hash: D001D4719082859FEB01CE10A09039DB7A4EF89B14F04045EEEA4172C2CB30AD09CB82
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063597000.00000020.00000001.01000000.00000015.sdmp, Offset: 63597000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63597000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8045a4a0277d554bd18ee7f281c0d48843f97ea2e301f02b0410d17cb120ebe3
                      • Instruction ID: ab51f5dbd46c603fef32e0ba5b53064a0a1786cc09afad33eb910414cc53c15d
                      • Opcode Fuzzy Hash: 8045a4a0277d554bd18ee7f281c0d48843f97ea2e301f02b0410d17cb120ebe3
                      • Instruction Fuzzy Hash: 7E01B974609380AFD701CF18C494A5ABBB2FF8A748F15494EE8989B391C771E842CB92
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1b996b33f2fb9af4d46b5f9dd25c1938f308c30dab91ac6453cce98e23bbddcf
                      • Instruction ID: 48d22b4195143d1231171176099827f5030082c8bbc515c0f5461ffe82eda4bd
                      • Opcode Fuzzy Hash: 1b996b33f2fb9af4d46b5f9dd25c1938f308c30dab91ac6453cce98e23bbddcf
                      • Instruction Fuzzy Hash: A20119B1A043548F8794DF2ED88085AFBE5FF8D61034142AFEA49CB722D770A941CBA5
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4a6cc573d12d7c49f1f10f56f71d12fdda361c8a134b03fe738ee053fffb3d19
                      • Instruction ID: 2b645b9464631074b11de0248d78c9962aba1b8a4684f00b63e271c8bb637158
                      • Opcode Fuzzy Hash: 4a6cc573d12d7c49f1f10f56f71d12fdda361c8a134b03fe738ee053fffb3d19
                      • Instruction Fuzzy Hash: 6EF0C2316007209FD7245B16E884E77BBFAFF94711B00882DF68243A50CA75E812C7A0
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.00000000640D3000.00000020.00000001.01000000.00000015.sdmp, Offset: 640D3000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_640d3000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6a881a544e69525621e8e6714dab103f375e621a6147a1b3fd6529ba45096963
                      • Instruction ID: 596b52fea364f089acbb95778fcb4850f50456cb4ee61087063553488bdef370
                      • Opcode Fuzzy Hash: 6a881a544e69525621e8e6714dab103f375e621a6147a1b3fd6529ba45096963
                      • Instruction Fuzzy Hash: 50F062726007049FD335CF45E801B56B7F8EF81B15F10842EE29A9B9D0D7F4A845CB84
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.00000000640D3000.00000020.00000001.01000000.00000015.sdmp, Offset: 640D3000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_640d3000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 49b4563cbb4677bc0e8c6cc9793c49ec8ecdaeee6caebe29d592ff9defa762a7
                      • Instruction ID: 3b06ed85040e5ba6c04e8cb9bf1ea2209dcd7810eb0cd71cc8fae09ce7564f84
                      • Opcode Fuzzy Hash: 49b4563cbb4677bc0e8c6cc9793c49ec8ecdaeee6caebe29d592ff9defa762a7
                      • Instruction Fuzzy Hash: DCF0B4B26007059FD3348F45E802B96B7F8EF81B15F10481FE2998B9D1D7B4A885CB85
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063597000.00000020.00000001.01000000.00000015.sdmp, Offset: 63597000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63597000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4f4e9dd2fb86fec542d5df0471123bbf4025209b795a53e66fc79ce552c408cb
                      • Instruction ID: 075e85051a9b3665b944dec58c1a6ac709ba0b65dca901298a574dc55439eb5c
                      • Opcode Fuzzy Hash: 4f4e9dd2fb86fec542d5df0471123bbf4025209b795a53e66fc79ce552c408cb
                      • Instruction Fuzzy Hash: D1019A786483809FD610CF18C494A1ABBE2FBC9B14F14490AE89997390D771E841CB82
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2765b21ea16f3e8fef50ce4353fad2fbd121a81f7a3f00ff7d8c2c6eee209b68
                      • Instruction ID: e410a65b3b76ae53e902ad2e017ef7227acca042ed575562213faf38c897a5bf
                      • Opcode Fuzzy Hash: 2765b21ea16f3e8fef50ce4353fad2fbd121a81f7a3f00ff7d8c2c6eee209b68
                      • Instruction Fuzzy Hash: 31F04F30201A019FC711EB28E9549AABBF1FF81705B0586B9E0458B67BDB35ED49CBD1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 188f642c8dc497e082a87dbf221fec7ede1f59c9432145a7dc5abbed70958567
                      • Instruction ID: dbf1bf6b6c02c4f618491e80cec9c294e52f9fa06acf8efe18e22c108940c899
                      • Opcode Fuzzy Hash: 188f642c8dc497e082a87dbf221fec7ede1f59c9432145a7dc5abbed70958567
                      • Instruction Fuzzy Hash: F1F0E5213442941FD651A63C19246BFBF9E8BC1A60B1909B2E745C7355DDA1CC06C3F4
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e2d6bd54b79846bd874dc329bc7bd3ee132e75cadce746476715c352dd23157d
                      • Instruction ID: 356cf3bfee707e6d1e433c405407be39ffb17fc06c400401e1a7825164c361fb
                      • Opcode Fuzzy Hash: e2d6bd54b79846bd874dc329bc7bd3ee132e75cadce746476715c352dd23157d
                      • Instruction Fuzzy Hash: E6E09B333401546F4714998FE8C4C6EB79DFBD91713504037F608C7251CA25DC45C760
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 111a81e52386344a91eecf9451bef5fedc74bac118a9e4248a899cafc16f3048
                      • Instruction ID: 7de1f5f9c90dbe65db52d6fc0a55f435476846e02b3ae3109b46d357a8800dbf
                      • Opcode Fuzzy Hash: 111a81e52386344a91eecf9451bef5fedc74bac118a9e4248a899cafc16f3048
                      • Instruction Fuzzy Hash: 42F01430D0031ADFCB44DFA9C9405AABBB6FF48300F208869C56AA7250D335AA42CF80
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 29c4595b7f912d17c2ab4e4740a13a26f9d144650acc38d85b9aef356b737fdc
                      • Instruction ID: 0ff1d318af94fc74fcccae1ea8616f560a3e50965a8cc7ae88a52f2a5dcc3ca6
                      • Opcode Fuzzy Hash: 29c4595b7f912d17c2ab4e4740a13a26f9d144650acc38d85b9aef356b737fdc
                      • Instruction Fuzzy Hash: F6E092353452405FC3159B69DC15D5A7BF9EFCAA11B0500ABF645C73B2DE219C04C7A0
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 28ecbc5ae8c750fdf19aeca069077e991dfff178051185fc262c51c7fbd0ed2e
                      • Instruction ID: 2ec904e9c5ecb0c760986f1244e08aba04d2d9f9c8ccd176a522f011fd3e34ea
                      • Opcode Fuzzy Hash: 28ecbc5ae8c750fdf19aeca069077e991dfff178051185fc262c51c7fbd0ed2e
                      • Instruction Fuzzy Hash: E9E022BBF0012893DF208198DC513EEB32AF7D8361F048936D602A3344EBB0A9054780
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063C6A000.00000020.00000001.01000000.00000015.sdmp, Offset: 63C6A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63c6a000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: febd73d7f479ac0a95972855e0cbe470e2b8d1c6b6520c90b57c5aefdb7b9776
                      • Instruction ID: e1b340f8f61e86017603b14e741edaf181027e33a1d14a5968497510a34660a7
                      • Opcode Fuzzy Hash: febd73d7f479ac0a95972855e0cbe470e2b8d1c6b6520c90b57c5aefdb7b9776
                      • Instruction Fuzzy Hash: FFE01271E00218BBCF04EF69C85599EBBBDEF8A268B504069EC0A97241DB317E108BD5
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 71a88bb9ff873cbec1a293b7b99cb205002294a5ecbaf681691e244a462e00f7
                      • Instruction ID: 3a6207171ff70e8f403a9d48e968c5d9e8933bae5f62588baa0629ffbae4fae9
                      • Opcode Fuzzy Hash: 71a88bb9ff873cbec1a293b7b99cb205002294a5ecbaf681691e244a462e00f7
                      • Instruction Fuzzy Hash: 8DD05B213192E05FC71721E92CA48BB1FAACAC251035555AFF044DB741DD648D0253B1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061FAC000.00000020.00000001.01000000.00000015.sdmp, Offset: 61FAC000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61fac000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d42a6e084b15a92aaf0b2c57dac4520b63358818f64976ceec02bc4fc31c3c25
                      • Instruction ID: 6ee6e484099728ce3057718277a1bbf0c933f9e8fd0caa337f947ec6c0c81a76
                      • Opcode Fuzzy Hash: d42a6e084b15a92aaf0b2c57dac4520b63358818f64976ceec02bc4fc31c3c25
                      • Instruction Fuzzy Hash: DFE04FB1E0022967DA00ABB5A81666E7BE89F45118F418079D80A9B240FA316D18C7D6
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063CC7000.00000020.00000001.01000000.00000015.sdmp, Offset: 63CC7000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63cc7000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e5a9e6fa960df714d8f46f22775b1e700153ca776dc9d824abb86a561630d1c2
                      • Instruction ID: a2c8c073d20354db4482328301b509f20310fead1533fe07379a8c8afe76874e
                      • Opcode Fuzzy Hash: e5a9e6fa960df714d8f46f22775b1e700153ca776dc9d824abb86a561630d1c2
                      • Instruction Fuzzy Hash: 74F030B4D0031D9FCB08DF58C4519AEBBB5FF09214B42459ED8165B351EB30E944CBD1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061CBF000.00000020.00000001.01000000.00000015.sdmp, Offset: 61CBF000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61cbf000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b7291612d7abace6d1f895ec0ee72b0e1ac043de5626cc76e05c78110646b547
                      • Instruction ID: 384e13f116c55ff15eb3e4089c2ec3df21349aa0774b73a9ee41d75eb7b1151a
                      • Opcode Fuzzy Hash: b7291612d7abace6d1f895ec0ee72b0e1ac043de5626cc76e05c78110646b547
                      • Instruction Fuzzy Hash: D4D0A7E270417833D420564A3C45E3F75ACC7E3A79B00043EF609E7741D5A55C1543E9
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4724283896.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_6880000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 763fb6dc70fc471655c4ede2e565555a5be786e2c1b0d3562bfdb791b2353ae9
                      • Instruction ID: 41384c73e94f6b226bb987b2a9ae5f5f7f7ba4ce714f9d47169570b53d1faa23
                      • Opcode Fuzzy Hash: 763fb6dc70fc471655c4ede2e565555a5be786e2c1b0d3562bfdb791b2353ae9
                      • Instruction Fuzzy Hash: C4D017357502105BC748666EA818D2A3BE9DBCAA21B01006AF609CB3A1DE61DC0186A4
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063C4A000.00000020.00000001.01000000.00000015.sdmp, Offset: 63C4A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63c4a000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 15a5608176b36aae10df8ca44f2ff5549e7b325626994e6f64f8e6c877d2a802
                      • Instruction ID: d80222248ae038efc09da12a331a14937ebfc604b8d50f504ca40d4c8a3d7e35
                      • Opcode Fuzzy Hash: 15a5608176b36aae10df8ca44f2ff5549e7b325626994e6f64f8e6c877d2a802
                      • Instruction Fuzzy Hash: E2D05E3A3002186F86009A0AD884C6ABBADEBDE2703144426EA0687301C632BC029AF0
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0b1bfe031a4c6df2f722743317201dc78163715eaa78f0a7003bd7e349da5db5
                      • Instruction ID: eb85a8033fc814e1928c37602484aee0f2029791f917e59c3b6e5bdcf415242e
                      • Opcode Fuzzy Hash: 0b1bfe031a4c6df2f722743317201dc78163715eaa78f0a7003bd7e349da5db5
                      • Instruction Fuzzy Hash: 72C01222320268270A1931EE285187F26CECAC6961354446AE619DB344DCB09C0223E1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000064094000.00000020.00000001.01000000.00000015.sdmp, Offset: 64094000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_64094000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e5a43d21c1e975b87af034721b8f3017f269078662c0b7dd56cd21983961796e
                      • Instruction ID: a7d075f3bcb830d0cefeeecc6a52f1c5e540f1998ad1a765620439288fa6b08d
                      • Opcode Fuzzy Hash: e5a43d21c1e975b87af034721b8f3017f269078662c0b7dd56cd21983961796e
                      • Instruction Fuzzy Hash: 15D05E3514862AF9DF000979FC0076977E80B01378710A221A978481F0DB20C6E2A189
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000061D8A000.00000020.00000001.01000000.00000015.sdmp, Offset: 61D8A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_61d8a000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b77983f42352063c338c9f306ebc50001d031783cac1aa1506ccb5566080f16f
                      • Instruction ID: 8b5174c32604fd486615462c6d1d366bf9069d083afe6783b5ccb8085a2973dd
                      • Opcode Fuzzy Hash: b77983f42352063c338c9f306ebc50001d031783cac1aa1506ccb5566080f16f
                      • Instruction Fuzzy Hash: 31C0123250020C6BDF06DF949C01CA9375AEB8C694F448010F91C05151D67295709B52
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4791869623.0000000063C6A000.00000020.00000001.01000000.00000015.sdmp, Offset: 63C6A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_63c6a000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c2df68f18194136095033dcfe47af83164b6859a4209793eae8b6a93d1d84c02
                      • Instruction ID: 55678e501adba674d7b6c33e2718af0281e9146e1e60d72793ac96a61f73f952
                      • Opcode Fuzzy Hash: c2df68f18194136095033dcfe47af83164b6859a4209793eae8b6a93d1d84c02
                      • Instruction Fuzzy Hash: D2C02BB141030C5FCF04EB4CFC46C56375CCE1050C7400000F80C8B203F921F52441B5
                      Memory Dump Source
                      • Source File: 0000000C.00000002.4700194767.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_59f0000_GamePall.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 58e9c83d91c48219c4261666125667a17f215fa884a762cbe31062e54221c8b8
                      • Instruction ID: 4afe2bd3080592a22dd18913f64289c2fccf2e254ebbd35c9847bc728f349751
                      • Opcode Fuzzy Hash: 58e9c83d91c48219c4261666125667a17f215fa884a762cbe31062e54221c8b8
                      • Instruction Fuzzy Hash: 8DC08C1290F3C14FCB668F788CA30187FF08A2674031C4CDB81C083693C820800E8346