Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe
Analysis ID:	1466524
MD5:	17cb739c8fd07235fd29fbaab85e7777
SHA1:	bb8b921acb8cce657068485c5d55f411318b7955
SHA256:	dd6f8daddb7da0e8b9be526fc3aa9c5f0808fe6926ca7a9648464f9b4f8140e1
Tags:	exe
Infos:

Detection

LummaC, Poverty Stealer, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected LummaC Stealer

Yara detected Poverty Stealer

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Query firmware table information (likely to detect VMs)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Too many similar processes found

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe (PID: 5884 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe" MD5: 17CB739C8FD07235FD29FBAAB85E7777)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

53FF.exe (PID: 3176 cmdline: C:\Users\user\AppData\Local\Temp\53FF.exe MD5: BD2EAC64CBDED877608468D86786594A)

7719.exe (PID: 2300 cmdline: C:\Users\user\AppData\Local\Temp\7719.exe MD5: 60172CA946DE57C3529E9F05CC502870)

setup.exe (PID: 6348 cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe" MD5: FF2293FBFF53F4BD2BFF91780FABFD60)

GamePall.exe (PID: 1252 cmdline: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 2920 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 3948 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 4840 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 612 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 3384 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 1356 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 1620 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 5744 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 2324 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 3352 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 2684 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 1020 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 5516 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 5816 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 5308 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 5740 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 6572 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 4068 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3924 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2 MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 3060 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2972 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 2940 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 1496 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521213265 --mojo-platform-channel-handle=4044 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 5508 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521380179 --mojo-platform-channel-handle=4056 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 6668 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 6756 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

GamePall.exe (PID: 5900 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

96C7.exe (PID: 5952 cmdline: C:\Users\user\AppData\Local\Temp\96C7.exe MD5: DA4B6F39FC024D2383D4BFE7F67F1EE1)

GamePall.exe (PID: 5716 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)

svgbeht (PID: 5988 cmdline: C:\Users\user\AppData\Roaming\svgbeht MD5: 17CB739C8FD07235FD29FBAAB85E7777)

svgbeht (PID: 6788 cmdline: C:\Users\user\AppData\Roaming\svgbeht MD5: 17CB739C8FD07235FD29FBAAB85E7777)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: LummaC

{"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}

Threatname: Poverty Stealer

{"C2 url": "146.70.169.164:2227"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.2975757928.0000000004271000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000A.00000002.2975757928.0000000004271000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2417216706.000000000281B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3a54:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2975329617.0000000002790000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2123557960.0000000004371000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2123557960.0000000004371000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2417107422.00000000027D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.2417127304.00000000027E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2417127304.00000000027E0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000A.00000002.2975710135.0000000004250000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000A.00000002.2975710135.0000000004250000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.2123328963.0000000002960000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000A.00000002.2975486855.00000000027AF000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x2efc:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
00000004.00000002.2417303583.0000000004371000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2417303583.0000000004371000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000003.2516799082.000000000069C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
00000005.00000003.2516945580.000000000069C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2123406759.000000000298C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3424:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Process Memory Space: 53FF.exe PID: 3176	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 53FF.exe PID: 3176	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 53FF.exe PID: 3176	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 96C7.exe PID: 5952	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.96C7.exe.36e0000.3.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
9.2.96C7.exe.dfff80.0.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
9.2.96C7.exe.da83c0.1.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
9.2.96C7.exe.36e0000.3.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
9.2.96C7.exe.dfff80.0.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
9.2.96C7.exe.da83c0.1.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\setup.exe, ProcessId: 6348, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GamePall

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\svgbeht, CommandLine: C:\Users\user\AppData\Roaming\svgbeht, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svgbeht, NewProcessName: C:\Users\user\AppData\Roaming\svgbeht, OriginalFileName: C:\Users\user\AppData\Roaming\svgbeht, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\svgbeht, ProcessId: 5988, ProcessName: svgbeht

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat	Avira: detection malicious, Label: HEUR/AGEN.1359405

Found malware configuration

Source: 00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 9.2.96C7.exe.da83c0.1.raw.unpack	Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}
Source: 53FF.exe.3176.5.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\53FF.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\7719.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Roaming\svgbeht	ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\96C7.exe

Code function: 9_2_036E1C94 CryptUnprotectData,CryptProtectData,

9_2_036E1C94

Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: Newtonsoft.Json.dll.11.dr
Source:	Binary string: *?\|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 0000000B.00000002.3864436780.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: 96C7.exe, 00000009.00000002.3616324754.000000000A8F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.11.dr
Source:	Binary string: libEGL.dll.pdb source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbx source: 96C7.exe, 00000009.00000002.3616324754.000000000A8F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: 96C7.exe, 00000009.00000002.3616324754.000000000A8FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000C.00000000.3686415820.00000000007D2000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000010.00000002.3898198006.0000000005E6A000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000010.00000002.3898198006.0000000005E6A000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: \Desktop\projects\Release\BigProject.pdb source: 96C7.exe, 00000009.00000000.2583634857.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp, 96C7.exe, 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3865128619.000000000075A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3865128619.000000000075A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Desktop\projects\Release\BigProject.pdb. source: 96C7.exe, 00000009.00000000.2583634857.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp, 96C7.exe, 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Directory queried: number of queries: 1660

Source: C:\Users\user\AppData\Local\Temp\7719.exe	Code function: 8_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	8_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Code function: 8_2_004066FF FindFirstFileA,FindClose,	8_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Code function: 8_2_004027AA FindFirstFileA,	8_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_00EB24BD FindFirstFileExW,	9_2_00EB24BD
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_036E1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,	9_2_036E1000
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_036E4E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,	9_2_036E4E27
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_036E1D3C FindFirstFileW,FindNextFileW,	9_2_036E1D3C
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_036E40BA FindFirstFileW,FindNextFileW,	9_2_036E40BA
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_036E3EFC FindFirstFileW,FindNextFileW,	9_2_036E3EFC

Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Adobe\	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 190.159.30.35 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 141.8.192.126 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.68.16.7 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 127.0.0.127 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: pedestriankodwu.xyz
Source: Malware configuration extractor	URLs: towerxxuytwi.xyz
Source: Malware configuration extractor	URLs: ellaboratepwsz.xyz
Source: Malware configuration extractor	URLs: penetratedpoopp.xyz
Source: Malware configuration extractor	URLs: swellfrrgwwos.xyz
Source: Malware configuration extractor	URLs: contintnetksows.shop
Source: Malware configuration extractor	URLs: foodypannyjsud.shop
Source: Malware configuration extractor	URLs: potterryisiw.shop
Source: Malware configuration extractor	URLs: potterryisiw.shop
Source: Malware configuration extractor	URLs: http://evilos.cc/tmp/index.php
Source: Malware configuration extractor	URLs: http://gebeus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://office-techs.biz/tmp/index.php
Source: Malware configuration extractor	URLs: http://cx5519.com/tmp/index.php
Source: Malware configuration extractor	URLs: 146.70.169.164:2227

Source: C:\Users\user\AppData\Local\Temp\96C7.exe

Code function: 9_2_00E45B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task,

9_2_00E45B80

Source: GamePall.exe, 00000015.00000002.3813403329.0000000002501000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: GamePall.exe, 00000013.00000002.3814333984.0000000003151000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/activity8
Source: GamePall.exe, 00000015.00000002.3813403329.0000000002501000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: GamePall.exe, 00000015.00000002.3813403329.0000000002501000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bageyou.xyz
Source: GamePall.exe, 0000000C.00000002.4120205235.0000000002D07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bageyou.xyz/c/g
Source: GamePall.exe, 0000000C.00000002.4120205235.0000000002D07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bageyou.xyz/c/g4
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000002.00000000.2115963975.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2115963975.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: http://crbug.com/1352358
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: http://crbug.com/275944
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: http://crbug.com/378067
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: http://crbug.com/437891.
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: http://crbug.com/456214
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: http://crbug.com/510270
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: http://crbug.com/642141
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: http://crbug.com/672186).
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: http://crbug.com/819404
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: http://crbug.com/957772
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: explorer.exe, 00000002.00000000.2113028471.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000002.00000000.2115963975.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2115963975.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: explorer.exe, 00000002.00000000.2115963975.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2115963975.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: log4net.xml.11.dr	String found in binary or memory: http://logging.apache.org/log4j
Source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp, log4net.xml.11.dr	String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: log4net.xml.11.dr	String found in binary or memory: http://logging.apache.org/log4net/schemas/log4net-events-1.2>
Source: 7719.exe, 7719.exe, 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmp, 7719.exe, 00000008.00000000.2523574701.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 0000000B.00000002.3864436780.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, setup.exe, 0000000B.00000000.3366645637.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000B.00000003.3686521042.00000000007BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 7719.exe, 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmp, 7719.exe, 00000008.00000000.2523574701.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 0000000B.00000002.3864436780.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, setup.exe, 0000000B.00000000.3366645637.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000B.00000003.3686521042.00000000007BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.2115963975.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2115963975.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000002.00000000.2115963975.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: explorer.exe, 00000002.00000000.2115543053.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2115565652.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2115142712.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: GamePall.exe, 0000000C.00000002.4120205235.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.apache.org/).
Source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.2118423388.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: log4net.xml.11.dr	String found in binary or memory: http://www.connectionstrings.com/
Source: log4net.xml.11.dr	String found in binary or memory: http://www.faqs.org/rfcs/rfc3164.html.
Source: log4net.xml.11.dr	String found in binary or memory: http://www.iana.org/assignments/multicast-addresses
Source: GamePall.exe, 00000013.00000002.4085407935.0000000006BFF000.00000002.00000001.00040000.0000001A.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 7719.exe, 00000008.00000002.3876675879.000000000085E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xiexie.wf/22_551/huge.dat
Source: 7719.exe, 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.2118031324.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2114531614.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2115963975.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2114531614.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2113719983.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/1
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 96C7.exe, 00000009.00000002.3435692996.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
Source: 53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: 53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: GamePall.exe, 00000013.00000002.4547043059.000000003C270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: GamePall.exe, 00000013.00000002.4547043059.000000003C270000.00000004.00001000.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: GamePall.exe, 00000013.00000002.4547043059.000000003C270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/declarativeNetRequestWithHostAccessds=2-1719957786566967id5app.win
Source: GamePall.exe, 00000013.00000002.4546897572.000000003C25C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: GamePall.exe, 00000013.00000002.4546897572.000000003C25C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxle
Source: 53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://crbug.com/1201800
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: 53FF.exe, 00000005.00000003.2464232974.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2573234047.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2453795663.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2464347244.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574942485.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2464028346.0000000000672000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2540650954.0000000000704000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/
Source: 53FF.exe, 00000005.00000003.2464232974.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2453795663.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2464347244.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/-%
Source: 53FF.exe, 00000005.00000003.2573234047.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574942485.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/D
Source: 53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2540650954.0000000000704000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/O
Source: 53FF.exe, 00000005.00000003.2464347244.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2453884126.0000000000691000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2540650954.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/api
Source: 53FF.exe, 00000005.00000002.2574430878.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2573425240.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/apiP
Source: 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/apif
Source: 53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2540650954.0000000000704000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/apit
Source: 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/g
Source: 53FF.exe, 00000005.00000003.2464232974.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2453795663.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2464347244.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/h
Source: 53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/m
Source: 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/op
Source: 53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2540650954.0000000000704000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/pi
Source: 53FF.exe, 00000005.00000003.2540650954.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2516350013.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2573234047.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574942485.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2529482964.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/q
Source: 53FF.exe, 00000005.00000003.2516350013.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2498697771.0000000000719000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2498890451.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/qD
Source: 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/s
Source: 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/sN
Source: 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/t
Source: GamePall.exe, 0000000C.00000002.4120205235.0000000003005000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.protekt2day.com/go/1c68c94b-6319-4e81-a7cf-3041c0161b9b?cost=0.180000
Source: GamePall.exe, 0000000C.00000002.4120205235.0000000003005000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.protekt2day.com/go/1c68c94b-6319-4e81-a7cf-3041c0161b9b?cost=0.180000&visitor_id=83180631
Source: 53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.com
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://passwords.google.comGoogle
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comT
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://policies.google.com/
Source: explorer.exe, 00000002.00000000.2118031324.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: GamePall.exe, 00000016.00000002.3844470978.0000000004ED6000.00000002.00000001.01000000.00000011.sdmp, GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: explorer.exe, 00000002.00000000.2115963975.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2115963975.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon
Source: 53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: 53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Newtonsoft.Json.dll.11.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0000000A.00000002.2975757928.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123557960.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2417127304.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2975710135.0000000004250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2417303583.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\7719.exe

Code function: 8_2_004055E7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

8_2_004055E7

Source: C:\Users\user\AppData\Local\Temp\96C7.exe

Code function: 9_2_036E4BA2 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC,

9_2_036E4BA2

Source: GamePall.exe

Process created: 52

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000A.00000002.2975757928.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2417216706.000000000281B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.2975329617.0000000002790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2123557960.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2417107422.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2417127304.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000002.2975710135.0000000004250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2123328963.0000000002960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000002.2975486855.00000000027AF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2417303583.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2123406759.000000000298C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401538
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_00402FE9 RtlCreateUserThread,NtTerminateProcess,	0_2_00402FE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401496
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401543
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401565
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401579
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040157C
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401538
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_00402FE9 RtlCreateUserThread,NtTerminateProcess,	4_2_00402FE9
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004014DE
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401496
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401543
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401565
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401579
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_0040157C
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,	8_2_100010D0
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	10_2_00401538
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_00402FE9 RtlCreateUserThread,NtTerminateProcess,	10_2_00402FE9
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	10_2_004014DE
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	10_2_00401496
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	10_2_00401543
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	10_2_00401565
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	10_2_00401579
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	10_2_0040157C

Source: C:\Users\user\AppData\Local\Temp\7719.exe

Code function: 8_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

8_2_004034CC

Source: C:\Users\user\AppData\Local\Temp\7719.exe	Code function: 8_2_00406A88	8_2_00406A88
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_00EA1490	9_2_00EA1490
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_00EAD515	9_2_00EAD515
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_00EB4775	9_2_00EB4775
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_00EABE09	9_2_00EABE09

Source: C:\Users\user\AppData\Local\Temp\96C7.exe

Code function: String function: 00EA0310 appears 51 times

Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0000000A.00000002.2975757928.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2417216706.000000000281B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.2975329617.0000000002790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2123557960.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2417107422.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2417127304.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.2975710135.0000000004250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2123328963.0000000002960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000002.2975486855.00000000027AF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2417303583.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2123406759.000000000298C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: svgbeht.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: GamePall.exe.11.dr, Program.cs

Base64 encoded string: 'pizR9uKkcZIkMW+F1cRjYV0LMt6eYXmLuiNCndESDPkTO3eY1Mjv7Hs2Qvo+t26G', 'ZTDMzZVpdA1FSa2RiY6ZCl2QGyLDtQ3OBRa/N40wO2xxcvcDsATtLRGwKtaEB36dqPJnDF8qXNs92JbMBlsOyg==', 'nYQvMVlU2Asj2rNkmi7xBNqGCkGzSnaP0raCPfB8A9hSwWFTIjPcsKgDrCVAEwSQ1lHf/WOhnKR59a5JjrkJVUOFvV43wO8MM1FKgjYuj7ZzvvuGve+okViUQx+oGN+llGnjS4Fm9o1MUn7p+qcPVIDZRcvMal1ARjQNk+bFvT5vC4J8slkhLZYtvBYmOybvSK90G7/f/U8GPBdM7WBmfFdHzzGxw6WFcHlkdySP8Nvmzff08RdOn8QOu8FlABEqqEjQ0W84v+/lU0lmhvzugpodd8fIp2kb2/twZPg9/Jsy5viOC65K8bs1ES63SA2d62f5cJYpFf1f0WBQbCBcSzfwiDlBCWVIW9vFXW1awyEMdm3q36+BViyETC5tnyHuoLRgf3bXoQAwqE0OIII5DROfW+LmqqHY82rVXHAqhVjdA2wZRWcSI1zxV7+qTfhmp9qbIQAWSuuXTzhbIvI3gjvtPCdz9uBv8rjyg1XZNxfdgYdtF+klyGgKdefnu5G2pgjfT3Kb/VbjgkFvLlqtWNr5K7iC080FVeHsZazMHUrrDtsmNdChtvnX8Zj77rIGVxi9RfvHhhIhBj+WSos+lJ2nuvQkUpqVEa1mrZSwPezG/uoh0qvs+BAHbNFNjv99WS6tgWIkvcQVCi2h3cfxTGQiZDetQZqB+N/mnvgC6WdrcRKGHBE4mp6bpgTY9+nt3lPiH6OZnlxC8rdHbuGtY6R/FgNFYkw49JWXYeZ1VV3KnjSrFMvDlkyMCAW1X9/1VoC+f73WVYMLwXafDKtGO2lfr9vwKms+8HoEgs7bj0aroIPdmLK/z/djAsFZO8Vp', 'T7BWwqrn4yISEECEAnARpwE8R+3lDHSc+RlcJT90an1SNsS27lGBQjOx4RmDHlrj7oJnnzx1IWXOkbTfLzBeCfU6UJhOIoQKhcWidAxAKIxvqZnoB6AujIU0F7dEj65vahyTdEvkIxzFaV2+akbl53KcDi5RPBOP16iXVi0WJdHV5AbSCI9WCEcSX/fUpmukBh4bjVF/T/P/B6TFVtNZintCOSO2Ha+2va2CJMOnJ020zYskwuvcH9d1rGD3Zf9RBC2obzrhRNK2LXTEIYnifs6L2UdqFhw5aANXILziQtzKvsTQKvc15hvHCCoeXJCyyK7/WgA/oRu7bdrTs2DwCQ==', 'ZY0WCEgzqiLEU8ZUVJwGTpbkuL9KoMwYVloBqJXjur8rfBZEXTysQNKRQ1H7/vn7o0wyHAux60SVy06r4v6So5WWxddei09LXvL6ZwK/tyY=', 's7iS2XfzyI+IBoARaZQlTINg1kEy7qT7EopaSHQzpqktZBtc7UiOYrPdv/6f4cNI', 'o2ZleBui4P9C2ZjnB98Vuesy1C+WucHiXjQJ8RANoX6TheGfnLYAWDsXRfSeNCDHWdkBP2RBrkWPBy/nuM2NFLMETMUsPFeG3JHWafvGKzaNEjYO3Up9m61SnaY5tINvLCYJ/TKITszJ9H1YSm2chnmQGLUzbz4pwvWvvKfH8m7z585W73/QZrtw3l/30vcZaVocgwemYusDJYsOTgeWc0okiDahD7qtJcBYZ0aOzxZZmHDMBYigkRVf8GTJ/xucA/i7EHBFpaWoLVZVcuGFMA==', 'T7BWwqrn4yISEECEAnARp+JyVgG3cZc2/9+3VbyOjc4PuRSCU7ZfXuXpIIH8uj2roUU+W7nSmXHqTuxLhe6DBfNVh8PFZrhNX/YhIexDxrk=', 'G4TxOgdwfNBdU+6bscw2hqt3kZYZMfoEuKZtmCxRLrF8xJCK1+L0ocd8eSQjty7d', 'PcG64iM3U1vDIVDm7HuwTSvKhuz45f/WPqYoWZvzLHcapbEfkynZkUjmDgg30eof', 'XGcq7Js3+2f2oGHGFzxJPiYsrodwK+bTw/0lKjiUd0tSWMHEjdVqzAclD1/nPksq3sGhVTN8oFeHMRE7wAt3mCLVCEXKF9JLnNeWw9vvCbs=', 'T7BWwqrn4yISEECEAnARp8UQ6kvfa8mDiwe39obQZ+Rxfj5bbo//kf+4mlTsZUEg0QM/4QBKb6sUDMsk9OTdYg==', 'T7BWwqrn4yISEECEAnARp/U1NCwfjpQ4K5UKuMbDqXSrjfU6Tf/pOCpHlHXtYnU5', 'Gg/rFkGmnFrfPAny9sQ3qerPGxlC7+cuu92x2tgXrCRkqABwTbbIR8+hJN0krbBD9OJX8s2JqeR+xICuD2u17N7KjlWCZwpg4+c7mG1xAahALfXXbu/EvJy+KsAzQlzR9bu8P4wbyuM6r6/7kdf+VQ==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLT3pudJg4gGhcEax3IHwBI0R5vZR7J9mjUQ8R9MdKz/Fw==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLTcCwJrbTmNGWmZutw1Di2FSZ+3JxFtC00BiemuQuq2+A=='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@299/115@0/8

Source: C:\Users\user\AppData\Local\Temp\7719.exe

8_2_004034CC

Source: C:\Users\user\AppData\Local\Temp\7719.exe

Code function: 8_2_00404897 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

8_2_00404897

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

Code function: 0_2_0298F452 CreateToolhelp32Snapshot,Module32First,

0_2_0298F452

Source: C:\Users\user\AppData\Local\Temp\7719.exe

Code function: 8_2_00402173 CoCreateInstance,MultiByteToWideChar,

8_2_00402173

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\svgbeht

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\53FF.tmp

Jump to behavior

Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

File read: C:\Windows\System32\drivers\etc\hosts

Source: 53FF.exe, 00000005.00000003.2465105201.0000000003656000.00000004.00000800.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2465369909.0000000003638000.00000004.00000800.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2475350447.0000000003658000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svgbeht C:\Users\user\AppData\Roaming\svgbeht
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\53FF.exe C:\Users\user\AppData\Local\Temp\53FF.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\7719.exe C:\Users\user\AppData\Local\Temp\7719.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\96C7.exe C:\Users\user\AppData\Local\Temp\96C7.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svgbeht C:\Users\user\AppData\Roaming\svgbeht
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3924 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2972 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521213265 --mojo-platform-channel-handle=4044 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521380179 --mojo-platform-channel-handle=4056 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\53FF.exe C:\Users\user\AppData\Local\Temp\53FF.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\7719.exe C:\Users\user\AppData\Local\Temp\7719.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\96C7.exe C:\Users\user\AppData\Local\Temp\96C7.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3924 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2972 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521213265 --mojo-platform-channel-handle=4044 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521380179 --mojo-platform-channel-handle=4056 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: audioses.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: omadmapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dmcmnutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iri.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dsreg.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscms.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: Newtonsoft.Json.dll.11.dr
Source:	Binary string: *?\|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 0000000B.00000002.3864436780.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: 96C7.exe, 00000009.00000002.3616324754.000000000A8F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.11.dr
Source:	Binary string: libEGL.dll.pdb source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbx source: 96C7.exe, 00000009.00000002.3616324754.000000000A8F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: 96C7.exe, 00000009.00000002.3616324754.000000000A8FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000C.00000000.3686415820.00000000007D2000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000010.00000002.3898198006.0000000005E6A000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000010.00000002.3898198006.0000000005E6A000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: \Desktop\projects\Release\BigProject.pdb source: 96C7.exe, 00000009.00000000.2583634857.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp, 96C7.exe, 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3865128619.000000000075A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3865128619.000000000075A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Desktop\projects\Release\BigProject.pdb. source: 96C7.exe, 00000009.00000000.2583634857.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp, 96C7.exe, 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Unpacked PE file: 0.2.SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\svgbeht	Unpacked PE file: 4.2.svgbeht.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\svgbeht	Unpacked PE file: 10.2.svgbeht.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;

Source: Newtonsoft.Json.dll.11.dr

Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]

Source: C:\Users\user\AppData\Local\Temp\7719.exe

Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,

8_2_100010D0

Source: initial sample

Static PE information: section where entry point is pointing to: .vmpLp

Source: 53FF.exe.2.dr	Static PE information: section name: .vmpLp
Source: 53FF.exe.2.dr	Static PE information: section name: .vmpLp
Source: 53FF.exe.2.dr	Static PE information: section name: .vmpLp
Source: libEGL.dll.11.dr	Static PE information: section name: .00cfg
Source: libEGL.dll.11.dr	Static PE information: section name: .voltbl
Source: libGLESv2.dll.11.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.11.dr	Static PE information: section name: .voltbl
Source: chrome_elf.dll.11.dr	Static PE information: section name: .00cfg
Source: chrome_elf.dll.11.dr	Static PE information: section name: .crthunk
Source: chrome_elf.dll.11.dr	Static PE information: section name: CPADinfo
Source: chrome_elf.dll.11.dr	Static PE information: section name: malloc_h
Source: libEGL.dll0.11.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll0.11.dr	Static PE information: section name: .00cfg
Source: libcef.dll.11.dr	Static PE information: section name: .00cfg
Source: libcef.dll.11.dr	Static PE information: section name: .rodata
Source: libcef.dll.11.dr	Static PE information: section name: CPADinfo
Source: libcef.dll.11.dr	Static PE information: section name: malloc_h

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_00401CD1 push ecx; ret	0_2_00401CD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_00401C91 push 00000076h; iretd	0_2_00401C93
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_00402E96 push B92A2F4Ch; retf	0_2_00402E9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_02962EFD push B92A2F4Ch; retf	0_2_02962F02
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_02961CF8 push 00000076h; iretd	0_2_02961CFA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_02961D38 push ecx; ret	0_2_02961D39
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_02996F22 push FFFFFFFBh; iretd	0_2_02996F38
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_02994EA4 push edx; ret	0_2_02994EA5
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_00401CD1 push ecx; ret	4_2_00401CD2
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_00401C91 push 00000076h; iretd	4_2_00401C93
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_00402E96 push B92A2F4Ch; retf	4_2_00402E9B
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_027D1D38 push ecx; ret	4_2_027D1D39
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_027D2EFD push B92A2F4Ch; retf	4_2_027D2F02
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_027D1CF8 push 00000076h; iretd	4_2_027D1CFA
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_02826552 push FFFFFFFBh; iretd	4_2_02826568
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_028244D4 push edx; ret	4_2_028244D5
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_00EA004B push ecx; ret	9_2_00EA005E
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_00401CD1 push ecx; ret	10_2_00401CD2
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_00401C91 push 00000076h; iretd	10_2_00401C93
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_00402E96 push B92A2F4Ch; retf	10_2_00402E9B
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_02791D38 push ecx; ret	10_2_02791D39
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_02791CF8 push 00000076h; iretd	10_2_02791CFA
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_02792EFD push B92A2F4Ch; retf	10_2_02792F02
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_027B99FA push FFFFFFFBh; iretd	10_2_027B9A10
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_027B797C push edx; ret	10_2_027B797D
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_027BC7B8 push 28027BC8h; retf	10_2_027BC7BD

Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Static PE information: section name: .text entropy: 7.5001533145273696
Source: svgbeht.2.dr	Static PE information: section name: .text entropy: 7.5001533145273696
Source: Ionic.Zip.dll.11.dr	Static PE information: section name: .text entropy: 6.821349263259562

Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\7719.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe	File created: C:\Users\user\AppData\Local\Temp\nsz7739.tmp\blowfish.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\svgbeht	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\53FF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe	File created: C:\Users\user\AppData\Local\Temp\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe	File created: C:\Users\user\AppData\Local\Temp\nsz7739.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe	File created: C:\Users\user\AppData\Local\Temp\nsz7739.tmp\nsProcess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\96C7.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsn3C59.tmp\liteFirewall.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll	Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\svgbeht

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\securiteinfo.com.w32.trojan.fwf.gen.eldorado.2850.19434.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\svgbeht:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\96C7.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_9-145375

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\53FF.exe

System information queried: FirmwareTableInformation

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\svgbeht	API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\svgbeht	API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	API/Special instruction interceptor: Address: 10476F5
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	API/Special instruction interceptor: Address: 1255B80
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	API/Special instruction interceptor: Address: 15020B2
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	API/Special instruction interceptor: Address: 1527E15
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	API/Special instruction interceptor: Address: 11A91D7
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	API/Special instruction interceptor: Address: 15A4DE8

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe, svgbeht	Binary or memory string: ASWHOOK
Source: svgbeht, 0000000A.00000002.2975436288.00000000027A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK<

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2A60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2A60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 960000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 24A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 23B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 25D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 45D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2A70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2C50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2A70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 16F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 3150000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 16F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 26E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2770000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4770000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2500000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4500000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: C40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2B00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: CA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 12B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2D00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 14C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4EB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2D40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 8F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2210000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4210000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2960000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2960000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2B90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 29D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1050000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2B50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 10E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1520000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 31C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 51C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: AE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2860000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1420000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2E40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2C10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: C30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2730000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1430000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2D20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4D20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: E50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 17F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 32A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 52A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: A70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2590000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 910000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2300000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 970000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 22B0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Thread delayed: delay time: 600000

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 433	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4706	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1037	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 870	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 879	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsz7739.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsz7739.tmp\nsProcess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsz7739.tmp\blowfish.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn3C59.tmp\liteFirewall.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll	Jump to dropped file

Source: C:\Windows\explorer.exe TID: 5908	Thread sleep time: -470600s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6604	Thread sleep time: -103700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4788	Thread sleep time: -32500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6848	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe TID: 6008	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 6100	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 2132	Thread sleep count: 33 > 30

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\7719.exe	Code function: 8_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	8_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Code function: 8_2_004066FF FindFirstFileA,FindClose,	8_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\7719.exe	Code function: 8_2_004027AA FindFirstFileA,	8_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_00EB24BD FindFirstFileExW,	9_2_00EB24BD
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_036E1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,	9_2_036E1000
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_036E4E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,	9_2_036E4E27
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_036E1D3C FindFirstFileW,FindNextFileW,	9_2_036E1D3C
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_036E40BA FindFirstFileW,FindNextFileW,	9_2_036E40BA
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_036E3EFC FindFirstFileW,FindNextFileW,	9_2_036E3EFC

Source: C:\Users\user\AppData\Local\Temp\96C7.exe

Code function: 9_2_036E2054 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,

9_2_036E2054

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Thread delayed: delay time: 600000

Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Adobe\	Jump to behavior

Source: explorer.exe, 00000002.00000000.2115963975.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2113028471.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: 53FF.exe, 00000005.00000003.2475592601.000000000367E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2464232974.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2530387995.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2453884126.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574430878.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2573425240.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574211817.000000000064E000.00000004.00000020.00020000.00000000.sdmp, 7719.exe, 00000008.00000002.3876439042.0000000000838000.00000004.00000020.00020000.00000000.sdmp, 7719.exe, 00000008.00000003.3872830202.000000000086F000.00000004.00000020.00020000.00000000.sdmp, 7719.exe, 00000008.00000003.3873000462.0000000000837000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW^
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 7719.exe, 00000008.00000003.3872463864.0000000000856000.00000004.00000020.00020000.00000000.sdmp, 7719.exe, 00000008.00000003.3872830202.000000000085B000.00000004.00000020.00020000.00000000.sdmp, 7719.exe, 00000008.00000002.3876675879.000000000085E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWUe~
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2114531614.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: 53FF.exe, 00000005.00000003.2475592601.000000000367E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: explorer.exe, 00000002.00000000.2113719983.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2114531614.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2114531614.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2113719983.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: GamePall.exe, 0000000C.00000002.3966691310.0000000000E92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: explorer.exe, 00000002.00000000.2113719983.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2113719983.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: explorer.exe, 00000002.00000000.2113028471.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\AppData\Local\Temp\7719.exe

API call chain: ExitProcess graph end node

graph_8-3465

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	System information queried: CodeIntegrityInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\96C7.exe

Code function: 9_2_00EA4383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_00EA4383

Source: C:\Users\user\AppData\Local\Temp\7719.exe

8_2_100010D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_02960D90 mov eax, dword ptr fs:[00000030h]	0_2_02960D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_0296092B mov eax, dword ptr fs:[00000030h]	0_2_0296092B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Code function: 0_2_0298ED2F push dword ptr fs:[00000030h]	0_2_0298ED2F
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_027D092B mov eax, dword ptr fs:[00000030h]	4_2_027D092B
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_027D0D90 mov eax, dword ptr fs:[00000030h]	4_2_027D0D90
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 4_2_0281E35F push dword ptr fs:[00000030h]	4_2_0281E35F
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_0279092B mov eax, dword ptr fs:[00000030h]	10_2_0279092B
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_02790D90 mov eax, dword ptr fs:[00000030h]	10_2_02790D90
Source: C:\Users\user\AppData\Roaming\svgbeht	Code function: 10_2_027B1807 push dword ptr fs:[00000030h]	10_2_027B1807

Source: C:\Users\user\AppData\Local\Temp\96C7.exe

Code function: 9_2_00EB5891 GetProcessHeap,

9_2_00EB5891

Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_00EA4383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00EA4383
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_00EA0495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00EA0495
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_00EA06F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00EA06F0
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: 9_2_00EA0622 SetUnhandledExceptionFilter,	9_2_00EA0622

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 7719.exe.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 190.159.30.35 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 141.8.192.126 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.68.16.7 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 127.0.0.127 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 80	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Thread created: C:\Windows\explorer.exe EIP: 33419D0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Thread created: unknown EIP: 83819D0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Thread created: unknown EIP: 33719D0	Jump to behavior

LummaC encrypted strings found

Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: pedestriankodwu.xyz
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: towerxxuytwi.xyz
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: ellaboratepwsz.xyz
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: penetratedpoopp.xyz
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: swellfrrgwwos.xyz
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: contintnetksows.shop
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: foodypannyjsud.shop
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: potterryisiw.shop

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3924 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2972 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521213265 --mojo-platform-channel-handle=4044 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521380179 --mojo-platform-channel-handle=4056 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3924 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=2972 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521213265 --mojo-platform-channel-handle=4044 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521380179 --mojo-platform-channel-handle=4056 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3924 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=2972 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521213265 --mojo-platform-channel-handle=4044 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521380179 --mojo-platform-channel-handle=4056 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1

Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2113398791.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2114396314.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2113398791.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2113398791.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2113398791.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2113028471.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\AppData\Local\Temp\96C7.exe

Code function: 9_2_00EA013C cpuid

9_2_00EA013C

Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	9_2_00EB50DC
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: GetLocaleInfoW,	9_2_00EAE096
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: EnumSystemLocalesW,	9_2_00EB5051
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: GetLocaleInfoW,	9_2_00EB532F
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_00EB5458
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: GetLocaleInfoW,	9_2_00EB555E
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_00EB5634
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: EnumSystemLocalesW,	9_2_00EADBC7
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	9_2_00EB4CBF
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: EnumSystemLocalesW,	9_2_00EB4FB6
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	Code function: EnumSystemLocalesW,	9_2_00EB4F6B

Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\96C7.exe

Code function: 9_2_00EA038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

9_2_00EA038F

Source: C:\Users\user\AppData\Local\Temp\7719.exe

8_2_004034CC

Source: C:\Users\user\AppData\Local\Temp\53FF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 53FF.exe, 00000005.00000003.2529482964.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2529686920.0000000000678000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 53FF.exe, 00000005.00000003.2529624782.000000000363A000.00000004.00000800.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2533808667.000000000363B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ws Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\53FF.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: 53FF.exe PID: 3176, type: MEMORYSTR

Yara detected Poverty Stealer

Source: Yara match	File source: 9.2.96C7.exe.36e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.96C7.exe.dfff80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.96C7.exe.da83c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.96C7.exe.36e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.96C7.exe.dfff80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.96C7.exe.da83c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 96C7.exe PID: 5952, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: 0000000A.00000002.2975757928.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123557960.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2417127304.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2975710135.0000000004250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2417303583.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3mp2
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets=
Source: 53FF.exe, 00000005.00000003.2516578900.000000000068D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Directory queried: number of queries: 1660

Source: Yara match	File source: 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2516799082.000000000069C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2516945580.000000000069C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 53FF.exe PID: 3176, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: 53FF.exe PID: 3176, type: MEMORYSTR

Yara detected Poverty Stealer

Source: Yara match	File source: 9.2.96C7.exe.36e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.96C7.exe.dfff80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.96C7.exe.da83c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.96C7.exe.36e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.96C7.exe.dfff80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.96C7.exe.da83c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 96C7.exe PID: 5952, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: 0000000A.00000002.2975757928.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123557960.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2417127304.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2975710135.0000000004250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2417303583.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Native API	1 Windows Service	1 Access Token Manipulation	111 Deobfuscate/Decode Files or Information	LSASS Memory	23 File and Directory Discovery	Remote Desktop Protocol	31 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 Registry Run Keys / Startup Folder	1 Windows Service	31 Obfuscated Files or Information	Security Account Manager	137 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Command and Scripting Interpreter	Login Hook	312 Process Injection	12 Software Packing	NTDS	651 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	241 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	241 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	42%	ReversingLabs	Win32.Rootkit.BootkitX
SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	100%	Avira	HEUR/AGEN.1318160
SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\setup.exe	100%	Avira	HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Temp\53FF.exe	100%	Avira	HEUR/AGEN.1313486
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	100%	Avira	HEUR/AGEN.1352426
C:\Users\user\AppData\Local\Temp\7719.exe	100%	Avira	HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat	100%	Avira	HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Temp\53FF.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\GamePall\Del.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\96C7.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat	3%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\53FF.exe	50%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\7719.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\96C7.exe	16%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsn3C59.tmp\liteFirewall.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsz7739.tmp\INetC.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsz7739.tmp\blowfish.dll	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsz7739.tmp\nsProcess.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\setup.exe	3%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\GamePall\Del.exe	7%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	3%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\libcef.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\log4net.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\svgbeht	42%	ReversingLabs	Win32.Rootkit.BootkitX

Name	Malicious	Antivirus Detection	Reputation
http://gebeus.ru/tmp/index.php	true
http://cx5519.com/tmp/index.php	true
contintnetksows.shop	true
http://evilos.cc/tmp/index.php	true
ellaboratepwsz.xyz	true
swellfrrgwwos.xyz	true
foodypannyjsud.shop	true
pedestriankodwu.xyz	true
towerxxuytwi.xyz	true

URLs from Memory and Binaries

Name	Source	Malicious
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/chrome_newtab	53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp	false
https://foodypannyjsud.shop/q	53FF.exe, 00000005.00000003.2540650954.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2516350013.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2573234047.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574942485.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2529482964.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp	false
https://foodypannyjsud.shop/s	53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp	false
https://foodypannyjsud.shop/t	53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp	false
https://support.google.com/chrome/answer/6098869	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	false
https://www.google.com/chrome/privacy/eula_text.html	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp	false
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp, log4net.xml.11.dr	false
https://excel.office.com	explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false
https://foodypannyjsud.shop/-%	53FF.exe, 00000005.00000003.2464232974.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2453795663.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2464347244.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	false
http://crbug.com/510270	GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	false
https://foodypannyjsud.shop/g	53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp	false
https://foodypannyjsud.shop/h	53FF.exe, 00000005.00000003.2464232974.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2453795663.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2464347244.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	false
https://go.protekt2day.com/go/1c68c94b-6319-4e81-a7cf-3041c0161b9b?cost=0.180000&visitor_id=83180631	GamePall.exe, 0000000C.00000002.4120205235.0000000003005000.00000004.00000800.00020000.00000000.sdmp	false
https://chrome.google.com/webstore?hl=urCtrl$2	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
https://foodypannyjsud.shop/m	53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp	false
https://foodypannyjsud.shop/O	53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2540650954.0000000000704000.00000004.00000020.00020000.00000000.sdmp	false
http://crbug.com/378067	GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	false
https://photos.google.com/settings?referrer=CHROME_NTP	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	false
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	false
https://passwords.google.com	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
https://go.protekt2day.com/go/1c68c94b-6319-4e81-a7cf-3041c0161b9b?cost=0.180000	GamePall.exe, 0000000C.00000002.4120205235.0000000003005000.00000004.00000800.00020000.00000000.sdmp	false
https://aui-cdn.atlassian.com/	96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	false
http://www.iana.org/assignments/multicast-addresses	log4net.xml.11.dr	false
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000002.00000000.2118031324.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false
http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd	7719.exe, 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmp	false
https://foodypannyjsud.shop/D	53FF.exe, 00000005.00000003.2573234047.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574942485.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	GamePall.exe, 0000000C.00000002.4120205235.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	false
http://bageyou.xyz	GamePall.exe, 00000015.00000002.3813403329.0000000002501000.00000004.00000800.00020000.00000000.sdmp	false
http://crbug.com/642141	GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	false
https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
https://bitbucket.org/	96C7.exe, 00000009.00000002.3435692996.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000000.2118423388.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	false
http://www.connectionstrings.com/	log4net.xml.11.dr	false
https://chromewebstore.google.com/declarativeNetRequestWithHostAccessds=2-1719957786566967id5app.win	GamePall.exe, 00000013.00000002.4547043059.000000003C270000.00000004.00001000.00020000.00000000.sdmp	false
https://support.google.com/chromebook?p=app_intent	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	false
http://crbug.com/957772	GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	false
https://chrome.google.com/webstore	GamePall.exe, 00000013.00000002.4547043059.000000003C270000.00000004.00001000.00020000.00000000.sdmp	false
https://foodypannyjsud.shop/apit	53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2540650954.0000000000704000.00000004.00000020.00020000.00000000.sdmp	false
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u	GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp	false
http://crl.rootca1.amazontrust.com/rootca1.crl0	53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp	false
http://ocsp.rootca1.amazontrust.com0:	53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp	false
http://nsis.sf.net/NSIS_ErrorError	7719.exe, 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmp, 7719.exe, 00000008.00000000.2523574701.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 0000000B.00000002.3864436780.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, setup.exe, 0000000B.00000000.3366645637.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000B.00000003.3686521042.00000000007BC000.00000004.00000020.00020000.00000000.sdmp	false
https://www.google.com/chrome/privacy/eula_text.html&	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
http://logging.apache.org/log4j	log4net.xml.11.dr	false
https://www.google.com/chrome/privacy/eula_text.htmlT&r	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
https://foodypannyjsud.shop/apif	53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp	false
http://xiexie.wf/22_551/huge.dat	7719.exe, 00000008.00000002.3876675879.000000000085E000.00000004.00000020.00020000.00000000.sdmp	false
http://crbug.com/819404	GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	false
https://outlook.com	explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp	false
https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee	96C7.exe, 00000009.00000002.3435692996.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 96C7.exe, 00000009.00000002.3435692996.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	false
http://nsis.sf.net/NSIS_Error	7719.exe, 7719.exe, 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmp, 7719.exe, 00000008.00000000.2523574701.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 0000000B.00000002.3864436780.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, setup.exe, 0000000B.00000000.3366645637.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000B.00000003.3686521042.00000000007BC000.00000004.00000020.00020000.00000000.sdmp	false
https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
https://foodypannyjsud.shop/apiP	53FF.exe, 00000005.00000002.2574430878.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2573425240.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false
https://chrome.google.com/webstore?hl=ukCtrl$1	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000000.2114531614.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false
http://api.install-stat.debug.world/clients/installs	GamePall.exe, 00000015.00000002.3813403329.0000000002501000.00000004.00000800.00020000.00000000.sdmp	false
https://cdn.cookielaw.org/	96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	false
https://www.newtonsoft.com/jsonschema	Newtonsoft.Json.dll.11.dr	false
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp	false
https://chromewebstore.google.com/	GamePall.exe, 00000013.00000002.4547043059.000000003C270000.00000004.00001000.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	false
https://support.google.com/chrome/a/answer/9122284	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp	false
https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
https://chrome.google.com/webstore?hl=zh-CNCtrl$1	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1	GamePall.exe, 00000016.00000002.3844470978.0000000004ED6000.00000002.00000001.01000000.00000011.sdmp, GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp	false
https://word.office.comon	explorer.exe, 00000002.00000000.2115963975.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false
http://www.unicode.org/copyright.html	GamePall.exe, 00000013.00000002.4085407935.0000000006BFF000.00000002.00000001.00040000.0000001A.sdmp	false
https://powerpoint.office.comcember	explorer.exe, 00000002.00000000.2118031324.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp	false
https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
https://www.newtonsoft.com/json	Newtonsoft.Json.dll.11.dr	false
http://crbug.com/1352358	GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	false
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp	false
http://bageyou.xyz/c/g	GamePall.exe, 0000000C.00000002.4120205235.0000000002D07000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.micro	explorer.exe, 00000002.00000000.2115543053.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2115565652.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2115142712.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	false
https://crbug.com/1201800	GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp	false
http://api.install-stat.debug.world/clients/activity	GamePall.exe, 00000015.00000002.3813403329.0000000002501000.00000004.00000800.00020000.00000000.sdmp	false
https://chrome.google.com/webstore?hl=zh-TWCtrl$1	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp	false
https://foodypannyjsud.shop/op	53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp	false
http://www.apache.org/).	GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp	false
https://foodypannyjsud.shop/api	53FF.exe, 00000005.00000003.2464347244.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2453884126.0000000000691000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2540650954.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp	false
https://myactivity.google.com/	setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
190.159.30.35	unknown	Colombia	10620	TelmexColombiaSACO	true
104.192.141.1	unknown	United States	16509	AMAZON-02US	false
141.8.192.126	unknown	Russian Federation	35278	SPRINTHOSTRU	true
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	true
104.21.45.251	unknown	United States	13335	CLOUDFLARENETUS	false
185.68.16.7	unknown	Ukraine	200000	UKRAINE-ASUA	true
146.70.169.164	unknown	United Kingdom	2018	TENET-1ZA	true

Private

IP
127.0.0.127

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466524
Start date and time:	2024-07-03 01:38:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 17m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@299/115@0/8
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 58% Number of executed functions: 138 Number of non-executed functions: 87
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Execution Graph export aborted for target 53FF.exe, PID 3176 because there are no executed function
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

Simulations

Behavior and APIs

Time	Type	Description
01:39:21	Task Scheduler	Run new task: Firefox Default Browser Agent 38B6DCB5005534F0 path: C:\Users\user\AppData\Roaming\svgbeht
01:41:45	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
01:41:57	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
19:39:04	API Interceptor	110268x Sleep call for process: explorer.exe modified
19:39:37	API Interceptor	9x Sleep call for process: 53FF.exe modified
19:41:46	API Interceptor	1x Sleep call for process: GamePall.exe modified

Process:	C:\Users\user\AppData\Local\Temp\7719.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	107232830
Entropy (8bit):	7.999946456161068
Encrypted:	true
SSDEEP:	1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
MD5:	FF2293FBFF53F4BD2BFF91780FABFD60
SHA1:	61A9EDCF46228DC907AD523AA6FD035CC26C9209
SHA-256:	B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
SHA-512:	C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\53FF.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6642176
Entropy (8bit):	7.866419732571782
Encrypted:	false
SSDEEP:	98304:LqhZ67opwYckx35SF2XKgxVvHuCPU8GSbO3JAXV1LrA+ZlL9CxpzTp2:LgErupSgKORuCT43JeV1LE+/s3p
MD5:	BD2EAC64CBDED877608468D86786594A
SHA1:	778AD44AFD5629F0A5B3B7DF9D6F02522AE94D91
SHA-256:	CAE992788853230AF91501546F6EAD07CFD767CB8429C98A273093A90BBCB5AD
SHA-512:	3C8F43045F27ADDCB5FB23807C2CE1D3F247CC30DD1596134A141B0BBC7FA4D30D138791214D939DC4F34FD925B9EC450EA340E5871E2F4F64844226ED394312
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....U~f..............................M...........@...................................e...@..................................O......P......................@.......................................................@3..............................text...+........................... ..`.rdata...*..........................@..@.data.... ..........................@....vmpL.p.....0...................... ..`.vmpL.p@....@3.....................@....vmpL.p..]..P3...]................. ..`.reloc.......@........].............@..@.rsrc.......P...f....].............@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7719.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	293869
Entropy (8bit):	5.61569579822855
Encrypted:	false
SSDEEP:	3072:lFi6z/VXzAf3ocMNqB3r1Josf+OMhERMlm+twHBumSYyDgIoIPM7l0UGHM7:lxFSIjs+OM2eLFmSFgIZk7+HM7
MD5:	60172CA946DE57C3529E9F05CC502870
SHA1:	DE8F59D6973A5811BB10A9A4410801FA63BC8B56
SHA-256:	42CEB2252FEC41FD0ACC6874B41C91E0BA07C367045D6A9A7850D59781C2584C
SHA-512:	15D37AF3CAB96FC9026A1898E09C775FE0D277098A3FE20C2E591272DE996A243850D43F3B48B4C037C5FED359E57795A7CF1652547D7AD8B16B186AB9508792
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........`..X............................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...X....`......................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\96C7.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	578048
Entropy (8bit):	6.297510031778876
Encrypted:	false
SSDEEP:	12288:No4ykJuqlLJop9G3/AmAGWn7sfPJYQIMt8KHsTH:NoBsLaDKAmAbUJ+M2K2
MD5:	DA4B6F39FC024D2383D4BFE7F67F1EE1
SHA1:	7CC975D9FF785E269163897907D0B9B3CEE29956
SHA-256:	544697A024ABAEA1B24EAA3D89869B2C8A4C1ACF96D4E152F5632D338D054C9E
SHA-512:	D73CC4D911D9E61711B97CB9212D5BC93CB1B1314A39945934EB92239A31728FCCA7FEFBEC0143BAD915B0A7A6B93DF11D0AB7F559737AA7EC920BD24243FFFE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 16%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...I..I..I...1..I...1...I...1..I..l...I..l...I..l....I...1..I..I...I..]...I..]...I..Rich.I..................PE..L...w;.f...............'.....\....................@.......................................@.....................................(................................2..Xh..p....................i.......g..@...............@............................text....~.......................... ..`.rdata..4...........................@..@.data...............................@....reloc...2.......4..................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsaC2D3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	358363995
Entropy (8bit):	6.972150585647623
Encrypted:	false
SSDEEP:	3145728:KTzytRGD/CYRNIPKYTFBhfmOS9KBaVzTx9OSsKV97nM:KnUs4tvaVzTD99M
MD5:	5F9D89B40243E83C0B48206CE4EB77D1
SHA1:	477A019AB11E5793168B3E41D83B80A8AC8F1D43
SHA-256:	2BF31800E731EF63E7E5BDEECD87B50B349EC8F5C9D752AACB807AC0E82E95B9
SHA-512:	5B812C2D341FE8A9296EF68E416E0EFA8185FB3ECCEC0917AB206CD7639E1810E6444538B61583E2260F1A46D4209E1995CFBF940A1D9836C4155ADF0504940B
Malicious:	false
Reputation:	unknown
Preview:	........,.......................H...........................................................................................................................................................................................................................................................e...i...............j.......................3.......................................................................................................................t....V..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsn3C59.tmp\liteFirewall.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	6.389604568119155
Encrypted:	false
SSDEEP:	1536:Dli3i1jKfTV0LzYpAzMk2nACScLw5jPAT:j9KLQ+ScLw5jPAT
MD5:	165E1EF5C79475E8C33D19A870E672D4
SHA1:	965F02BFD103F094AC6B3EEF3ABE7FDCB8D9E2A5
SHA-256:	9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD
SHA-512:	CD10EAF0928E5DF048BF0488D9DBFE9442E2E106396A0967462BEF440BF0B528CDF3AB06024FB6FDAF9F247E2B7F3CA0CEA78AFC0CE6943650EF9D6C91FEE52A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W=.e9n.e9n.e9n...n.e9n...n.e9n..Bn.e9n.e8n.e9n.7.n.e9n...n.e9n...n.e9n...n.e9nRich.e9n........PE..L...,.N...........!.........^.......%...............................................3..................................`...$'..d....`.......................p...................................... ...@...............h............................text...1........................... ..`.rdata..P/.......0..................@..@.data........0......................@....rsrc........`.......*..............@..@.reloc.......p.......,..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsu7719.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\7719.exe
File Type:	data
Category:	dropped
Size (bytes):	60466
Entropy (8bit):	5.603640719549413
Encrypted:	false
SSDEEP:	1536:akqg31kqY3Q4Oc//////Q0LatojW/lX1Xb41:3qg323Sc//////Q3tojW/XXy
MD5:	DE806154A80E3916669C466B6D001BD6
SHA1:	B85BD0EC436125772A9C5403162628B7AAB35F49
SHA-256:	10D9B7F2238EFFEB71990F979B9DFE4F3BE3D212B05232EF34C39F9578CC11E3
SHA-512:	63CC5D6865C89AE2C41EEE3C76FD865D9461E96DBC570270982EB6DB5A15FB234098286CEE3FF9DB2255FEDA5207A222AB67743475AD60CCFD89A86B881BCB94
Malicious:	false
Reputation:	unknown
Preview:	",......,..................."...\|%......H+......",..............................................................................................................................................................................................................................................................j.......,.../...5.......3.......................................................................................................................N.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsz7739.tmp\INetC.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\7719.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.668346578219837
Encrypted:	false
SSDEEP:	384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
MD5:	92EC4DD8C0DDD8C4305AE1684AB65FB0
SHA1:	D850013D582A62E502942F0DD282CC0C29C4310E
SHA-256:	5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
SHA-512:	581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9<.EXR.EXR.EXR.b.).LXR.EXS..XR.b. .FXR.b.(.DXR.b...DXR.b.*.DXR.RichEXR.................PE..L....I6V...........!.....8...P......Q?.......P...................................................................... G..l....?..d.......(...............................................................................P............................text....7.......8.................. ..`.data...<<...P.......<..............@....rsrc...(............D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsz7739.tmp\blowfish.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\7719.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	6.674611218414922
Encrypted:	false
SSDEEP:	384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
MD5:	5AFD4A9B7E69E7C6E312B2CE4040394A
SHA1:	FBD07ADB3F02F866DC3A327A86B0F319D4A94502
SHA-256:	053B4487D22AACF8274BAB448AE1D665FE7926102197B47BFBA6C7ED5493B3AE
SHA-512:	F78EFE9D1FA7D2FFC731D5F878F81E4DCBFAF0C561FDFBF4C133BA2CE1366C95C4672D67CAE6A8BD8FCC7D04861A9DA389D98361055AC46FC9793828D9776511
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................6..........dD.......P....@.....................................................................Y.......................................p...................................................................................CODE....\|4.......6.................. ..`DATA....8....P.......:..............@...BSS..........p.......L...................idata...............L..............@....edata..Y............P..............@..P.reloc..p............R..............@..P.rsrc................V..............@..P.....................X..............@..P................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsz7739.tmp\nsProcess.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\7719.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	4.666004851298707
Encrypted:	false
SSDEEP:	48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
MD5:	FAA7F034B38E729A983965C04CC70FC1
SHA1:	DF8BDA55B498976EA47D25D8A77539B049DAB55E
SHA-256:	579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
SHA-512:	7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.I...I...I...n\|f.L...I...Q...@..K...@..H...@..H...RichI...........PE..L...`..N...........!......................... ...............................`.......................................#....... ..<....@.......................P..\|.................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\7719.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	107232830
Entropy (8bit):	7.999946456161068
Encrypted:	true
SSDEEP:	1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
MD5:	FF2293FBFF53F4BD2BFF91780FABFD60
SHA1:	61A9EDCF46228DC907AD523AA6FD035CC26C9209
SHA-256:	B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
SHA-512:	C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_0

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Reputation:	unknown
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_1

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012096502606932763
Encrypted:	false
SSDEEP:	3:MsEllllkXl:/M/6
MD5:	259E7ED5FB3C6C90533B963DA5B2FC1B
SHA1:	DF90EABDA434CA50828ABB039B4F80B7F051EC77
SHA-256:	35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
SHA-512:	9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_2

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_3

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	modified
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\index

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlTHfq:Ls3
MD5:	F240616299C0F6B49A59E3AB3FE32B51
SHA1:	F03DAC16E0053031A5A9A4DDF0FC3CBB98BACC94
SHA-256:	4B4121DAC39A6CF404EAF5270E1EB20698E3F683B1BE911830288FF33EA92A9D
SHA-512:	62837C3A7BC44F4A2BFC177778034135012DA0658EC0EF1D52893DE2314A3B1F16C513C79ED2001AE5712A39A3444C6ED5375C61885753FB4E2680E84A350589
Malicious:	false
Reputation:	unknown
Preview:	........................................C....z/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\Del.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.622398838808078
Encrypted:	false
SSDEEP:	96:QPjzIyfbInD3W0IwrBmEH7UewW4ORIhmY5XO40uK8DDzNt:pQIS0IwrJbU7W4kIX5e4kgF
MD5:	97D4D47D539CB8171BE2AEFD64C6EBB1
SHA1:	44ABF82DD553CCE0C1F41B9B78D853075DDD1F16
SHA-256:	8D996D5F68BF2248F223C4F3549303BC6A8EC58CC97FCB63B7BB7D8068850273
SHA-512:	7D402847B093E208410C695095DE815A3F5D5DA81630FD51C88C009C48C269D0EA5016D626351BB9D38862163FAD930645072C50ACCCD743DC0E19531A592FDE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 7%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.].........."...0.............64... ...@....@.. ....................................@..................................3..O....@.......................`.......2............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H........#...............1...............................................0..-.......(....r...p(.....(.......(....,...(....(........0..T........~....(.....~....(.....(....s....%.o....%.o....%.o....%.o....%~....o....(....&..&..........PP.......0..6.......(....(......( ...r...p~....r...p(!.....("...,...(#......0..........r...p.~$.....o%.....,..~....o&......,..o'....ra..p.~$.....o%.....,..~....o(......,..o'....r...p.~$.....o%.....,..~....o(......,..o'......&..*....4.......#..

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_0

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Reputation:	unknown
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_1

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012096502606932763
Encrypted:	false
SSDEEP:	3:MsEllllkXl:/M/6
MD5:	259E7ED5FB3C6C90533B963DA5B2FC1B
SHA1:	DF90EABDA434CA50828ABB039B4F80B7F051EC77
SHA-256:	35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
SHA-512:	9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_2

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_3

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GPUCache\index

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl1tf+t:Ls3Hf+
MD5:	34F78A585249BC4BEF7737914D547444
SHA1:	1E03CBEA571FAAB74EB54967640EF35092D283D5
SHA-256:	DBCA6EA481C86A8D2E9495E32640D1513FB94D4A1DB398D762EFC529F9C54325
SHA-512:	04DCAF3931C93EC02606081E64659CED9096F5DE531BECBA85881B3FFD4C63310905B65904F32D7FB2A3AAA6AB862FB024442464CA61D5ECFFBA2BB2EB0FD4CC
Malicious:	false
Reputation:	unknown
Preview:	.............................................z/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	296448
Entropy (8bit):	5.660420770467009
Encrypted:	false
SSDEEP:	3072:xTpjI4TptgvmHMaellnhblkK0m2QEk0xjo4OVzdvayfvYn6A:ppbVtsg1e5b2Px2zdyyq
MD5:	7A3502C1119795D35569535DE243B6FE
SHA1:	DA0D16BC66614C7D273C47F321C5EE0652FB5575
SHA-256:	B18FEFB56ED7B89E45CEC8A5494FBEC81E36A5CB5538CCBB8DE41CCE960FAA30
SHA-512:	258B111AC256CD8145CBE212D59DFF5840D67E70EFFD7CDDC157B2A3461B398BBC3446004980131FAA6A8762C19305F56E7B793F045331B56B8BD17D85B884C4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rf..............0.............>.... ........@.. ....................................@....................................O.......t............................................................................ ............... ..H............text...d.... ...................... ..`.rsrc...t...........................@..@.reloc..............................@..B................ .......H....... ...$...........D...p............................................(....s....Z..(....,...(....(.....(......(......(............~........0..W.......(....".....(......,..o....-...o.....+...( .....o....&..(!...-...........o"....."...BZ.......%..A.......0..Q.......(....(........,..o....-...o.....+...( .....o....&.._...(!...-...........o"..............!. A.......0..V.......(....(......,..o....-.~#.....o.....+...( ...."...B[..o....&..(!...-...........o"....*......

C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	462336
Entropy (8bit):	6.803831500359682
Encrypted:	false
SSDEEP:	6144:leSYvQAd10GtSV41OJDsTDDVUMle6ZjxLV/rHo0Oaaz2R9IY:oJBdBS4msNUCe65frHMnz2R9
MD5:	6DED8FCBF5F1D9E422B327CA51625E24
SHA1:	8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
SHA-256:	3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
SHA-512:	BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=N...........!................N#... ...@....@.. ..............................T.....@.................................."..O....@..P....................`......."............................................... ............... ..H............text...T.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................0#......H.......0U..l...........P%.../..P ......................................6..`N.?O...%.C.k_..d...I......5a.......9x......R...gg8...JM...`.[. .o..eE1$_.M.h.q.oz..1..........@....s.c/J..wk.D.....t..&...(.......0..2........r...p(....}.......}"....(........(.........(......r...p(....}.......}"....(........(......0..j.........o....-..s#...+..}......(......(......}.....(....s....}......}......}......(......%-.&r...p}......j(#...rr!..p.{.....{.....B...(....*..0..A........{..

C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	574376
Entropy (8bit):	5.8881470355864725
Encrypted:	false
SSDEEP:	12288:ZzfhypmNGgHA37YyUD1AboTf3xnpJbC8VGSBJjRuz7:ZoI1AbQf3xnpJbC8VLBJjRuz7
MD5:	8F81C9520104B730C25D90A9DD511148
SHA1:	7CF46CB81C3B51965C1F78762840EB5797594778
SHA-256:	F1F01B3474B92D6E1C3D6ADFAE74EE0EA0EBA6E9935565FE2317686D80A2E886
SHA-512:	B4A66389BF06A6611DF47E81B818CC2FCD0A854324A2564A4438866953F148950F59CD4C07C9D40CC3A9043B5CE12B150C8A56CCCDF98D5E3F0225EDF8C516F3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ot............" ..0.............6.... ........... ....................................@....................................O.......................................T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...P............................................................(......(....^.(...........%...}....:.(......}....:.(......}......(....:.(......}......{......(......(....:.(......}......{.....(.............}.....(......{.....X.....}......0...........-.~.....~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{E....3...{D......(....,...{D.....{F.......-.....0...........-.r...ps....z.o......-.~.....~....X...+....b..

C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	561424
Entropy (8bit):	4.606896607960262
Encrypted:	false
SSDEEP:	6144:XqqUmk/Rik2rH6dl0/IaHNpOVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QyMYFLse:DUK
MD5:	928ED37DB61C1E98A2831C8C01F6157C
SHA1:	98103C2133EBDA28BE78BFE3E2D81D41924A23EE
SHA-256:	39F6A4DB1BE658D6BAFF643FA05AAE7809139D9665475BFCA10D37DCA3384F21
SHA-512:	F59387BFA914C7DB234161E31AD6075031ACA17AAEF4B8D4F4B95C78C7A6A8D0E64211566CA2FD4549B9DA45231F57A4191FBCD3809404653F86EE2ABD4937A4
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s

C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	215862
Entropy (8bit):	5.849338245796311
Encrypted:	false
SSDEEP:	3072:rFi6z/VXzAf3oc8+vat7fvYnDAdOVz5kNx:rxFSI+y1qk6zuNx
MD5:	9D21A25AA1B5985A2C8CBCE7F7007295
SHA1:	86EBF56352B4DBB831FAE0CCA180B4ADD951240D
SHA-256:	E41F984C39183BA4FD1578134D71E203F4A7A8C23F278924562876326FC40EE2
SHA-512:	EE4A1AC97968F2DDA3C54A49AC33D3FCE28C4DAE72032D9FDD1F8D8BA41B07A1D78D15E11586DA54AD5E0F2BD4A48C79A0CBAC84DE3D957B2AC6C1B5F41A33BB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	875520
Entropy (8bit):	5.621956468920589
Encrypted:	false
SSDEEP:	12288:jsRfnBqqvFXWesd2HiZ9fyn+5FHrvUR1Qnzx7LuQ:jsRITeWAQ5vtu
MD5:	B03C7F6072A0CB1A1D6A92EE7B82705A
SHA1:	6675839C5E266075E7E1812AD8E856A2468274DD
SHA-256:	F561713347544E9D06D30F02A3DFCEC5FE593B38894593AEEDF5700666B35027
SHA-512:	19D6792EB9BA8584B94D0D59E07CE9D1C9C4DA5516490F4ABCE5AE0D7D55B357BDA45B2093B3E9EB9D6858061E9D3F530A6655C4779A50C911501AE23925C566
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..R...........p... ........... ....................................@..................................p..O.......x............................o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...x............T..............@..@.reloc...............Z..............@..B.................p......H....... .................................................................(......(......(....^.(.......=...%...}....:.(......}....:.(......}....^.(.......>...%...}....:.(......}.....(.............0..,.......(....o.......3......... ....3.(....-.....0..L.......~..... . ..(......(....-..(....r...p( ...,.......&...~....(!...,..("..............+1...........4.......~.....~......(.....~....,..(#...-.(....-..(....+.r...ps$...z(..........b.r...p(%...~.....(....&*.r

C:\Users\user\AppData\Roaming\GamePall\cef.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1946739
Entropy (8bit):	7.989700491058983
Encrypted:	false
SSDEEP:	49152:fpXzD2VLpS71ycdao6LreGCL/0jJZWOiBiXkbEia9T:xjyFgZ0Lr2/0jJU5BiIEN
MD5:	96AD47D78A70B33158961585D9154ECC
SHA1:	149BF6F6905A76B0CC9E9ACA580357BD6C3497A2
SHA-256:	C861117D1F1DBF02867B46FA87CB8C65C3213D196029EE81A02B617D131236E2
SHA-512:	6A971F742B5754EEF39C6C2C64DB13DFDCB74D8CB23833404E9EF5AD89E142278E5DF789F508DB561C5E957013AE0C60D002CDFA93BCD87CA4967D610DF1579B
Malicious:	false
Reputation:	unknown
Preview:	........V...f.....g.7........................!.....%....o8...).>...).F...).H...).X...).a...)i...).k...).q...)Lt...).v...)Tw...).x...).}...).....)I....)i....)....).....).....)L....)....)....)t....).....).....).....)s....).... )....!)....")....#)....$)}...%)+...&)h#..').'..().-..)).>..).A..+).C..,).Q..-)CU...).]..<).d..=).l..>)i...?)G...@)H...A)r...B)....C)z...T)....U)....V)+...W)....X)....Y)....Z)....[)#...\)}...]).!..^)R1.._).2..`).;..a).=..b)mE..c)QG..d).H..e)qL..f).U..g).]..h).b..i))d..j).e..k).g..l)Pi..m).p..n).z..s).z...).....)b....).....)'....).....)....)....).....).....)....).....)s....)F....)j....)....).....)....)....)....)h....)H....)....).....).....)k....).....)L....)q....)2....).....).....).....).....).....)N....)\|....).....).....).....).!...).)...).6...).C...)RE...).L...).N...).O...).U...)bV...).W...).^...)o_...)(g...)Si...).v...).....)0....)/....).....),....)..........F....]....3....v........v...................$... ....!8..."....#....$....%*..

C:\Users\user\AppData\Roaming\GamePall\cef_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	214119
Entropy (8bit):	7.955451054538398
Encrypted:	false
SSDEEP:	6144:m5S+8U5mtp0ra7rFrJzw95T9OHCZg0Gb0OveGe04mExhLY:mWU5OGUFoqoORehrQ
MD5:	391F512173ECEC14EB5CE31299858DE1
SHA1:	3A5A41A190C1FB682F9D9C84F500FF50308617FC
SHA-256:	E0F5C754C969CCA0AC4594A6F3F2C23D080A09EEA992AF29E19F4291FD1E0B06
SHA-512:	44D7B9BCB3544C3F5550150EF3522BF6A0B36900695E6A13E44F5616E16A058548189D4FEA4A22248B1CB2B273B0EAA7D559EB2D8F013BED520E4097BD45D800
Malicious:	false
Reputation:	unknown
Preview:	........................#.b...&.....:.g....7.....7.....7.....7\|(...7.-...7t5...7.6...7.9...7s:...7hB...7.E...7.G...7.K...7qN...7.Q...7yR...7.S...7.W...7.\...7.b...7.i...7.k...76m...7Vq...7.r...7.v...7.y...7.{...7.~...7Z....75....7;....7W....7.....7c....7u....7b....7.....7.....7.....7Q....7*....7\....8."...8,)..<FqG..=F7I..>F.L..?F$O..@F.P..AFaQ..BFnT..CF.W..DF.Y..EFJ\..FF.^..MF(b..NF.c..QF.e..RF.f..YFZg..ZF.p..[F.x..\F.{..]F.{...L.\|...L.....L....Ni....N.....NJ....N2....N+....N^....No....N9....NK....N....N1....N$....N....Nh....N.....N.....U.....U.....U.....U.....U.....U[....U.&...Uh(...U?/...U.4...U.:...U.@...U.B...U,G...U.K...U)N...U.R...UF\...U.`...U.b...U.j...U]s...UEt...U.u...U.w...U.z...Uh{...U.}...U#....U.....U^....U.....U\|....U.....U.....U.....U.....U.....U.....U.....U.....U.....U]....U?....U.....U9....U....U.....Um....U<....U!....U.....U.....U....Uq....U3....U!....U.....U....U.....Uu....UJ....U.....U.....U.....U.....U`....U'....U.....U.....Ul....U%....U7....U.....U.....UW.

C:\Users\user\AppData\Roaming\GamePall\cef_200_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	290001
Entropy (8bit):	7.9670215100557735
Encrypted:	false
SSDEEP:	6144:tS+8U5mtp0ra7rFriDQYaF+9bQHgs4jTlmOHCZVWGMRe8InVXYopym74:CU5OGUFrfs4gs4jTQ6ebVIo374
MD5:	BF59A047984EAFC79E40B0011ED4116D
SHA1:	DF747125F31F3FF7E3DFE5849F701C3483B32C5E
SHA-256:	CD9BE67AA0527F16E309189FA2369E1A2596D0601A7D55C405F8A619F4D095E9
SHA-512:	85A545758E8C89EF47BF11B553C57D23ED7DA6AE89A8BCCB262F509AABE61A1121C3F87EC9200791F2670225BAEECC3C92AED6AFDA86C08CA0FD611DA2E595D2
Malicious:	false
Reputation:	unknown
Preview:	........................#.....&.....:......7.....7.....7.....7.+...7.1...7.8...7.9...7)<...7.=...7xE...7.H...7.J...7'N...7.Q...7.T...7.U...7.W...7.Z...7._...7.e...7.l...7.n...7Fp...7ft...7.v...7)y...7.\|...7.~...7.....7j....7E....7K....7g....7.....7s....7.....7r....7.....7.....7.....7a....7:....7l"...8.%...8<,..<F.J..=F.N..>FtV..?F9\..@Fw_..AFr`..BF0g..CFll..DF\|o..EF.v..FF){..MF....NF...QFf...RF....YF`...ZF...[F....\F....]F....L....L.....L.....N.....N.....N.....N.....N.....N.....N.#...N.&...N.'...N.)...N....N.+...Nv,...N.-...N;r...N.\|...Um....U.....UM....UV....U.....U....UC....U.....U....UM....U.....U.....Um....U.....U.....U.....U.....UQ....U.....U7....U.....U.....Uk....U.....U.....U.....U.....U.....U.....U.....U.....U.....U{....U.....U.....U.....U~&...U.)...U.Q...U.Q...U.V...U.[...U.\...U._...U.`...U?a...U.a...Uic...U.d...U\f...U.g...U.i...U1l...U.p...U.u...U.}...U.....U.....U^....U.....U.....Ux....U....U.....Uy....U6....U.....U....UR....Uq....U.....U.....U_....U.....U.....U..

C:\Users\user\AppData\Roaming\GamePall\cef_extensions.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1305142
Entropy (8bit):	7.99463351416358
Encrypted:	true
SSDEEP:	24576:8AkckSbnVLjWG13xdT0b+SLzRYt2k+lbG9EjJNH/osm22O+EcRfPLP:88zVXWG1hdAKSxY4k5EFNHgvPPLP
MD5:	20DDA02AF522924E45223D7262D0E1ED
SHA1:	378E88033A7083AAC24E6CD2144F7BC706F00837
SHA-256:	8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
SHA-512:	E71320B2AA0CB52938206EC00187D78274646C4C7D3579B33A0163262C063B7813FE7ACD0D2E5807082ADE772069AA577FED7F594964790C2F7C061CE38467B6
Malicious:	false
Reputation:	unknown
Preview:	........i...f+....i+....l+....m+{...n+q...o+7(..p+.1..q+X3..r+~5..s+aI..t+.]..u+.f..v+Ui..w+'k..x+.l..y+.q..z+.s..{+O{..\|+...}+=...~+.....+....+-....+.....+.....+.....+.....+.....+.....+.....+.....+.....+%....+.....+&(...+.Q...+.Y...+Xe...+Bj...+cv...+.}...+....+H....+....+Q....+l....+I....+.....+ ....+T....+!....+m....+.....+.....+U....+.....+.....+.....+l....+~....+.....+=....+w....+.....+-"...+.(...+.0...+.2...+.4...+.G...+uS...+.....+9....+y....+.....+.....+N....+....+0....+.....+.....+.....+_....+.....+.....+.....+.....+.....+.....+.....+.....+S....7`....7R...(7/...)7.....L.m...LO....L.....Mk....M.....M.....M>....M.....M.....Mq....M.....M.....M\....M.....M.....M.....M.....M.....M.....M.....M.....M.....MO....M.....M.....M.!...M.(...Mf5...M.;...M&E...M.P...M.T...M<]...M.`...M.j.. M.k..!M2v.."M.w..#M.z..$M....%M...&M...'M#...(M@...)M....*M(...+MY...,Mu...-M$....M..../MV...0M;...1Mx...2M....3M....4Mi...5M....6M....7MP...8M"...DM....EM.....Mi....M.~...M.~...Mb....M_....M....M.

C:\Users\user\AppData\Roaming\GamePall\cef_sandbox.lib

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	87182312
Entropy (8bit):	5.477474753748716
Encrypted:	false
SSDEEP:	196608:v0b1XAJ5V8XYcrfCNJsTtU0ZhdYHbgMnn6d25JOcLRiLnIrBcnK0EAeg1GF:78JaNJyZhdE6383rWEAR8
MD5:	FFD456A85E341D430AFA0C07C1068538
SHA1:	59394310B45F7B2B2882D55ADD9310C692C7144F
SHA-256:	F188B96639B5157E64222BB8483D76CD21A99141FC2614EF275E20639C739264
SHA-512:	EB4CB388383CB37B1D89531D560169985A80DF9335F005AFBBFDE56F9031821A933D735138B1086CF81D006E480FF14711A8A95B3DB8A0FD4037AA6EFD926B50
Malicious:	false
Reputation:	unknown
Preview:	!<arch>./ 1696073295 0 1940897 `...Y..:.t.:.>.:...:...:...:...:...;/..;/..;/..;/..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..@...@...@...@...@...A...A...A...A...A...A...A...A...A...A...A...A...Co..Co..Co..Co..Co..Co..Co..Co..Co..Co..E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...G..G..G..G..G..G..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=.

C:\Users\user\AppData\Roaming\GamePall\chrome_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	656926
Entropy (8bit):	7.964275415195004
Encrypted:	false
SSDEEP:	12288:fI3Hdjzgsz5B0GDJQrnKs8SNP+QSsSilRBdNze0Vc+gIXgt4z8oO0TehEr7:g397zEEmPLSOdNze05gUgmz8oO0TOW
MD5:	3404DD2B0E63D9418F755430336C7164
SHA1:	0D7D8540FDC056BB741D9BAF2DC7A931C517C471
SHA-256:	0D3FCA7584613EB1A38BAF971A7DD94F70803FC130135885EC675E83D16A4889
SHA-512:	685D63633DB8A57D84225C2B92C92016E1CE98BA2BF8D3DDACE2EB120B3BCF84C718787D59DB6EC61F34CF91CB651500B4E4FF0AC37AEB89561CDCC586946C80
Malicious:	false
Reputation:	unknown
Preview:	..........+...........................&..........;.....;N....;.....;"....;.....;.....;N....;.....;.....;s....;....;.....;.....;....;4....;.....;.....;0....;.....;c....;7....;.....;.....;.....;.....;?....;:....;G....;.....;n....;x....;.....;.....;.....;#....;.....;.....;B....;.....;.....;.....;N....;.....;.....;+....;.....;% ...;c!...;.!...;."...;E+...;t4...;qH...;I\...;.]...;.^...;>a...;.c...;.g...;.o...;pw...;.\|...;h....;.....;.....;....;.....;....;o....;.....;.....;.....;....;y....;.....;.....;3....;9....;h....;.....;.....;.....;F....;."...;.+...;.0...;.8...;?:...;'X...;.q...;.....;....;.....;t....;.....;.....;.....;./...;.X...; m...;....;.....;.....;.....;+....;.....<O....<.....<.....<=....<2$...<y+...<.3...<.<...<aA...<.L...<.W...<.[...<._...<.d...<Dv...<t....<!....<....<....<.....<.....<.....<V....<.....<.#...<.8...<\|F...<hP...<bW.. <i^..!<ts.."<(...#<{...)<`...<c...+<d...,<"...;<x...<<k...=<....><-...?<....@<....A<'...B<g...C<....D<U...E<....F<....G<....J<....K<....L<v%

C:\Users\user\AppData\Roaming\GamePall\chrome_200_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1017158
Entropy (8bit):	7.951759131641406
Encrypted:	false
SSDEEP:	24576:m3Tl5zLmmibkFR8+mZRUumegvQtc05UwvdAbatzk6edhOLoe9:m3Tl53mNbkFRJmHURhQW05JvdlzkjrOH
MD5:	3FBF52922588A52245DC927BCC36DBB3
SHA1:	EF3C463C707A919876BF17C3E1CD05C0D2C28CA9
SHA-256:	C6FE346106C5E4950161ED72EB0A81FE3537A94E4A59461AAF54E750D1904F76
SHA-512:	682EB6D61B564C878FDB971A6439FCDA9F1E108BD021A32E8990B68B1338986A4866A0965DEA62567501C8826D43CEBF2B7C8BE8323DE415A75E8D89A9D592E7
Malicious:	false
Reputation:	unknown
Preview:	..........+.....................b................;.....;&....;.....;.....;.....;.....;b....;....;8....;.....;.....;o....;....;<....;.....;.....;l....;....;/....;.....;[....;Q....;.....;j....;.....;.....;L'...;.E...;lZ...;.o...;.q...;.r...;.s...;.{...;.{...;.~...;"....;.....;U....;.....;.....;.....;....;d....;.....;.....;i....;.....;f....;....;0....;.....;.....;.(...;+...;.+...;A....;54...;.9...;,O...;.`...;.n...;.~...;.....;.....;M....;....;;....;q....;Z....;.....;.....;.-...;\=...;.P...;.d...;@\|...;.....;Y....;#....;_....;/....;.....;.#...;.;...;.J...;gc...;cf...;W....;....;W....;.....;.....;.....;7....;.-...;.I...;Y\...;W....;....;.....;S....;.....;t....;.....;.....<W....<.&...<9<...<iG...<jQ...<.X...</a...<gi...<.n...<Pz...<.....<f....<.....<I....<.....<.....<.....<4C...<4d...<....<....<.....<.....<.....<D8...<.e...<_....<....<.... <I...!<...."<.E..#<.E..)<.G..<%j..+<N...,<....;<....<<v...=<....><....?<....@<y...A<....B<....C<....D<....E<"F..F<.J..G<.O..J<.X..K<.e..L<.r

C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1174528
Entropy (8bit):	6.475826085865088
Encrypted:	false
SSDEEP:	24576:I3lp87thPKuxyj+tWF8lCwOvzr90p5OM3:FauY+tWF8b5OM3
MD5:	207AC4BE98A6A5A72BE027E0A9904462
SHA1:	D58D2C70EA0656D81C627D424F8F4EFCCEF57C86
SHA-256:	2BA904DA93ACC4766639E7018AC93CC32AA685DB475F3A59B464C6BC8B981457
SHA-512:	BFB6C58774829DB3D5FADC92CB51477FF4EAC8FB934DB6583A312BB1157468F6DD3A4A3AFAF25A687B74890DC8A69857A12D0B38B18D83E82836E92E02046FF3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....v...p......P.....................................................@A........................vT......AX..<.......x...........................<<.......................;......(...............<[.......O.......................text....u.......v.................. ..`.rdata..\............z..............@..@.data...H...........................@....00cfg...............F..............@..@.crthunk.............H..............@..@.tls.................J..............@...CPADinfo(............L..............@...malloc_h.............N.............. ..`.rsrc...x............P..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2106216
Entropy (8bit):	6.4563314852745375
Encrypted:	false
SSDEEP:	49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
MD5:	1C9B45E87528B8BB8CFA884EA0099A85
SHA1:	98BE17E1D324790A5B206E1EA1CC4E64FBE21240
SHA-256:	2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
SHA-512:	B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.h...;...;...;..];...;...;...;.._;...;..h;0..;..i;'..;..X;...;..l;D..;?M.;...;..Y;...;..^;...;Rich...;........PE..L...92.K...........!.........d...............................................p .....O. ...@.........................@.......@...P..................... .h............................................i..@............................................text...S........................... ..`.data....~.......B..................@....rsrc................(..............@..@.reloc..D............,..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4127200
Entropy (8bit):	6.577665867424953
Encrypted:	false
SSDEEP:	49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd
MD5:	3B4647BCB9FEB591C2C05D1A606ED988
SHA1:	B42C59F96FB069FD49009DFD94550A7764E6C97C
SHA-256:	35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
SHA-512:	00CD443B36F53985212AC43B44F56C18BF70E25119BBF9C59D05E2358FF45254B957F1EC63FC70FB57B1726FD8F76CCFAD8103C67454B817A4F183F9122E3F50
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!7P.OdP.OdP.Od..NeR.OdP.Nd..OdY..dU.Od.Jem.Od.KeQ.Od...dQ.Od..Leo.Od..Je..Od..OeQ.Od..Ge..Od..Kec.Od...dQ.Od..MeQ.OdRichP.Od................PE..L..................!.....2<..*...............P<...............................?.......?...@A.........................<<.u.....=.P.....=.@.............>..%....=.........T....................u..........@.............=..............................text...e0<......2<................. ..`.data...`"...P<......6<.............@....idata........=.......<.............@..@.rsrc...@.....=.......<.............@..@.reloc........=.......<.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\devtools_resources.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	2205743
Entropy (8bit):	7.923318114432295
Encrypted:	false
SSDEEP:	49152:qHlbrhXKMVp/DVegxF2Xe1WFG4F3KMWB7rwz3yY+23:qFnhXKwggr0cWEgaMi7rwrw23
MD5:	54D4E14BFF05C268248CAB2EEDFB61DD
SHA1:	33AF472176F6E5FB821FFE23C9FBCCC7C735B5B9
SHA-256:	2CAC401BFFA9FD4DFFE11E05EE18FC5CA7A30EC5BF7EF6A3EA8518A4F3344790
SHA-512:	5A6893E7EA30EAA0EFF44687B0D15366A8224E476E4AE8FE0D5C7EF2B3C62E6B0184F73EAD36C4E4E08D6936524CEF8429660B3EC29453EED128E3C5368CE78C
Malicious:	false
Reputation:	unknown
Preview:	........K....[.....[.....[.....[Y....[.....[.....[.....[.....[P ...[.!...[."...[.#...[.$...[.%...[.%...[T&...[0'...[/(...[.(...[.(...[....[.+...[{,...[1-...[.-...[3....[b/...[.0...[.1...[.2...[.3...[,4...[.4...[P5...[.5...[#6...[!8...[.8...[.9...[.9...[::...[q;...[Y=...[.=...[ ?...[.@...[0A...[iB...[?D...[.E...[pE...[UF...[.G...[.H...[)I...[.I...[.M...[.M...[DN...[.N...[FO...[.O...[.Q...[oV...[uW...[cX...[[\...[.]...[Ea...[bc...[.c...[ d...[.d...[oe...[.f...[.h...[.i...[Xj...[.k...[.l...[An...[.o...[.p...[.....[....[.....[.....[.....[.....[[!...[.%...[d....[x1...[.4...[.4...[.9...[.C...[.Q...[KS...[#V...[=]...\.b...\.z...\Q}...\.....\.....\....\`....\.^...\7b...\uy...\g....\.....\.....\=....\....\....\....\'....\.....\....\.... \....!\...."\....$\....%\....&\....)\....\....+\.Q..,\.S..-\.U...\..../\w...0\....1\8...2\....3\....4\....5\....6\....7\.T..8\.z..9\6...:\....;\c...<\)&..=\...>\>5..?\JU..@\.r..A\....B\9...C\....D\S...E\....F\\y..G\Y...H\%...I\....J\M...K\.a..L\.j..M\.n

C:\Users\user\AppData\Roaming\GamePall\icudtl.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	10717392
Entropy (8bit):	6.282534560973548
Encrypted:	false
SSDEEP:	196608:hpgPBhORiuQwCliXUxbblHa93Whli6Z86WOH:n8wkDliXUxbblHa93Whli6Z8I
MD5:	E0F1AD85C0933ECCE2E003A2C59AE726
SHA1:	A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
SHA-256:	F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
SHA-512:	714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
Malicious:	false
Reputation:	unknown
Preview:	...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW..K..P...L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..

C:\Users\user\AppData\Roaming\GamePall\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	377856
Entropy (8bit):	6.602916265542373
Encrypted:	false
SSDEEP:	6144:oJ4tr7XVkL/2qBCOeRMIKVpqtXmzKwdo23zqyU73omBT095OiZH:2NfBCOeR/KVpqtio23zqyOsOo
MD5:	8BC03B20348D4FEBE6AEDAA32AFBBF47
SHA1:	B1843C83808D9C8FBA32181CD3A033C66648C685
SHA-256:	CBEE7AC19C7DCCCA15581BD5C6AD037A35820DDFE7C64E50792292F3F2E391E6
SHA-512:	3F9EEC2C75D2A2684C5B278A47FB0E78B57F4F11591FAC4F61DE929F716BBAA8F7DF05E10390408AD6628538611541548C26869822372E9C38D2C9C43881651E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....`...`............................................... ............@A........................8,..h....:..(.......x........................>..........................D........p..............(<..`............................text....^.......`.................. ..`.rdata..L....p.......d..............@..@.data....4...p.......`..............@....00cfg...............\|..............@..@.tls.................~..............@....rsrc...x...........................@..@.reloc...>.......>..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6635008
Entropy (8bit):	6.832077162910607
Encrypted:	false
SSDEEP:	196608:HrmMLEFtac5bM68f8Oi3WjH13GzSW3430aTwQCe:a+ktad68f8Oi3oH13GztokaTwbe
MD5:	63988D35D7AB96823B5403BE3C110F7F
SHA1:	8CC4D3F4D2F1A2285535706961A26D02595AF55C
SHA-256:	E03606B05EEAED4D567EA0412350721C0D566B3096B18C23BD0B3FCDE239E45A
SHA-512:	D5F5ACA00BE9E875FCD61531CC7F04F520FB12999E36E4FE06BEAAE491B47D2E9FE182015DB1CBFBB8E78CF679F2EB49E20ECDF1B16D1D42058D6F2D91BC3359
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!......L...........@.......................................e...........@A.........................].......^.d.....a.......................a.."...U]......................T].....X.L.............H.^.@.....].@....................text.....L.......L................. ..`.rdata...I....L..J....L.............@..@.data...X....._.......^.............@....00cfg........a.......a.............@..@.tls..........a.......a.............@....rsrc.........a.......a.............@..@.reloc..."....a..$....a.............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\libcef.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	176517632
Entropy (8bit):	7.025874989859836
Encrypted:	false
SSDEEP:	1572864:VSuR7JVHywK/Sf1rWID4Pu2v8zgguHWJEqM90Hw4DclJkBLrWXmfnehuWNIPKtlL:MCYRNIPKYTFBhfmOS9KBaVz
MD5:	F5259CC7721CA2BCC8AC97B76B1D3C7A
SHA1:	C2FC0C8396D8CD6764809A2A592972E2EBCA64BA
SHA-256:	3FE6A262EF01CB8FD4DC2D4373DE0F1F0A89EE51953452ED4557CB55F1DA9AB4
SHA-512:	2D01B1F2B24717EFF37965BBC32D167434A65F3DFFF74342D2E2FA8FBB0E97C3F61FDF673A13AD63031D630D9CE46A6F9F0C4F89EBD30C31F3EA55817B9D1331
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.........N.......k....................................................@A........................#..........h....0J.(C....................L.\|.\.P................................?..............`.......LY..@....................text............................... ..`.rdata...%2..0...&2.................@..@.data...dr+..`.......>..............@....00cfg........I.......&.............@..@.rodata.@.....I.......&............. ..`.tls..........J.......&.............@...CPADinfo(.....J.......&.............@...malloc_h..... J.......&............. ..`.rsrc...(C...0J..D....&.............@..@.reloc..\|.\...L..0\..B).............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\libcef.lib

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	40258
Entropy (8bit):	4.547436244061504
Encrypted:	false
SSDEEP:
MD5:	310744A0E10BD9C2C6F50C525E4447F9
SHA1:	9BA62D6AC2CB8EFF46C9B21051677FC1DC66D718
SHA-256:	E9C55CFF925E26812139CDCAD6612E0D69E317CB7BB1435C9EB5113D338ACCE7
SHA-512:	6DF9E3F9AFD7CDEC750B006987E5AEC445E163DD0B9CF1A9EA53F78DB2EE5FD654E3B4F82BCA3E1F4BEDB189F5DFA51189C820905676AD048DBE2E0AD405BF5B
Malicious:	false
Reputation:	unknown
Preview:	!<arch>./ 0 0 0 0 14390 `.......8z..:&..:...;...;...<&..<&..<...<...=...=...=...=...>...>...>...>...>...>...?f..?f..?...?...@B..@B..@...@...A$..A$..A...A...B"..B"..B...B...C...C...C...C...D...D...D...D...D...D...E...E...E...E...Fn..Fn..F...F...GZ..GZ..G...G...HJ..HJ..H...H...I$..I$..I...I...J...J...J...J...K ..K ..K...K...L...L...L...L...M...M...M...M...N...N...N\|..N\|..N...N...Od..Od..O...O...P`..P`..P...P...QP..QP..Q...Q...RT..RT..R...R...S@..S@..S...S...T...T...T...T...U...U...Un..Un..U...U...VP..VP..V...V...W,..W,..W...W...X...X...X...X...X...X...Y\..Y\..Y...Y...ZB..ZB..Z...Z...[,..[,..[...[...\...\...\...\...\...\...]b..]b..]...]...^N..^N..^...^..._6.._6.._..._...`$..`$..`...`...a...a...a...a...b...b...b...b...c...c...c...c...c...c...dj..dj..d...d...e^..e^..e...e...fV..fV..f...f...g8..g8..g...g...h..h..h...h...i"..i"..i...i...j...j...j...j...k...k...k...k...l...l...l...l...l...l...mh..mh..m...m...nN..nN..n...n...o2..o2..o...o...p...p...p.

C:\Users\user\AppData\Roaming\GamePall\locales\af.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	470498
Entropy (8bit):	5.409080468053459
Encrypted:	false
SSDEEP:
MD5:	64F46DC20A140F2FA3D4677E7CD85DD1
SHA1:	5A4102E3E34C1360F833507A48E61DFD31707377
SHA-256:	BA5CA0A98E873799A20FD0DF39FDB55AAB140E3CC6021E0B597C04CCE534246D
SHA-512:	F7D789427316595764C99B00AF0EF1861204F74B33F9FAB0450F670CB56290C92BFB06EF7D1D3B3BF0B6ACDC6295E77F842C49579BD9973E3D5805920CDB2527
Malicious:	false
Reputation:	unknown
Preview:	........$$..e.>...h.F...i.N...j.Z...k.i...l.t...n.\|...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................&...........5.....<.....C.....D.....E.....J.....W.....f.....w.................x.................A.......................S.........................................%.....{.......................V.......................J.......................Y.......................e.......................a.......................l...................................O.....f.......................).....z.......................6.....u.......................Q.......................E.....w.................!.....I.....R.............................l.......................f.................+.............................f.......................D.......................<......................._.......................2.....~.................2.....v.................X...........$.....8.................P.....r...........6.....j.....}.................1.....?...................

C:\Users\user\AppData\Roaming\GamePall\locales\am.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	763010
Entropy (8bit):	4.909167677028143
Encrypted:	false
SSDEEP:
MD5:	3B0D0F3EC195A0796A6E2FAB0C282BFB
SHA1:	6FCFCD102DE06A0095584A0186BD307AA49E49BD
SHA-256:	F9F620F599BC00E84A9826948C3DA985AC9ADB7A6FFB4C6E4FBEFEAF6A94CF85
SHA-512:	CA9217F22C52EF44E4F25142D1AD5DD9D16E4CCC3B6641609E1F4C2650944E35BA4CAB59CA5CD9EA6FEFD6BE1D3E8227FC0E3E6BDEDD14B059CA2C72D096D836
Malicious:	false
Reputation:	unknown
Preview:	........>${.e.r...h.z...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.(...\|.....}.@.....H.....M.....U.....].....e.....l.....s.....z.....{.....\|...............................................F.....f.....'...........V...........Y.............................5.................F.................!.................d.....z...............................................C...........\.................z...........h...........3...........$.....C.................e.................i.................,.......................X.............................h.......................!.....\|...........$.............................1.....}.........................................Z.................\|...........'.....N...........F.................;.............................G.................v............ ....4 ..... ....X!.....!.....!....x"....."....Z#.....#....M$.....%.....%.....%.....&....+'.....'.....'.....(....D).....).....)....2....................+....",.....,

C:\Users\user\AppData\Roaming\GamePall\locales\ar.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	838413
Entropy (8bit):	4.920788245468804
Encrypted:	false
SSDEEP:
MD5:	C70B71B05A8CA5B8243C951B96D67453
SHA1:	DEED73A89F0B3EDAB8FF74117CC6B31CB4F426E8
SHA-256:	5E0D4BC0893A334B6FFF610F66E4A00920530D73EC3257EB9D37A96EBD555C13
SHA-512:	E000FD3592AC5FE700C4CE117868915C066AC66D5954A1DE4F5AFF0F4559C93F7DFF47623F1837CE827FFF94E91ECD89A974037BE9CCCC8E672E229A1E8115E9
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.!...n.)...o.....p.;...q.A...r.M...s.^...t.g...v.\|...w.....y.....z.....\|.....}.........................................................................-.....d.................n...........A...........u.......................O.......................D.................Y...........3.....J...........=.....g.....~.....&.................O.......................B.....!...........u...........5...........).....W.................3.....N.....U.....B...........!.........../.....Y........... .......................g...........).....I.................#.....A...........@.................6........... .....D...........I.................%.............................=.................?...................................G...................................).....t............ ..... ..... ..... ....o!.....!....6"....\"....."....S#.....#.....#.....$.....%....V&.....&....5'.....'.....(....J(.....(....X).....).....).........z..............t+.....,....{,.....,....--

C:\Users\user\AppData\Roaming\GamePall\locales\bg.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	869469
Entropy (8bit):	4.677916300869337
Encrypted:	false
SSDEEP:
MD5:	12A9400F521EC1D3975257B2061F5790
SHA1:	100EA691E0C53B240C72EAEC15C84A686E808067
SHA-256:	B7FD85B33B69D7B50F6C3FDC4D48070E8D853C255F2711EEDAA40D1BA835F993
SHA-512:	31EAA1CBF13BC711750B257C6B75813ACC8E4E04E9262815E399A88B96BA7B5BE64CE2450638B5521D5CB36750C64848944168C3234D2CE15A7E3E844A1E1667
Malicious:	false
Reputation:	unknown
Preview:	........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....L.....n...................................I...........Q...........q.......................T.................E.......................7.....~...........<.................:.....&...........F.................X...........$.................Z...........X...........m.................C.........................................{...........:.....a...................................8................._...........O.....}...................................$.....h.........................................2.............................3 ....e .....!.....!.....!.....".....".....#....W#.....#....{$....-%.....%.....%.....&....k'.....'....T(.....).....).....).....).....*....`+.....+.....+.....,....p-.....-....&....../...../.....0.....0.....1....o2.....2....73.....4.....4.....4....-5.....5....X6.....6.....6.....7.....8.....9

C:\Users\user\AppData\Roaming\GamePall\locales\bn.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1118348
Entropy (8bit):	4.2989199535081895
Encrypted:	false
SSDEEP:
MD5:	89A24AF99D5592AB8964B701F13E1706
SHA1:	2177122C6DCC20E1D07EF43AF5A112E8E5C6B95B
SHA-256:	5BDBBCD0D07B6AE3A7F96F07871EE541F4111D90D73FD6E112C5ABE040025C96
SHA-512:	60F6CD73BF35886EF54FA6200F86BCED78DD11F612C8071F63EB31108F109C166D45609879E8E5107024A025BAFCFCF1C80051B6D8FF650D92DCF17136384EB1
Malicious:	false
Reputation:	unknown
Preview:	........($..e.F...h.N...i._...j.k...k.z...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......#.....(.....0.....8.....=.....E.....L.....S.....Z.....[.....\.....a.............................=.....G...........?.....4...........................................................B.....}.....>...........k...........X...........].............................q.....W...................................W...........S...........e.............................I.....m.....e..........._.....(.................9...........q.................p...........5.....X.....8...........Q...........M...........I.....u.....-...........!.....G............ ..... ..... .....!....P".....".....".....#.....%.....%.....&.....'.....'....^(.....(....;).....).........6.....+.....+....1,....],....E-................-/...../....x0.....0.....0.....1.....2.....2.....3...."4.....4....x5.....5.....6....78....*9....]9.....:.....;....;<.....<.....=....?>.....>.....>.....?....y@.....@.... A....&B.....B

C:\Users\user\AppData\Roaming\GamePall\locales\ca.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	537139
Entropy (8bit):	5.397688491907634
Encrypted:	false
SSDEEP:
MD5:	37B54705BD9620E69E7E9305CDFAC7AB
SHA1:	D9059289D5A4CAB287F1F877470605ED6BBDA2C8
SHA-256:	98B2B599C57675EFC1456B38B23CE5657B142E0547F89AB1530870652C8EB4BA
SHA-512:	42D667FEB59BB5FA619AC43DC94629ED1157CBE602643FB21378A2C524EF1F6E32098E7C62D3F3DE35D9FEDEF6607FE034908601AE3C49156CD0916E2514D2F9
Malicious:	false
Reputation:	unknown
Preview:	........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....I.....c.....\|................._...........[.....z...........O.................D...........(.....G.................B....._.................A.....T.................8.....I...........3.....u...........(.......................p.................,.......................1.................T.....o.............................v.......................b.......................@.......................@.......................O.......................<.............................`.......................P.........................................M.......................H......................._.........................................n.......................Q.......................[.............................1.................>.........................................6.............................\|...........".....>.

C:\Users\user\AppData\Roaming\GamePall\locales\cs.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	545011
Entropy (8bit):	5.844949195905198
Encrypted:	false
SSDEEP:
MD5:	65A2C2A73232AB1073E44E0FB6310A5F
SHA1:	F3158AA527538819C93F57E2C778198A94416C98
SHA-256:	E9A1610AFFCA9F69CD651C8D2EDD71B5A0F82CB3910A8A9D783F68E701DB5BB0
SHA-512:	20ED527F3BBBA2CECE03D7B251B19D6DCC9D345B5425291D8139FCDD5646EC34D585891160CC4BD96C668D18FFFFDD56F4D159880CFC0D538749F429F7F65512
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.&...i.....j.:...k.I...l.T...n.\...o.a...p.n...q.t...r.....s.....t.....v.....w.....y.....z.....\|.....}.................................................#.....$.....%.....'.....7.....I.....[.....p.............................\|.................%...........(.........................................3......................./.......................2.......................z...........I.....k...........R.......................v................./.......................z...........=.....W.................&.....=....................... .....o.......................^.......................r.......................m.......................b.......................z.................0...........%.....i.......................3.....G.......................(.......................1.................R................./.....J.....^...........A.....q.................`.................,...................................V.....w...........Z.......................O.....t.................b.......

C:\Users\user\AppData\Roaming\GamePall\locales\da.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	496165
Entropy (8bit):	5.446061543230436
Encrypted:	false
SSDEEP:
MD5:	A44EC6AAA456A6129FD820CA75E968BE
SHA1:	9B5B17AFD57ADB8513D2DA9A72223E8A003975A5
SHA-256:	F01F9C3E4E6204425F2969F77BF6241D1111CE86CDD169BDF27E5D2D4B86C91A
SHA-512:	947DB81EA64009CC301CD2DCE06384202E56446F6D75E62390334B91D09B564CB0681E06BF7A945033BD6C28C2171346A91EE16693262C4E373A31B51AD42A9E
Malicious:	false
Reputation:	unknown
Preview:	........,$..e.N...h.V...i.g...j.s...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}."........../.....7.....?.....G.....N.....U.....\.....].....^.....`.....n.....~.........................................Q..................................q.................].......................P.....w.................8.....b.....p...........9.....h.................n.................7.......................^............................. .....p...................................q.......................X.......................1...............................................".............................{.......................Z.......................C.....p.....~...........y.................4.............................l.......................I.....f.....v...........^.................................................................F.......................B...................................O.....~...........J.....z.................$.....@.....M.................F.

C:\Users\user\AppData\Roaming\GamePall\locales\de.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	534726
Entropy (8bit):	5.49306456316532
Encrypted:	false
SSDEEP:
MD5:	49CA708EBB7A4913C36F7461F094886B
SHA1:	13A6B5E8DC8B4DF7A976A0859684DC0AA70F1B12
SHA-256:	8AE7D6B77C51A4FE67459860ABDAE463F10766FAF2BA54F2BB85FD9E859D2324
SHA-512:	6908F96BFDF7499B33E76697AA96103E89ACB3E25EDBD6156B610564AF14D4ED474C547A760503490B6327A801478E223039836BEEF2B938AF76827A15C0F751
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.~...h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.%...y.+...z.:...\|.@...}.R.....Z....._.....g.....o.....w.....~.................................................................X.................E...................................^.....x...........n................./.......................Z...................................U.....w.............................h...........&.....7...........9.....w........... ................. ..........._.................D.......................U.......................h...................................a.....x...........f.........................................F.......................u...........).....;...........j.................A.......................;.......................9.......................t...........,.....`...........-.....K.....b...........G.....s.................}.................T...........,.....6...........S................./.......................K.......................t...........*.

C:\Users\user\AppData\Roaming\GamePall\locales\el.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	950999
Entropy (8bit):	4.76377388695373
Encrypted:	false
SSDEEP:
MD5:	9CBC320E39CFF7C29F61BD367C0BF3BB
SHA1:	2AF07EFFF54A0CF916CF1C0A657F7B7ADF2029FF
SHA-256:	E8837DEFA908EB2FD8B4EB6344412C93403A4258F75EC63A69547EB06A8E53B3
SHA-512:	F7D84185F4520E7AAF3F3CACF38B53E9638BB7D5023FA244020EC8D141FFD5C10B198FF089824D69671FE8350F931B0BB19B6CAF14AF47B0838953367A146DD0
Malicious:	false
Reputation:	unknown
Preview:	........)$..e.H...h.P...i.X...j.b...k.q...l.\|...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...................&...........6.....=.....D.....K.....L.....M.....O.....v.......................5...................................V.................h...........F.....i...........~...........{...........a...........'.................&.......................M.....U.....O............................./.....J.....1..........._...........{.....6................. .............................g.......................<.................J...........8.....t.....O.....).......................U............................................................ ..... .....!.....!.....".....#.....$.....$.....$.....%....\|&.....&.....'.....'....;(....t(.....(....M).....)....;....h....U+.....,.....,.....,.....-....8.....t...........f/....(0.....0.....0.....1....S2.....2.....3....64....Q5.....6....@6....A7....(8.....8.....8.....9.....:....o;.....;....[<....%=.....=.....=.....>.....?....6@

C:\Users\user\AppData\Roaming\GamePall\locales\en-GB.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	430665
Entropy (8bit):	5.517246002357965
Encrypted:	false
SSDEEP:
MD5:	0F1E2BC597771A8DB11D1D3AC59B84F3
SHA1:	C1F782C550AC733852C6BED9AD62AB79FC004049
SHA-256:	E4798E5FF84069C3BFD7D64734CCD9FF5C8A606315B44A714ACDCABDDAF3CA6E
SHA-512:	07E9B98357C880995576059AD4E91E0F145DC0F2FFF2DFDAD8649FA42EB46FA86F7F093503C41019EAD4550784E26C553D171518355FBBF995E38B1F6D7ABFF0
Malicious:	false
Reputation:	unknown
Preview:	.........$ .e.(...h.0...i.>...j.J...k.Y...l.d...n.l...o.q...p.~...q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.....................................%.....,.....3.....4.....5.....:.....G.....V.....f.....w...........J.......................H.....y.................I.......................@.....o.......................?.....M............................._.......................B.......................8.............................[............................V.....a................l............................. .....^.............................A.....b.....n.................H.....[.......................+.....t.......................5.....y.......................:.....c.....n...........'.....d.....y.................).....?.............................G.............................].......................4.....O.....^.................6.....F.................#.....;.................V.....d...........$.....[.....x.................F.....U.............................k.............

C:\Users\user\AppData\Roaming\GamePall\locales\en-US.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	434598
Entropy (8bit):	5.509004494756697
Encrypted:	false
SSDEEP:
MD5:	FEAB603B4C7520CCFA84D48B243B1EC0
SHA1:	E04138F1C2928D8EECE6037025B4DA2995F13CB4
SHA-256:	C5B8FBDBB26F390A921DCACC546715F5CC5021CD7C132FD77D8A1562758F21F4
SHA-512:	E6B3970A46D87BFD59E23743B624DA8116D0E1A9912D014557C38FD2664F513E56317AFA536DF52E7E703863FBD92136BE57EE759A2FFC2958AB028F6287E8B7
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.,...y.2...z.A...\|.G...}.Y.....a.....f.....n.....v.....~.................................................................G.......................\.......................Q.......................T......................./.....t.......................7.....^.....k.................".....9.................!.....9.............................i.......................7.......................!.............................K.....f.....u.............................Y.............................k.......................G.....t.......................7.....B.............................J.......................$.....~.......................^.............................=.....R.............................q.......................X.............................X.......................7.....o.................X.......................k.......................a.......................!.....C.....S.................,.

C:\Users\user\AppData\Roaming\GamePall\locales\es-419.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	524728
Entropy (8bit):	5.377464936206393
Encrypted:	false
SSDEEP:
MD5:	32A59B6D9C8CA99FBD77CAA2F586509A
SHA1:	7E8356D940D4D4CC2E673460483656915AA59893
SHA-256:	AA4A5AA83DD5F8476867005844F54664DB1F5464A855EF47EC3A821DAF08E8F2
SHA-512:	860BA06228BBA31EEC7EB8BD437DDB6E93BABD0129033FB6EFF168F2FB01B54E2B93D2AB50A5D4F5D2FB7B04A5D0DD5541999D708CC2613B74AADD17B3E98735
Malicious:	false
Reputation:	unknown
Preview:	........5$..e.`...h.h...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....j.....\|.......................J...........>.....Y...........1.....v..........."...................................L.....g.................4.....G.................,.....=...........7.....}...........6...................................6.....I.................\.....s..........._.................Z...........2.....Y.......................:.......................".......................0.................R.....e...........).....g.....s.................P.....[.................4.....>.................L.....\...........O.................!.....v.................+.....x.................i.................:.................2.......................!.......................0.................I.....c...........x.............................B.....p...........V.......................G.....j.....}...........n.............

C:\Users\user\AppData\Roaming\GamePall\locales\es.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	523181
Entropy (8bit):	5.356449408331279
Encrypted:	false
SSDEEP:
MD5:	3D1720FE1D801D54420438A54CBE1547
SHA1:	8B1B0735AE0E473858C59C54111697609831D65A
SHA-256:	AE32D66C0329104B9624BA0811FE79149D1680D28299440EC85835DBA41C7BD2
SHA-512:	C033BBB5261EC114DCB076EDB5E4B3293F37D60C813674A947F996606A6289204C04D2E4315356D92EEEB43FF41D534997DBEBBF960B17F2F24AA731AFE4B7E1
Malicious:	false
Reputation:	unknown
Preview:	........5$..e.`...h.h...i.p...j.\|...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.+.....3.....8.....@.....H.....P.....W.....^.....e.....f.....g.....i.....\|.......................O...........G.....b...........D.................0........... .....:.................Y.....t.........../.....^.....n...........0.....X.....i...........c.................W...................................I.....Z................f.....{...........o.................g...........+.....P.................8.....N.................".....1......................@.................?.....R.................;.....G.................%.....0.............................y...................................D.....^.................@.....].................5.....T...........;.....`.....s...........h.................M.......................A.......................W.............................&.................)...................................A.....U................. .....3.................D.

C:\Users\user\AppData\Roaming\GamePall\locales\et.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	475733
Entropy (8bit):	5.456553040437113
Encrypted:	false
SSDEEP:
MD5:	C00D66D3FD4FD9D777949E2F115F11FB
SHA1:	A8EAAD96CABCDFB7987AF56CB53FA5E16143EC48
SHA-256:	26C438935E3F666329EE8D1DABA66B39179BCF26EBAC902F9B957A784BDC9B4A
SHA-512:	E7E8C083B556DD05874AC669B58A4D1CD05D1E1B771EB4C32942869E387C6FA2B317B5F489138BD90135117DAEB051D96A7823B531DF0303BD4245A036F25A20
Malicious:	false
Reputation:	unknown
Preview:	........@$y.e.v...h.~...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.#...z.2...\|.8...}.J.....R.....W....._.....g.....o.....v.....}.....................................................S...........J.....e...........4.....d.....w...........Y.......................u.......................m.......................\.......................[.........................................7.......................;.......................K.......................x...........;.....R.................9.....T................. .....,.............................w...........#......................./.....=.................'...../.................".....1.................$.....,.................O.....g.................4.....J.................,.....O.................4.....A.................=.....i.................&.....7.................#.....;.................?.....Z...........U.................C...................................@.....M...........................................

C:\Users\user\AppData\Roaming\GamePall\locales\fa.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	773397
Entropy (8bit):	5.04618630633187
Encrypted:	false
SSDEEP:
MD5:	C998140F7970B81117B073A87430A748
SHA1:	8A6662C3AABDAC68083A4D00862205689008110C
SHA-256:	182F18E4EFCA13CA59AFD1DF2A49B09733449D42526EE4700B11A9C5E6AAC357
SHA-512:	5A947A44F674F9556FDD44D2E4FF8CF0E0AAC4475FFA12480CA1BD07CFE7514961B7CACE6760189432B4B4BEB5EA5816701158EB3CB827A806F3063853C46D5E
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.#...s.4...t.=...v.R...w._...y.e...z.t...\|.z...}...............................................................................-.....T.....9.......................^...........u..........._.............................H.................a...........S.....f...................................?.................j..........._.............................'...........f.......................I.......................v.............................Q.....u...........}.................S...........).....@...........x.................m...........M.....d...........p.................H.................:...........`.................`...........l...............................................s...........C...........0.....P.......................;...........1 ....V ....q ....+!.....!....'"....I"....."....\|#.....#.....#.....$.....%.....&.....&....j'.....(....l(.....(....W).....)....M....p.....*....n+.....+.....+....d,.....-....P-....x-

C:\Users\user\AppData\Roaming\GamePall\locales\fi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	483378
Entropy (8bit):	5.428549632880935
Encrypted:	false
SSDEEP:
MD5:	1CFD31A6B740D95E4D5D53432743EBF1
SHA1:	20CEEEA204150BD2F7AAE5866C09A3B0AE72D4C5
SHA-256:	F821E06B4BACD9E7660A2D6912A049591FFD56C6D2A0A29B914648589B17B615
SHA-512:	C483B7347F91BE8EE515DCF352A1D7502B9A159EDE35EACCEBAA763B93A625BCE2D0C7D598C2A6111092257D6DAC7A167102E956697210D4694B9812D70C8A94
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.%...v.:...w.G...y.M...z.\...\|.b...}.t.....\|.....................................................................................................^.....q...........7.....j.....}...........Z.......................~.......................s.......................D.....d.....t........... .....F.....`...........C.......................Q.....}.................S.......................T.........................................E.............................k......................./.....P.....\.................).....3.............................p.......................L.......................0.......................%.......................B.............................g.......................e.......................d.......................M.....d.....s...........*.....T.....f...........".....[.....u...........x.................I.......................Y.......................4.....v.......................S.....~.

C:\Users\user\AppData\Roaming\GamePall\locales\fil.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	546749
Entropy (8bit):	5.197094281578282
Encrypted:	false
SSDEEP:
MD5:	6EDA0CD3C7D513AAB9856EC504C7D16F
SHA1:	BA24C4B994E7866F2C012CCEC6C22DFC1A4FCFF6
SHA-256:	3CD2BC9E887663C5E093E0334BC60CF684655A815E3DE7AD9A34BAD5EBB858B1
SHA-512:	47000F5EA882CB9EDDCF4FB42ED229423EE55AA18B4A4353D7EF85ADFA7E1B0BBB33C2469887224D7146B3E33FB2296749CD053D68D7DAF26980BC710A27C63E
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.@...h.H...i.^...j.j...k.y...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......!.....&...........6.....>.....E.....L.....S.....T.....U.....Z.....g.....\|.................K...........:.....X...........O.................Q...........>.....e...........Z.......................~.................%.......................h.................H...........^.................M.................!.................H.....b...........].................V...........B.....d...........#.....N.....k.................A.....N.................,.....;.................S.....i...........5.....k.....z...........=.....o.....}...........>.....o.....}...........@.....r...................................R.......................L.......................<.......................e.................U.................F.....`...........>.....q.........................................%.................4.................4.................J.....b.................B.....X...........N.......

C:\Users\user\AppData\Roaming\GamePall\locales\fr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	568277
Entropy (8bit):	5.380723339968972
Encrypted:	false
SSDEEP:
MD5:	D185162DF4CAC9DCE7D70926099D1CF1
SHA1:	46594ADB3FC06A090675CA48FFA943E299874BBD
SHA-256:	E40C07183A32B75930242F166C5AAE28F4CD769BB2268391BEAA241814E7D45A
SHA-512:	987D9CC6AD5F2ED6A87537FDADF105F6EB31A97B11156E70814FE021047E5D8D08398F008812038DF3CCDCB6254BF5B744D9982FE04F79D407AC2F53BB046E25
Malicious:	false
Reputation:	unknown
Preview:	.........$..e. ...h.(...i.9...j.E...k.T...l._...n.g...o.l...p.y...q.....r.....s.....t.....v.....w.....y.....z.....\|.....}..................................... .....'.........../.....0.....2.....B.....P.....b.....q.................6.....X...........?.................'.................(.................W.................4.....`.....p...........D.........................................{...........(.....L...........*.....i.....{...........S.........................................}...........i.................N.......................H.....r.................N.......................f.......................}.......................x.......................e.......................d.................+.................&.......................8.....~.......................k.................0...........;.......................f.........................................d.................6...........4................."...................................R.....k.................G.....[...........G.......

C:\Users\user\AppData\Roaming\GamePall\locales\gu.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1103776
Entropy (8bit):	4.336526106451521
Encrypted:	false
SSDEEP:
MD5:	44F704DB17F0203FA5195DC4572C946C
SHA1:	205CBCC20ADCCCF40E80AA53272FBA8CD07389CA
SHA-256:	4B073F08F0C8C035974B5EC43AA500F8BDD50E6CFE91A2FB972A39E0F15ECEDD
SHA-512:	3CFD4501556845141EE9B461C831CA59779AD99F0E83E8D03433DE78D774378E87DE752DD9711C112A0C584259AD1DA6DC891D92F3F447F63A4D84263CD5BFCE
Malicious:	false
Reputation:	unknown
Preview:	........4$..e.^...h.f...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.#...\|.)...}.;.....C.....H.....P.....X.....`.....g.....n.....u.....v.....w.....\|.......................&.....b....._.....0.....l....._..... ...............................................a.......................G.................r...........\.....\|....._...........z.......................V...........n.....B...................................7.....4...../.......................".......................4.....p...........P...........E.....m.......................................................................'...........}.......................C.................j .....!....u!.....!.....".....#....\$.....$....K%.....%....R&....{&.....'.....'.....'.....'.....(....b).....).....*....'+.....+....t,.....,.....-....9.....\|............/....W0.....0.....0.....1.....2....33....f3.....4.....5.....6.....6.....7.....8....<9.....9....\|:....H;.....;.....;.....<....s=.....=.....=.....?.....?.....@

C:\Users\user\AppData\Roaming\GamePall\locales\he.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	681555
Entropy (8bit):	4.658620623200349
Encrypted:	false
SSDEEP:
MD5:	E75086A24ECAA25CD18D547AB041C65A
SHA1:	C88CE46E6321E4A21032308DFD72C272FB267DBD
SHA-256:	55BE8A5ED9FB9C129AC45B7FC99574B9907350AFD024BAA5D07525F43E995F6B
SHA-512:	01D7FDD90B8D0D3779B8442250E2AA767481B2E581F880BF9C3DCBB15FCE52E477B1881F3704FBCB3172DB77DB10241BCB24851BFE30066D1E9B66244B3C6877
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i.....j.'...k.6...l.A...n.I...o.N...p.[...q.a...r.m...s.~...t.....v.....w.....y.....z.....\|.....}.........................................................................+.....D.....].....z.....?...........~...........).............................O.................T...........#.....E...........:.......................w.................W................./...........F.................V...........5.....T...........K.................3.............................o...................................E.........../.....a.....t.............................z...........,.....?...........5.....v.................q.................5.......................r.................1...........X.................I.......................y.................$.................k...........).................!.......................#.................7.....P...........e.......................e.............................w...........W ..... ....$!....K!.....!....7"....g"....."....@#.....#....-$

C:\Users\user\AppData\Roaming\GamePall\locales\hi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1167065
Entropy (8bit):	4.308980564019689
Encrypted:	false
SSDEEP:
MD5:	1FF8A0B82218A956D2701A5E4BFA84EF
SHA1:	56BB8218963E14ADCC435F2455891F3A0453D053
SHA-256:	62E7C3ABC317931723BE11ADD3712DD15EAAB0A35A4D8E7DB0B6347104EC5733
SHA-512:	3330D983401953AA5ED4856A8D10FFCBEEFC2A4E594CF850566A0AD38837BC1164870BB1270B6BBE5D7DD6FB1ECA29CDE85869A5C51808B901CDC282E04764E4
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.%...n.-...o.2...p.?...q.E...r.Q...s.b...t.k...v.....w.....y.....z.....\|.....}...............................................................................?.....j.............................................../.....j.........................................N.....}.....P...........^...........F...........A.....d.....K...........N.............................L.....&...........V...........f...................................L.....~.................{.................A.................y..........}...........;........................................[.................,.....K...................................j ..... ..... .....!....J".....".....".....#.....$....T%.....%....@&.....&....8'....d'.....'.....(.....(.....(.....)....6..........*.....+.....,.....-....c-......................%/.....0.....0.....1.....1.....2....i3.....4....B4.....5.....6.....7.....7.....9.....9....S:.....:.....;.....<....F=.....=.....>....N?.....?.....@.....@.....A....LB

C:\Users\user\AppData\Roaming\GamePall\locales\hr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	526575
Entropy (8bit):	5.518614920030561
Encrypted:	false
SSDEEP:
MD5:	0BD2F9847C151F9A6FC0D59A0074770C
SHA1:	EA5313A194E9D99489E9F1D7B4DFC0BC986C8E17
SHA-256:	5F2F1AA2E2EC78F375084A9C35275E84692EE68A1E87BBEF5A12A2C0FCF7F37A
SHA-512:	0032C0B41FDF769DAA1AF23C443D4195B127DF9EA8621174F1AABDBAFAE4954383095FA1EEAD14FC458188B8837BBE9AECA0D5338E4D47F10D976FBED8609496
Malicious:	false
Reputation:	unknown
Preview:	........F$s.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.)...y./...z.>...\|.D...}.V.....^.....c.....k.....s.....{.................................................................k...........Y.....z...........F.....~...................................e.......................y.......................m.......................l................. .................q................._.........................................A.............................4.......................j.......................D.....f.....w.................*.....:.................4.....I.................&.....5.................8.....M................. .....0.........................................S.....n.................0.....M.......................3....................... .................E.....v...........!.....F.....\...........).....[.....t...........U.................M...........(.....:...........".....`.................G.....v.................$.....B.....T...........0.....n.

C:\Users\user\AppData\Roaming\GamePall\locales\hu.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	566819
Entropy (8bit):	5.6387082185760935
Encrypted:	false
SSDEEP:
MD5:	4C27A1C79AB9A058C0A7DFFD22134AFD
SHA1:	5F0A1B34E808B91ADB1E431E462D9FCF82F4FFF2
SHA-256:	AD98C0A367B51EB217E69D66FA6A946946E85EC8452FC5A7AE0F179F35BE28C3
SHA-512:	0F066DB5905EB24B6CB4FBC7C81F017B43AFB7A6E975886644D871E979406B990509905D100653496EE2D20969A77434B702FF1EA5D348274AE54EA597A91D5E
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i.!...j.+...k.:...l.E...n.M...o.R...p._...q.e...r.q...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................+.....A.....V.....j.................9.....W...........N.............................................".....X.....q...........K.....r.................Y.................?................."...........I.................7.......................k...........'.....7...........:................./.................:.................Z.....w...........O.....v.................f.................5.................(...........2.....u...................................M.................0...........6.....x...................................m.................)................. .....I.................O.....g...........c.................O.......................E.......................r...........'.....H...........v.............................l...........7.........................................5...........& ....q

C:\Users\user\AppData\Roaming\GamePall\locales\id.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	466959
Entropy (8bit):	5.379636778781472
Encrypted:	false
SSDEEP:
MD5:	1466C484179769A2263542E943742E59
SHA1:	18E45A08661FD6D34BADE01CDB1E1D5184BA2B67
SHA-256:	C331293D16B16B08DEF73BE73437845D58C593941320C547A377DB423749AEBB
SHA-512:	ABC54D5CAAA663578F064E43CC0465BEB97EFC46991936708EBF3FCD64BD007E47072AB4834A5361B21F064BB0F6527E247BC2C2F0DFB8336F50C2FF3E15A59C
Malicious:	false
Reputation:	unknown
Preview:	........ $..e.6...h.>...i.O...j.[...k.j...l.u...n.}...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................'...../.....6.....=.....D.....E.....F.....H.....V.....c.....s.................k................. .....l.......................l.................-.......................0.............................R.....s.................I.....x.................T.......................@.....j.....w.................L.....Y.................Z.....m...........H.......................%.....@.....Q.............................c.......................<.......................#.....t.......................L.....x.................%.....R.....^.................>.....K.................5.....G.............................J.......................".....h.......................L.....}.................#.....=.....K.................+.....:.................2.....K...........C.......................u.................,.....\|.......................C.....b.....r...........1.....h.

C:\Users\user\AppData\Roaming\GamePall\locales\it.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	522800
Entropy (8bit):	5.284113957149261
Encrypted:	false
SSDEEP:
MD5:	7767A70358D0AE6D408FF979DF9B2CD4
SHA1:	9C57A5B068DC12AAF1591778DEF5D3696377EDAB
SHA-256:	672908E77E9EACA793654C8E630442099DE3BE772FD3230A9C4045CAFBCC0B1E
SHA-512:	913AA8C49D04CD84706D08A88453D1ED36FDE6A00F7C1DF63DECEA99316A8A234924457C0C50937329B3979E437B1C2D7796E63ADF209505E212FDCEAE3BFDB5
Malicious:	false
Reputation:	unknown
Preview:	........-$..e.P...h.X...i.i...j.u...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.$.....,.....1.....9.....A.....I.....P.....W.....^....._.....`.....b.....u.......................E...........3.....O.................V.....g..........._.................o...........#.....L.............................k.......................n.................2..................................w.................5.......................R...................................c................./.....[.....y.................=.....K.............................x..............................................`.......................4.............................^.........................................B.............................F.....\.....r........... .....L.....a...........=.......................b.......................8.....c.....v...........[.................c...........S.....j...........d.................[.................).....v.......................X.............

C:\Users\user\AppData\Roaming\GamePall\locales\ja.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	634636
Entropy (8bit):	5.718480148171718
Encrypted:	false
SSDEEP:
MD5:	4A4AF69546DCF65F2D722A574E221BEA
SHA1:	EE51613F111CF5B06F5605B629952EFFE0350870
SHA-256:	7AD195AF107F2A394BAB527C3E84E08F3B7748076F23459F084CF0E05DD29655
SHA-512:	0E93F6B22F7C9176EFC9D49901BFBD281FA5AC3632780DFA76CE597CADD8C1CF570A9163A86BC320BBFBD354F48288DBEC5E36A6088999B00A3561D302A96D03
Malicious:	false
Reputation:	unknown
Preview:	........n#K.e.....h.....i.....j.....k.....l.....m.....o.%...p.2...q.8...v.D...w.Q...y.W...z.f...\|.l...}.~...............................................................................................6.....W...........}.................l........... .....8...........c.......................B.................W.......................x...................................7.....V...........e.................=.......................].......................{...........#.....2...........y.................`...................................<.....W...........j.................y...........e...................................h...........(.....:...........%.....a.....p...........{.................}...........m..................................._...................................Z.....x.............................o...................................:.....U................d.....z....."................?...........X.................`.................@.................g............ ..... ..... .....

C:\Users\user\AppData\Roaming\GamePall\locales\kn.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1256908
Entropy (8bit):	4.247594585839553
Encrypted:	false
SSDEEP:
MD5:	6A41A5AB03A22BDAEC7985B9A75EC11A
SHA1:	6BB02DF557BD6522E02FE026C0243BEB9332B2E5
SHA-256:	E22873652AC7D9D18E47DAE838D121B5644EDA4C67F7B0BC110733BF7E931FEA
SHA-512:	BCA661D802D29463A847AC77EB8D5DFA41C31455E7314049CA26555957DCA3BE33701C074F7ED26D2C375A0A9C5F8A93461007B8D74F5ED3BD27C02E5DB170A5
Malicious:	false
Reputation:	unknown
Preview:	........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...\|.V...}.h.....p.....u.....}.................................................................W...........".....V.....W...................................n...........b............................._.......................<.....)...........s.......................).............................1.....7...................................[......................................................................u...........f...........K.....^........................ ..... .....!..../"....i"....=#.....#....r$.....$....I%.....%....l&.....&....p'....((.....(.....(.....)....N...............,.....-.....-................./.....0....W0.....0....z1.....1.....1.....2....Y3.....3.....4....@5.....6.....6.....7.....8.....8.....9....V9.....:....R;.....;....1<.....=....B>.....?....]?.....@....DB....BC....wC.....D.....E.....F....$G....\H....AI.....I....4J.....K.....K.....L....PL.....M....lN.....O

C:\Users\user\AppData\Roaming\GamePall\locales\ko.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	532715
Entropy (8bit):	6.0824169765918725
Encrypted:	false
SSDEEP:
MD5:	5FD9942F57FFC499481947DB0C3FDFA7
SHA1:	4D60AB21305902877467FF6151C1B7AB12553AAE
SHA-256:	09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
SHA-512:	97953E580588C07769F1BD0002E2DF648FFCE5B246D2359E4475EDCFA1CD6E7286BAF168A115D7A65686B2151C313B6FD0C271E40B1F9DD4132F2F39904FE8D4
Malicious:	false
Reputation:	unknown
Preview:	........O#j.e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....r.....s.....t.....y.#...z.2...\|.8...}.J.....R.....W....._.....j.....r.................................................................].................5.................O.....b...........F.......................p.................'.......................,.......................;.......................L.......................e.......................Y.......................X...................................Q.....h.................>.....U................. .....0.........................................-.....I.................A.....Q.................L....._.................K.....[.................J.....Z...........O.......................Z.....{.................U.....}.................`.................%.......................J.............................h.......................\.................+.......................m.........................................'.............................x.........................

C:\Users\user\AppData\Roaming\GamePall\locales\lt.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	573015
Entropy (8bit):	5.63016577624216
Encrypted:	false
SSDEEP:
MD5:	8745B87D09D9ECC1112C60F5DD934034
SHA1:	2F411E4EEF0E656CAC0C755FECE1AD2531CB689E
SHA-256:	D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
SHA-512:	27B658C153A01AABB9595C5B1059567E535EDFC8F8187B89316D2C85694DE32696D209CFDD2A32C4826DFB1E50AC692937156563EE190E68DB358C40F9AAE15F
Malicious:	false
Reputation:	unknown
Preview:	........+$..e.L...h.T...i.e...j.q...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}. .....(.....-.....5.....=.....E.....L.....S.....Z.....[.....\.....^.....l.....y.................4...........".....=...........S.................M...........'.....A...........8.....p...................................A...................................B.....g...........z.................R...................................;.....K...........c.................T...........2.....P...........2.....Y.....t...........W.........................................E...................................D.....S...........Q.........................................S.............................B.................&.......................t...........1.....Y...........K.................+.........................................'...........N.................A.................,...........q.................d...........&.....F...........x.................(.......................H ..... .....!

C:\Users\user\AppData\Roaming\GamePall\locales\lv.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	570683
Entropy (8bit):	5.624052036286866
Encrypted:	false
SSDEEP:
MD5:	E16B0B814074ACBD3A72AF677AC7BE84
SHA1:	10744490B3E40BEB939B3FDCA411075A85A34794
SHA-256:	46B5C09AA744AF0F660C79B0CDBDE8C8DBDD40A0BA1A23AAF28D37ECC4211DC5
SHA-512:	70EA9DFAC667C0992AE0E95815A47EB8E779BAAE1215E733AFE84EEE26D3BA754AD838C12E9AEE3114D7BBE11CD21B31C550F5CAFE6C5E838B69E54C6174EF18
Malicious:	false
Reputation:	unknown
Preview:	........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...\|.V...}.h.....p.....u.....}...................................................................................Z.................G.................%...........Z.................F.................6.................Q.....\...........Q.........................................\|.....#.....t...................................W.................0...........T.................B...........8.....Y...........$.....J.....`...........-.....V.....h...........;.....b.....v.............................G.......................r.........../.....>...........'.....Z.....k...........c.................@...........3.....K.................).....>...........=.....t.................c.................(.................2.......................8...........<.....q.........................................:.................8...................................N.....^...........0.....K.....m............ .....

C:\Users\user\AppData\Roaming\GamePall\locales\ml.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1307271
Entropy (8bit):	4.279854356980692
Encrypted:	false
SSDEEP:
MD5:	309E068B4E15157486D095301370B234
SHA1:	D962CDAF9361767045A928966F4323EAD22D9B37
SHA-256:	4F2C19B7E94B695C5C5CAB95DEE6E49AE53C3337C351B5C665BCB6BA4E6AE909
SHA-512:	6B1333946C7950D97D2DF29D063DB39A0EC5C0EEAA1ECA40743E4A6A0E4C972D897D3FF2BA837B53E31B8003F2C5C4BACCB7A4AB4B50C6CB47DF39AD7B8E05E7
Malicious:	false
Reputation:	unknown
Preview:	........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.,...w.9...y.?...z.N...\|.T...}.f.....n.....s.....{...........................................................$.....d.................Z.....C.......................W...........%.....r.....a.......................}.................n...........................................................I.................m.......................l.......................5.....y.............................^.............................j.......................\|............ ..... .....!.....!....".....#.....#....V$.....$....n%.....&.....&.....&.....'....n(.....(.....)..........*....W+.....+....c,....+-.....-.....-...........0.....0.....1.....1.....2....!3....Y3.....4.....4.....5....T5....06.....6.....7.....7.....9.....9.....:.....;.....;.....<.....=....Z=....\|>....s?.....@....T@.....A....UB.....C....SC.....D.....E....yF.....F.....G.....H.....I.....I....-K....(L.....L.....M.....N.....N....eO.....O.....P.....Q.....R

C:\Users\user\AppData\Roaming\GamePall\locales\mr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1075591
Entropy (8bit):	4.313573412022857
Encrypted:	false
SSDEEP:
MD5:	69C36C23D6D9841F4362FF3A0F86CFDF
SHA1:	C4C1F632EB8373107AEEBD6C26ECF036AEDA2B6B
SHA-256:	6A794C2B08F8B046BE771DF33719536BDAF2371E3825D49A0E556958B781832D
SHA-512:	8C1329BDB371677BC0A9D727A38591EDF32025BAE1E7EFE402D01C6A8BB5F647D827C59A18F40455D5C9C0482798525C98C3F1C8AC568AA886D7C1ED07D1580E
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i."...j.....k.=...l.H...n.P...o.U...p.b...q.h...r.t...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................@.....b.................%.....]...........W.................J.............................:.....@.....=...................................&.................&.....F.....P.......................h...........o...............................................c...................................R..........._.................i...............................................J.................. .....!.....!....(".....#.....#....O$....{$....B%.....&....c&.....&....F'.....(...._(.....(....R).........y.....*.....+.....-.....-................./...../...../.....0....61....l1.....1....Z2.... 3.....3.....3.....4.....5.....6.....6.....7.....8.....9....E9....u:....n;.....;....@<.....=....O>.....?....5?.....@.....A.....B.....B....MD....WE.....E....eF....nG....LH.....H.....H.....I.....J.....J.....K....5L....)M.....M

C:\Users\user\AppData\Roaming\GamePall\locales\ms.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	489457
Entropy (8bit):	5.250540323172458
Encrypted:	false
SSDEEP:
MD5:	A1253E64F8910162B15B56883798E3C0
SHA1:	68D402D94D2145704DC3760914BF616CC71FC65D
SHA-256:	E033BFAD6CD73EA7B001DFAF44B7102E3BBE2A1C418F005C149E4FB2565DB19F
SHA-512:	ABD63713093049ECC8E24FD8145EAE065340058A3C38758A59EE8796FBED7E6CFBC54982D650889F1CEB54797060C7DDA12EEE2A963B14C5E907A110C2057DBE
Malicious:	false
Reputation:	unknown
Preview:	........T$e.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v./...w.<...y.B...z.Q...\|.W...}.i.....q.....v.....~........................................................................................._.....{...........:.....n.....~...........\.................#.......................=.......................1.......................3.......................Y.................*.....z.......................W.......................E.......................b.........../.....A.............................N.......................$.....x.......................r.......................z.......................p.......................^.......................Q.......................r.................!.....s.......................S.....w.................6....._.....p.................T.....w.......................#.......................$.................2.....K...........B.......................s.................,.............................P.....r.................0.....].

C:\Users\user\AppData\Roaming\GamePall\locales\nb.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	476208
Entropy (8bit):	5.4272499712806965
Encrypted:	false
SSDEEP:
MD5:	622ED80836E0EF3F949ED8A379CBE6DF
SHA1:	9A94CD80E747B88582470EF49B7337B9E5DE6C28
SHA-256:	560B2F09C1B6E6BB7E6A5A5F9BF85A88BD2ACA054B7D4A5955D9C91B6D7CA67C
SHA-512:	950627E74180E1451BB35AE4A7416AC14D42D67BBBB59DC51D7B69E4CEB61715F8F9B0EB9D7F35FCEFD4D43FABE5CE2103F1AF3709CAE6733C25AC19E6339A83
Malicious:	false
Reputation:	unknown
Preview:	........2$..e.Z...h.b...i.y...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.....}.......................N...........A.....V.................X.....k...........z.................K.......................L.......................:.......................;.......................g................./...........<.........................................R.................1...........Q.......................\.....u.................1.....V.....f.................9.....I.................H.....\.................J.....Z...........".....T.....d.................@.....P.................<.....J...........4.....y.................B.....h.....{...........&.....E.....^.................-.....?...........,.....k.................V.....\|.................b.......................i.................&.......................s...........9.....b...........*.....V.....i.................".....0.................).

C:\Users\user\AppData\Roaming\GamePall\locales\nl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	491139
Entropy (8bit):	5.362822162782947
Encrypted:	false
SSDEEP:
MD5:	C8378A81039DB6943F97286CC8C629F1
SHA1:	758D9AB331C394709F097361612C6D44BDE4E8FE
SHA-256:	318FB294CE025BDA7636B062CA7B6A1FB1E30C485D01856159CB5DB928782818
SHA-512:	6687FFE4DE0D5A2314743EB3134096292724163D4E0332D2F47922B4807B0CDE7C20E2D57D2662E403D801BC7A20BC247F5D0EDD787AB650E5766B49AF7D3C63
Malicious:	false
Reputation:	unknown
Preview:	.........$..e....h.2...i.C...j.O...k.^...l.i...n.q...o.v...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................#..........1.....8.....9.....:.....<.....H.....X.....i.....{.............................X.......................\|...........4.....J.................M.....d.................8.....G.......................).................8.....Y...........1.....h.................F.....{.................U.........................................\.................4.............................Y.......................-.....~.......................}.......................v.......................V.......................5.....a.....n...........*.....^.....m...........I.......................X.......................>....._.....v...........,.....T.....f...........8.....o.................=.....[.....o...........3.....e.....v...........H.....................................................E.....j...........5.....f.....{.................B.....R.................B.

C:\Users\user\AppData\Roaming\GamePall\locales\pl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	550453
Entropy (8bit):	5.757462673735937
Encrypted:	false
SSDEEP:
MD5:	80C5893068C1D6CE9AEF23525ECAD83C
SHA1:	A2A7ADEE70503771483A2500786BF0D707B3DF6B
SHA-256:	0069648995532EFD5E8D01CC6F7DD75BD6D072E86C3AE06791088A1A9B6DACC4
SHA-512:	3D1C41A851E1CF7247539B196AD7D8EE909B4F47C3CFB5BA5166D82CDA1C38049B81A109C23FA6D887490E42EE587CC2A6BD96A3EA890267C089AC74710C755F
Malicious:	false
Reputation:	unknown
Preview:	........6$..e.b...h.j...i.{...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.............................X...........S.....o...........=.....w...................................i...............................................z.................$.................1.....W...........M.................*.......................@.......................l...........0.....L...........].................9.....v.......................E.....h.....x.................,.....:.................<.....P.................>.....P.................6.....F.......................-.........................................e.....}.................4.....K.......................;.................+.....@.................a.................+.....I.....`.................9.....U...........2.....}...................................w...........'.....R.................9.....J.............................v.............

C:\Users\user\AppData\Roaming\GamePall\locales\pt-BR.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	516256
Entropy (8bit):	5.426294949123783
Encrypted:	false
SSDEEP:
MD5:	3BA426E91C34E1C33F13912974835F7D
SHA1:	467A1B05BAD23252A08EE22E6B9EBB4404F6A0F0
SHA-256:	CB66D88D3B3938FE1E42C50ECB85CEDB0D57E0F0AB2FA2A5FC0E4CDEA640E2B7
SHA-512:	824A4301DC4D935FF34CE88FAA0354440FC1A3A8E79B0F4B0B2DCC8F12542ECEF65828FB930EDF5B35BF16863296BBAE39E9306962B4D3CFA9F6495AC05BDEF4
Malicious:	false
Reputation:	unknown
Preview:	........9$..e.h...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.$...\|.*...}.<.....D.....I.....Q.....Y.....a.....h.....o.....v.....w.....x.....}.............................d...........L.....h.........../.....h.....x.............................w.................(.....y.......................^...................................:.....j..........._.................:......................._...................................K.....d...........p.................5.............................q.......................n.......................w.......................p.......................O.....}.................).....W.....a.................V.....g...........b................. .....j.......................;.....a.................=.....U...........N.................2.....W.....p...........8.....p.................S.................@.................0...........1.....{.................X.......................0.....V.....k...........C...................

C:\Users\user\AppData\Roaming\GamePall\locales\pt-PT.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	518861
Entropy (8bit):	5.4029194034596575
Encrypted:	false
SSDEEP:
MD5:	4D7D724BE592BD0280ED28388EAA8D43
SHA1:	8E3C46B77639EB480A90AD27383FBB14C4176960
SHA-256:	4724D82866C0A693C2B02D1FFA67D880B59CDB0D3334317B34EC0C91C3D3E2A2
SHA-512:	D05388F66C50E039F7D3393515740F6B2593F9C0EF8651F9CDE910C5FF06656E0D22FDB066B22665289EE495837EA16CC085ECB3F85B0F6FB498AECDAA19ADF7
Malicious:	false
Reputation:	unknown
Preview:	........I$p.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v."...w./...y.5...z.D...\|.J...}.\.....d.....i.....q.....y.......................................................................u...........Z.....u...........@.................).................$.................S.....w.................D.....T.................(.....:...........(.....j.................x.................H.......................g...................................9.....N...........D.......................p.......................^.......................a.......................q.......................r.......................U.............................[.....e.................P.....a...........?.......................O.....y.............................?.................0.....J...........#.....p.................9.....c.....u...........#.....Y.....n.........../.....}...............................................G.....k...........N.......................B.....g.....\|...........J.......

C:\Users\user\AppData\Roaming\GamePall\locales\ro.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	537125
Entropy (8bit):	5.4566742297332596
Encrypted:	false
SSDEEP:
MD5:	4F1C0A8632218F6FEF6BAB0917BEB84F
SHA1:	05E497C8525CB1ADE6A0DAEFE09370EC45176E35
SHA-256:	9C19835F237B1427000D72C93703311CFCBEFF6C2B709474B16DB93E629BC928
SHA-512:	A7CDF94F79CD888BB81FD167F6B09BF1BEF2C749218869E5A12A0A3B2C2506D1A63F64B63D8E48EA49375636041C639082563BF9D526FE44003FC5A5E8D50E9D
Malicious:	false
Reputation:	unknown
Preview:	........0$..e.V...h.^...i.o...j.y...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.(.....0.....5.....=.....E.....M.....T.....[.....b.....c.....d.....f.....u.......................3.................+.................%.....9...........@.................1.......................Q.......................4.......................C...................................>.....b...........@.......................d.........................................p...........@.....n.................+.....H.............................h.......................M.......................J.......................7.............................].......................E.....t...................................?.............................W.....w.................\.................).......................f.......................W.........................................'...........$.....y...................................f.......................j.......................l...........+.

C:\Users\user\AppData\Roaming\GamePall\locales\ru.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	878725
Entropy (8bit):	4.848685093578222
Encrypted:	false
SSDEEP:
MD5:	3A3D0D865A78399306924D3ED058274E
SHA1:	AA1A42DB6021666B2297A65094D29978792CE29B
SHA-256:	EAB4C32FEBE084CC7A3A272CDA008B69D6617ED6D042376B0316BE185B9E66FE
SHA-512:	ACA8C87D0B2BB35A325726F7774F8A0232B99C8EFE0F948AB68210958E23B95E9D9026A9430D96FC2D5CEBA94815F4217896EF877C9A6E1D0E56F73533FB1D12
Malicious:	false
Reputation:	unknown
Preview:	.........#/.e.....h.....i.#...j./...k.>...l.I...n.Q...o.V...p.c...q.i...r.u...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................9.....V.....n...........V.......................g...........i...........l.....).................g...........,.....f.......................@.................6.....M......................./....."...........l..........._...........D.....y..... .................&.......................5.....9.....3.............................B.................r.................D...................................=.....b.........................................E.....\...........Y.................'...................................D.....n...........j.................9.......................a...........i...........v...........t...........a........................ ....,!....l!.....!....j"....."....R#....\|#....O$.....%.....%.....%.....&....x'.....(....Q(.....(....z).....).....)....]..........+....$+.....+.....,.....-

C:\Users\user\AppData\Roaming\GamePall\locales\sk.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	553886
Entropy (8bit):	5.812150703289796
Encrypted:	false
SSDEEP:
MD5:	A9656846F66A36BB399B65F7B702B47D
SHA1:	4B2D6B391C7C2B376534C0AF9AA6779755B4B74E
SHA-256:	02B65F48375911C821786D91698E31D908A4C0F5F4F1460DE29980A71124480E
SHA-512:	7E23CAA89FF80BF799AC5353CEAF344CBED0393F23D15FCBE8DC24EE55757F417CEA3BFC30889FD2CB41951F9FA5629C2E64B46DD9617D4A85EFEF0A255246F6
Malicious:	false
Reputation:	unknown
Preview:	........5$..e.`...h.h...i.\|...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.%...}.7.....?.....D.....L.....T.....\.....c.....j.....q.....r.....s.....u.............................h...............................................[.........../.....I.................S.....j...........9.....h.....{...........4.....].....q...........J.................?.............................%.....`.....y...........\................./.............................%.....v.................G.....g.....\|...........=.....c.....u...........6.....].....o...........O.........................................".......................3.......................R.............................-.....x.................0.....K....._.................0.....E.................G.....W...........T.................).....w.................-.......................M.............................O.................J.........................................'.........................................E.

C:\Users\user\AppData\Roaming\GamePall\locales\sl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	532410
Entropy (8bit):	5.486224954097277
Encrypted:	false
SSDEEP:
MD5:	BE49BB186EF62F55E27FF6B5FD5933F4
SHA1:	84CFD05C52A09B4E6FA62ADCAF71585538CF688E
SHA-256:	833F2E1B13381AA874E90B747931945B1637E53F2396A7409CCDA0A19CBE7A84
SHA-512:	1808631559D3C28589D3F5A4B95554CEBC342DE3D71B05DDC213F34851BF802967BFFAC3D7668C487265EE245D1E26EFCE5D317EDBFBBEEB4BC2C9F122980585
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.6...i.G...j.Q...k.`...l.k...n.s...o.x...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................%.....,.....3.....:.....;.....<.....>.....P.....^.....n...................................y.................&...........2.....}.................h.......................g.......................Z.......................v.................O...................................3.....I.................T.....h...........b.................S...........$.....J.......................(.............................n.......................z...........$.....8.................2.....C...........).....j.................;.....i.....\|...........?.....q.................[.......................g.......................L.....j.................G.......................~.................I.......................B.......................b.............................^.............................o.........................................j.......................x.......

C:\Users\user\AppData\Roaming\GamePall\locales\sr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	818089
Entropy (8bit):	4.779985663253385
Encrypted:	false
SSDEEP:
MD5:	AFA2DFBA3BD71FE0307BFFB647CDCD98
SHA1:	CD7A5C54246E891981AEEEAA88D39EC9E3F2C594
SHA-256:	1375353837629A20102C69BF62701EE5401BED84D3DC4845BED5EE43E4D322CF
SHA-512:	CE8BBBDDC33CB6B8DF4AEE127A8987E6D8C1D0761AC5BD25D685310BAA2D377F239BDF06F2C04B54295CF8FD440697A69A040644D5A7C0395C4F71A0252B8E87
Malicious:	false
Reputation:	unknown
Preview:	........=$\|.e.p...h.x...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.,...\|.2...}.D.....L.....Q.....Y.....a.....i.....p.....w.....~.........................................).................W...........O...........\...........z.....E...................................3...........b.................a.................5.......................1.....1...........v...........\|...........{...........`...........Y.....~.....d...................................S........... .......................{...........(.....K...........H.................c...........d...........3.................)...........B.................D.................(...........W.......................E.................~...........'.....O...........^.................~ .....!....]!....z!....J"....."....=#.....#....0$.....$.....$.....%.....%....P&.....&.....&.....'....1(.....(.....(.....).....*....5+....S+....A,.....,....Z-.....-....^...........=/....^/...../....Y0.....0.....0.....1....'2.....2

C:\Users\user\AppData\Roaming\GamePall\locales\sv.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	479512
Entropy (8bit):	5.541069475898216
Encrypted:	false
SSDEEP:
MD5:	09592A0D35100CD9707C278C9FFC7618
SHA1:	B23EEF11D7521721A7D6742202209E4FE0539566
SHA-256:	9C080A2F6D4EDF0E2E94F78550B9DB59ADF5B1B9166DE2BAE496E6ABB6733304
SHA-512:	E0760B3F227A3E7EAEB4816B8E02BEE51C62730D24403724D66B36BCCBC0BDCD56DF9EAB28B073AB727EE12C8856A858E52A9803E1A1C9164FCD3CF2F716D8AF
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i.....j.%...k.4...l.?...n.G...o.L...p.Y...q._...r.k...s.\|...t.....v.....w.....y.....z.....\|.....}.........................................................................#.....5.....I.....]...........b.................).......................e...........2.....K.................T.....p...........&.....U.....e...........%.....V.....f...........J.........................................O.......................Y..................................._.....u.............................n.......................J.......................'...............................................(.............................z.......................j.......................h.......................\|.................$.....w.......................M.....k.......................?.....Q...........).....f.................J.....i.................;.....c.....x...........1.....l...................................q.................?.................;.....N.............................p.............

C:\Users\user\AppData\Roaming\GamePall\locales\sw.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	504856
Entropy (8bit):	5.34516819438501
Encrypted:	false
SSDEEP:
MD5:	9E038A0D222055FED6F1883992DCA5A8
SHA1:	8FA17648492D7F093F89E8E98BF29C3725E3B4B5
SHA-256:	DDCA575D659545D80E715EB4176BBBBFBD3F75E24B223537B53740B0DCB282BD
SHA-512:	FB70F97E08191DFEB18E8F1A09A3AB61687E326265B1349AB2EFF5055F57E177A496BF0EA3592B61C71FE1F73C9143CA1495B05226F36EB481024827CAE6DCC4
Malicious:	false
Reputation:	unknown
Preview:	........4$..e.^...h.f...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....m.............................?.................$.................2.....D...........7.......................P.......................A.....l.....{...........&.....U.....c...........0.....d..................................._.......................m.......................n.............................*.......................J.....r.......................>.....G.........................................A.....O.................4.....F.................G.....R.................).....6.................).....2.................\.....u...........(.....T.....p...........2.....c.................D.......................l.................B.............................j.................+.......................j...........?.....S...........5.....x...................................P.......................r...........%.

C:\Users\user\AppData\Roaming\GamePall\locales\ta.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1298313
Entropy (8bit):	4.058495187693592
Encrypted:	false
SSDEEP:
MD5:	36104CB0D5E26E0BBB313E529C14F4B4
SHA1:	69A509DEE8419DA719DCF6DE78BFE0A6737508C5
SHA-256:	DC28C869A143424F71EDCFDB08B56DA31C2EC96E9D608535FFA7DC0B0842B7D8
SHA-512:	D46ED1AA19EB298BC4C3D61EFC28D80753D6B551F01808E6158A0869FAAE8755DF61D4B4BAFF1310DD09FCFC385ABA67E1AA7D61BBE399DF7BB2D483EBE0FEFF
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.(...h.0...i.A...j.M...k.\...l.g...n.o...o.t...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................!.....(...../.....6.....7.....8.....=.....k.................:...........5...........$.....v...........`...........(...........Z.................%.............................O...........j.....L.........................................m...........u...................................;.....c...........7.................................................................8 ..... ....m!....I".....".....".....#.....$.....%....9%....d&....n'.....(....L(....C)....4..........*.....+.....,....3-....a-....Z.....J/...../...../.....0.....1....Z2.....2.....3....:5.....6....Z6....U7....=8.....8.....8.....9.....:.....:....F;.....<.....=.....=.....>....E?....S@.....@....[A....3B.....B....IC.....C.....D.....E....[F.....F....+H....>I.....J....pJ....\L....FN.....O.....O....DQ....QR.....S....{S.....T.....V.....V....'W....+X.....Y.....Y.....Y.....[....9\.....\

C:\Users\user\AppData\Roaming\GamePall\locales\te.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1199612
Entropy (8bit):	4.314031920337284
Encrypted:	false
SSDEEP:
MD5:	98714389748A98ECC536CD2F17859BDF
SHA1:	07761AA31588F30C2CED4A1E31FE99DDC43A5E8D
SHA-256:	8A81B1A5457407E49D6372677938E7A2D28DFCA69F555FEDC8A2C9C09C333A65
SHA-512:	38CC4F064BD874EEC9DBFAB4C2A83A487FBCD89CEFB40BE4213C42231BC48AF9255341C9D325EE059BC50EE533898C5FA22CD3B3927A8E045049DEF3C5DFB2C6
Malicious:	false
Reputation:	unknown
Preview:	........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t. ...v.5...w.B...y.H...z.W...\|.]...}.o.....w.....\|.......................................................................X...........J...........\|...............................................f.........................................~.............................Y.............................A.............................d.....X.........../.....k.....b...........5...............................................'.......................L.....u ....:!.....!.....!.....".....#....$....k$.....%.....&....6'.....'.....(.....)........._*.....+....P,.....,.....-....'...........m/...../.....0.....1...."2....f2.....3.....4....R5.....5.....6....G7.....7.....7.....8....I9.....9.....9....{:....0;.....;....)<.....=.....>.....?.....?.....@....bA.....A.....B....JC....(D.....D.....D....DF.....F.....G.....G.....I....@K....qL.....L....4N....EO.....O....pP.....Q.....R....?S.....S.....T....^U.....U.....V....`W....[X.....Y

C:\Users\user\AppData\Roaming\GamePall\locales\th.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1008989
Entropy (8bit):	4.356501290091745
Encrypted:	false
SSDEEP:
MD5:	56F29DE3465795E781A52FCF736BBE08
SHA1:	EAA406E5ED938468760A29D18C8C3F16CF142472
SHA-256:	529C561747BF8B6206BE4F8BCF287A1D15E1B14A33113242DDAD5E035CA37BE6
SHA-512:	519B5B3CC7032B2AF856456EEC25019B3A6A7F2A6DB7A0318CF87C41E08C6F6BFA73E239939B0DA16972C1D357FF06177765D875E19742D23E99A95FD4AC5416
Malicious:	false
Reputation:	unknown
Preview:	........i#P.e.....h.....i.....j.....k.....l.....o.....p.....q.....r.....s.0...t.9...v.N...w.[...y.a...z.p...\|.v...}.....................................................................................'.....{.......................^...........e...........f.................s...........I...........]...........P...........r.................{...........D.....]...........;...........$.................,.....}.....K...........v...........e...........r...........m.....................................................E.......................P.......................:.......................B.......................b.......................s.......................X.......................S..................!.....".....".....".....#....0$....\|$.....$....j%.....%....5&....l&.....'....z'.....'....!(....A).....)...............+.....,....H,....x,....M-.....-....6.....l.....k/...../....o0.....0.....1.....2....>3...._3.....4.....5....c6.....6.....7....n8.....8.....9.....9....f:.....:.....:.....;.....<....D=

C:\Users\user\AppData\Roaming\GamePall\locales\tr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	515329
Entropy (8bit):	5.616482888977033
Encrypted:	false
SSDEEP:
MD5:	46CA9EE922C3C175DE466066F40B29CE
SHA1:	5563E236A15CD9CC44AE859165DF1E4E722936C7
SHA-256:	BD8B1441FD2057F0B61512CC0AA23DFD2619560CF886B4D453FA7472E7153A3F
SHA-512:	45AA2D6896568751C2F986ABD281EA07CB731880DF8F28F2F0AEFD95736F41B1E005D8DFB6F0AEF0CED6CEF94154D34FD0DA2CB7F0B0C66D9C085F5C47F32605
Malicious:	false
Reputation:	unknown
Preview:	........c$V.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.%...s.6...t.?...v.T...w.a...y.g...z.v...\|.\|...}...........................................................................................)...........L.................+.......................e........... .....;.................7.....J.......................)......................................... .....B...........5.....x.................Z.......................Q.....{.................w.................Q.................!.......................'.......................&....................... ................."...../.................5.....F.................9.....F.................2.....>.................7.....D...........I.......................v.......................i.......................P.......................q.................-.....z.......................m.................,.............................*.................B................."...........(.....n.................N.....~.................l.......

C:\Users\user\AppData\Roaming\GamePall\locales\uk.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	876131
Entropy (8bit):	4.88404350774067
Encrypted:	false
SSDEEP:
MD5:	1365ABDD1EFB44720EA3975E4A472530
SHA1:	8421FC4905C592EB1269C5D524AA46866D617D3C
SHA-256:	29AB0F7EE69FB7A1E1E54DD2A3746D2CFEAAA71AE5971EE30AA8E2E0F6556FA5
SHA-512:	2E806A9BEA864E689BBD1D78B800DFDBC6E4109320F9A4790E52010BFDEC20C7644655A6FE3BABDE0B84D9580208CB78EF1FA0DB3476F8676C17A13D130296C7
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.'...s.8...t.A...v.V...w.c...y.i...z.x...\|.~...}.....................................................................................1.....s.....W.......................r...........x...........m.....!.......................<.............................n...........,.................-...........\|.............................=.....y.....+...........%.....K...................................w.............................N...................................r.................O...........N.................^...........\...............................................h...............................................R.....m.....f.....6.............................W.....y...........O.....x...........K...........j...........z .....!.....!.....".....".....#....R#.....#....&$.....$.....$.....%.....%....s&.....&.... '.....(.....(....~).....).....*....Q+.....+.....,.....,....Z-.....-.....-....[............/....4/.....0.....0....$1

C:\Users\user\AppData\Roaming\GamePall\locales\ur.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	765853
Entropy (8bit):	5.17061834928747
Encrypted:	false
SSDEEP:
MD5:	3FED15E64BEAFBA75DE61B08A45AE106
SHA1:	E24953271D8C0254AD011D3A65B2C2FA57903681
SHA-256:	B6E250C3F4FBAC3AF5FB8BB1C61CACAD8685D7F2A97063DE23BC22E91B7F2E27
SHA-512:	3948D080135AFEB240815D43F7B5B8D407BA2830FF701D9B8343F2A72E610827EDAAB643444CDCEB86812ADFC9FB3FBA3AAD6DB7488843C2A04E92A3E63FE40D
Malicious:	false
Reputation:	unknown
Preview:	........1$..e.X...h.`...i.h...j.t...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.#.....+.....0.....8.....@.....H.....O.....V.....].....^....._.....d.....\|.............................n.....................................................).....^.......................<...........G.................J.................9...........E.................~...........{...........\...........L.....k.......................,.................9.....e.....C.......................>...................................8.....Z...........C.................;.................-...........L.................N.................1...........-.....y.........................................s............................p........... .......................i...........).....J.......................L...........M ..... ..... ....Y!.....!....4"....Z"....,#.....#....&$....W$....'%.....%....^&.....&....f'.....(.....(.....(.....)....3..............]+.....+.....,....F,.....,....z-.....-

C:\Users\user\AppData\Roaming\GamePall\locales\vi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	609259
Entropy (8bit):	5.796202390024141
Encrypted:	false
SSDEEP:
MD5:	CD741C24AF7597E0DC11069D3AC324E0
SHA1:	2A883DFBCF48D5093D70D4B77BBFFFA521287334
SHA-256:	13E982DC4B2B1AEE093E96BA27E02258C2B815CBB062006A4396BB3A3E6A84B1
SHA-512:	6D27998E25B57FF0CE08C3590B69031038CBA390E68333A83514022B2C56B689AF8AD9715302824027864B5320852E9AB77D74E3B8A90DC66DF59F48CEB528C9
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r....s.;...t.D...v.Y...w.f...y.l...z.{...\|.....}...........................................................................................;.......................-...........A.................[...........O.....u...........v.................6.......................+.......................}...........G.....y.....9...........K.....y.............................z...........?.....V...................................T.................X.......................r...................................9.....J...........H.......................}.................'.......................<.......................O.............................Z................._..................................)........... .....V.....v.......................j...........N.................3...................................O.....v................./.....C.......................@...........) ....^ ....w ..... ....J!....}!.....!..../".....".....#....8#

C:\Users\user\AppData\Roaming\GamePall\locales\zh-CN.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	441207
Entropy (8bit):	6.685712707138377
Encrypted:	false
SSDEEP:
MD5:	99E6ACFB46923C4F8B29058E9EE6166B
SHA1:	AF06C42E5F3578ADBC4F0BD7262DC6775FDD351F
SHA-256:	9D8498875263B19552A982D1850F2F942FF44AF4E323BC5A3A67C34413994D95
SHA-512:	4FDF5186FC2FC68210C2BE91F5B821F0979CA67D6C9B8915C14E7A20D3CE2548EB2660D5F9F398CF6C585A5C0725FA34FD3670F416F7C8A4F009C729BCF02988
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.T...h.\...i.d...j.g...k.v...l.}...m.....o.....p.....q.....r.....s.....t.....v.....w.....\|.....}...............................(.....-.....5.....<.....C.....E.....J.....S....._.....q.................v.................1......................./.......................:.......................>.............................c.......................D.....j................._.......................n.......................T.....}.................@.....o.................V.......................5.....O.....i................."...........x.......................U.......................].......................=.......................".....s.......................L.....u.................g.......................W.....w.................3.....X.....o...........&.....J.....\.................=.....].............................y.......................y...................................N.....`...........,.....d.....y...........).....O.....^.............................\|.......................x.

C:\Users\user\AppData\Roaming\GamePall\locales\zh-TW.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	439630
Entropy (8bit):	6.6906570508767995
Encrypted:	false
SSDEEP:
MD5:	BB7C995F257B9125457381BB01856D72
SHA1:	21C55FF5CBC4F223C23D5A2FBCC9E051DB78A44C
SHA-256:	F2299E03E99B0E9A9CACE3B1C72E6C8C5FE089487CA1C82F2AAF4273B62E37A2
SHA-512:	5247C5DA6F00DF6241500524DDB162041A03649FA0AFCC11AD40E820814958768A2E11CE34E1250FDBF42B2459F8C06B00AE7442B537F0731A62C6724FC8D890
Malicious:	false
Reputation:	unknown
Preview:	.........#,.e.....h.....i.)...j.-...k.<...l.G...n.O...o.T...p.\...q.b...r.n...s.....t.....v.....w.....y.....z.....\|.....}...................................................................%.....4.....C...........3.....q.................+.....T.....`........... .....R.....d.................M.....b.................3.....?.............................g.......................[.......................S.......................;.......................*.......................@.......................F.............................D.....d.....p.................2.....A.............................q.......................T.......................<.............................i.......................f.......................A.....[.....o.................!.............................u.......................^.............................h.......................P.........................................H.......................Z.......................$.....e.....z.................1.....X.....j...........#.

C:\Users\user\AppData\Roaming\GamePall\log4net.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	275968
Entropy (8bit):	5.778490068583466
Encrypted:	false
SSDEEP:
MD5:	7EA1429E71D83A1CCAA0942C4D7F1C41
SHA1:	4CE6ACF4D735354B98F416B3D94D89AF0611E563
SHA-256:	EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
SHA-512:	91C90845A12A377B617140B67639CFA71A0648300336D5EDD422AFC362E65C6CCD3A4FF4936D4262B0EAF7BAE2B9624BCD3C7EEC79F7E7CA18ABE1EC62C4C869
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.X...........!.....,..........~K... ...`....... ..............................H.....@.................................$K..W....`...............................I............................................... ............... ..H............text....+... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B................`K......H...........<x...............-..P .......................................i.)V.#c....e../.`...V....j>....?.LbrzKV.x.}...........[.f)..dD`..66.61[.z....W^....>F..r...#. ..g...T...P....Ss)ii.a.v.(0.....(1...o2...s....}.......0..7........{....-%~....r...p.{....r9..p(3...(.....(.......(4.............//........{...."..}......{........0..4..........%...(5....-.~....r?..p(....+...}.......,..(6............')........{......{...."..}.......{...."..}....*.0..........

C:\Users\user\AppData\Roaming\GamePall\log4net.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1547797
Entropy (8bit):	4.370092880615517
Encrypted:	false
SSDEEP:
MD5:	32AB4E0A9A82245EE3B474EF811F558F
SHA1:	9F2C4C9EEB5720D765F2321ACD0FF9F8DD11E6A4
SHA-256:	9BBF4D15F8FB11F7D2C032BD920D2A33B2C2CB8EF62E7E023049AF6132F5D6C1
SHA-512:	A0574A170F69F9926C32BAF6119A16A381FEC9E881B304082859EE7CFF463570C78984EE14369C59CDB19E532B3ABF193D02B462F1B40D07214B6244150CD63F
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0"?>..<doc>.. <assembly>.. <name>log4net</name>.. </assembly>.. <members>.. <member name="T:log4net.Appender.AdoNetAppender">.. <summary>.. Appender that logs to a database... </summary>.. <remarks>.. <para>.. <see cref="T:log4net.Appender.AdoNetAppender"/> appends logging events to a table within a.. database. The appender can be configured to specify the connection .. string by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionString"/> property. .. The connection type (provider) can be specified by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionType"/>.. property. For more information on database connection strings for.. your specific database see <a href="http://www.connectionstrings.com/">http://www.connectionstrings.com/</a>... </para>.. <para>.. Record

C:\Users\user\AppData\Roaming\GamePall\natives_blob.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	342741
Entropy (8bit):	5.496697631795104
Encrypted:	false
SSDEEP:
MD5:	A58DB728B50E6B82CBDCAA0DB61D36B1
SHA1:	7CD76526CB29A0FF5350A2B52D48D1886360458B
SHA-256:	BA2F2AC6AE9BC67399728F25772A0EB3E840695395CC747ADF4B2F8B5D6D9A46
SHA-512:	0DB9AFBDADA44364521D89BAB6055458125F4F3C8C1B09048EAFA4055A194231CCFFD82FCDADA9360AB2B19F472B893330EBFCB027391E7A0C2B1100FC51E673
Malicious:	false
Reputation:	unknown
Preview:	..mirrors....(function(a,b){."use strict";.var c=a.Array;.var d=a.isNaN;.var e=a.JSON.stringify;.var f;.var g;.var h=b.ImportNow("promise_state_symbol");.var i=b.ImportNow("promise_result_symbol");.var j;.var k;.b.Import(function(l){.f=l.MapEntries;.g=l.MapIteratorNext;.j=l.SetIteratorNext;.k=l.SetValues;.});.var m={.UNDEFINED_TYPE:'undefined',.NULL_TYPE:'null',.BOOLEAN_TYPE:'boolean',.NUMBER_TYPE:'number',.STRING_TYPE:'string',.SYMBOL_TYPE:'symbol',.OBJECT_TYPE:'object',.FUNCTION_TYPE:'function',.REGEXP_TYPE:'regexp',.ERROR_TYPE:'error',.PROPERTY_TYPE:'property',.INTERNAL_PROPERTY_TYPE:'internalProperty',.FRAME_TYPE:'frame',.SCRIPT_TYPE:'script',.CONTEXT_TYPE:'context',.SCOPE_TYPE:'scope',.PROMISE_TYPE:'promise',.MAP_TYPE:'map',.SET_TYPE:'set',.ITERATOR_TYPE:'iterator',.GENERATOR_TYPE:'generator',.}.var n=0;.var o=-1;.var p=[];.var q=true;.function MirrorCacheIsEmpty(){.return n==0&&p.length==0;.}.function ToggleMirrorCache(r){.q=r;.ClearMirrorCache();.}.function ClearMirrorCache(r){.

C:\Users\user\AppData\Roaming\GamePall\resources.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	8226870
Entropy (8bit):	7.996842728494533
Encrypted:	true
SSDEEP:
MD5:	F7EC58AEA756F3FD8A055AC582103A78
SHA1:	086B63691F5E5375A537E99E062345F56512A22C
SHA-256:	517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
SHA-512:	C620C6E16BBCEE9BC607E6CA75D602C756276AC69E5F3761D82DE7728164133656A71A69043EB1A86CE3051FDE4327A47EFD41D1FF47C8385699CA67C423AD7B
Malicious:	false
Reputation:	unknown
Preview:	............f.6:..{..D..\|..G..~. K.....]....._....=.....c...........9.....B.............................F.....K/.....2....54....r5.....6.....?.....@....jB.....C....hD.....E.....H....nj.....k.....r....@~...."..........W.....................;..../;'...2;P...7;....8;....C;....D;U...E;....F;....G;A,..H;.;..I;gK..J;.Z..K;.h..L;.}..M;y...N;{...O;z...P;....Q;8...R;....S;....T;C'..U;.=..V;.W..W;.m..X;....Y;....Z;D...[;....\;....];.....<.....<x....<.....<-....<\....<.....<.....<.....<.....<*(...< /...<+3...<.3..I=.3..J=.7..K=.9..R= >..S=.G..T=}V..[=;w..\=.x..]=.}..^=R..._=....`=....a=....b=....c=....e=:...f=.....=....=.....=....=`....=p....=.....=.....=.....=.....=.....=K....=.....=t....=.....=.....=.....=\....=Z....=.....=T....=[....=x....=.....=.....=D....=.....=.....=.....=l....=F....=.'...=j)...>.+...>l,...>_0...>.2...>.6...>.8..N>.\..O>~^..P>._..Q>%d..R>.k..S>.l..T>Tn..U>.p..b>.u..c>/y..d>.\|..B@....C@....D@o...E@....F@W...L@Z...M@(...N@...O@....D.....D ....D ....D;....D.....D....D..

C:\Users\user\AppData\Roaming\GamePall\snapshot_blob.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	276319
Entropy (8bit):	4.242318669799302
Encrypted:	false
SSDEEP:
MD5:	8234983533FA47D2A1D7710FF8274299
SHA1:	E4C5793B6FE6A6C6C9D8E3921B3BC341AE3448D8
SHA-256:	F95553D8066144CBB8A05EED1735C94A4B97A2E44E49F624C2302990A13017C9
SHA-512:	1E7E201B0FF9AFA7821B5FFD0A36548A49CD4DBBABA5858E13DA35058670A5053723DD3544B2FD85C619F2B8FC9E5DB48DF977BB293E7BA7DE6F22CC8DAB28CA
Malicious:	false
Reputation:	unknown
Preview:	.........X./j1N.11.8.172.9.......................................................@...y...........@..`....`....`....`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\start.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.8731406795131327
Encrypted:	false
SSDEEP:
MD5:	2C66F3C2190A84FAFD4449DAF6440EAC
SHA1:	7B9E4C94329FE26C34E63AB8336227FD5EB553E9
SHA-256:	58EB97E30289A3FCAE270DBCC01258A862936350CB0EF781AE76D6A9444C0155
SHA-512:	62713209575426CE503605C6F451E9DFB025BE0295F0A453614862CE390F5987F0E16BAE6B37B4B1A7330A7CB5AA31249F8CF58DE37B8B701C16881E4E4E61C1
Malicious:	false
Reputation:	unknown
Preview:	start GamePall.exe OuWe5kl

C:\Users\user\AppData\Roaming\GamePall\swiftshader\Xilium.CefGlue.pdb

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	MSVC program database ver 7.00, 512*4023 bytes
Category:	dropped
Size (bytes):	2059776
Entropy (8bit):	4.067542396670122
Encrypted:	false
SSDEEP:
MD5:	70F9EAEA8A2A604E59F72EDE66F83AB4
SHA1:	0AB9EA1BFFDFF471EC22AB289C7FBC5E0CDF48BF
SHA-256:	38A07BA75CC2BBDF715CA87D380A4E5A0DCFAF9C30C5ECD30F6107871D51825B
SHA-512:	47DE4DAD93385A4907FADE307040FE026ED66989C0C9915AFC96CB2BC93DE5E106DC1274E4AD2382021C758C60FEDE06D68998CF3591E23E2951778CE09D6D4C
Malicious:	false
Reputation:	unknown
Preview:	Microsoft C/C++ MSF 7.00...DS................J..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346624
Entropy (8bit):	6.54104466243173
Encrypted:	false
SSDEEP:
MD5:	7A53AD3E5D2E65C982450E7B7453DE8A
SHA1:	99F27E54F1F61207C02110CAC476405557A8AD54
SHA-256:	24FDDD6A367792A9D86D9060FC9AA459B5FB0F67804CB7D139A100D86BBDAFF8
SHA-512:	2B5E5DB46FDC787CB46CDAEBFFC01586E248FBB864677B27AF03CDC33E956DEF51B3F836597E7092C4175CF605C44728C6F96B74BB2C9870E9715D4AF4C531A1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.........T............................................................@A....................................P....p...........................3..4.......................8........G...............................................text............................... ..`.rdata..............................@..@.data....4..........................@....00cfg.......@......................@..@.tls.........P......................@....voltbl......`...........................rsrc........p......................@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2445312
Entropy (8bit):	6.750207745422387
Encrypted:	false
SSDEEP:
MD5:	334C3157E63A34B22CCE25A44A04835F
SHA1:	C6B05BD55BE9FED3B0C5077C5649E2A41C10DC08
SHA-256:	3E307570B574469EC8BCF1CE6D5291DF8D627CA3812F05AACFEBBD3F00B17F89
SHA-512:	11F538ADD05515861891892EBB90163B6540B72FEB380D64B4A0AA56C6415E3B71374557BF50D0B936712B1006F2B94D59BEBFBF18CBF93BB883D9055CAAEEE9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.....4 .................................................p*...........@A..........................#.. ....$.d....P)......................`).......#.......................#......."...............$.P............................text.../2 ......4 ................. ..`.rdata..\....P ......8 .............@..@.data...L....@$...... $.............@....00cfg....... )......>$.............@..@.tls.........0)......@$.............@....voltbl.M....@)......B$..................rsrc........P)......D$.............@..@.reloc.......`)......H$.............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\v8_context_snapshot.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	631017
Entropy (8bit):	5.144793130466209
Encrypted:	false
SSDEEP:
MD5:	0794DF29DF8DFC3ECE5C443F864F5AEB
SHA1:	BFD4A9A34BEB9751BC4203FB9A9172F1F05E5B16
SHA-256:	3EE2237E9B14871165B051CCF892C8375E45B5F12841E02F4B9D37F5D5A03283
SHA-512:	0D34E36F7455B977F086F04840FBA679284A619A7164A56B5C7FC2ADCB23A231B67A62101540EB07CF5C8192790266B08D2CC232D291621C331FE77C1F5E52C0
Malicious:	false
Reputation:	unknown
Preview:	..........d..<..11.8.172.9......................................................@...]!...S..y...-[..........`....`....`T...`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4400640
Entropy (8bit):	6.667314807988382
Encrypted:	false
SSDEEP:
MD5:	7F913E31D00082338F073EF60D67B335
SHA1:	AC831B45F2A32E23BA9046044508E47E04CDA3A4
SHA-256:	B60E9818C4EA9396D0D2D2A4AC79C7DC40D0DFF6BB8BC734D0AB14ADC30FBF30
SHA-512:	E1AC79C775CF9137283CD2C1AE1A45EC597E0351CDB9C11D483E2E1F8B00CC2BBC5807A50DED13A3A5E76F06C1A565EFF1233F4EC727B0C5F7AA3BEAEA906750
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....$5.........P.-......................................PD...........@A........................8=?.~....\?.P.... B......................0B.X.....?.....................H.?......@5.............._?..............................text...T#5......$5................. ..`.rdata...a...@5..b...(5.............@..@.data...@N....?..x....?.............@....00cfg........B.......A.............@..@.tls....5.....B.......A.............@....rsrc........ B.......A.............@..@.reloc..X....0B.......A.............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader_icd.json

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.724752649036734
Encrypted:	false
SSDEEP:
MD5:	8642DD3A87E2DE6E991FAE08458E302B
SHA1:	9C06735C31CEC00600FD763A92F8112D085BD12A
SHA-256:	32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
SHA-512:	F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
Malicious:	false
Reputation:	unknown
Preview:	{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}

C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	826368
Entropy (8bit):	6.78646032943732
Encrypted:	false
SSDEEP:
MD5:	A031EB19C61942A26EF74500AD4B42DF
SHA1:	FDC6EA473234F153639E963E8EFB8D028DA1BE20
SHA-256:	207706A3A3FAA8500F88CB034B26413074EFC67221A07C5F70558F3C40985A91
SHA-512:	80F843E47FC2B41B17EF6EA1BB2BB04119B2417311599EC52120D9F9DF316B4D7B1DAF97EE5CDF2AE78CDB9475E5C65255A7F2AB2A9231804F6A82C83303FD19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....\|..........@.....................................................@A...........................<!..$...P....p..............................l..............................................P................................text....z.......\|.................. ..`.rdata..tr.......t..................@..@.data....7..........................@....00cfg.......P......................@..@.tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211456
Entropy (8bit):	6.566524833521835
Encrypted:	false
SSDEEP:
MD5:	6D7FD214164C858BBCF4AA050C114E8C
SHA1:	B8868DA6BB9A79EE7C9901A9BFAC580D5BAFCC96
SHA-256:	3F58FB22BD1A1159C351D125BEE122A16BB97BABB5FCA67FDBD9AAAED3B302E6
SHA-512:	0F8F2523C3A616AC7C72A1239B7E353F6A684FF75DA79D1CAF9B98A47FF6FE06329165825704C67C04E92073BA2C17D0FF339C57731DDF0F1489C2E97D1D0A14
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..._...^..._q..^..._..^..._..^..._..^..._..^k.._...^..._...^...^...^k.._...^k.._...^n..^...^k.._...^Rich...^........................PE..L...Ua.X.........."!.........(......c........0............................................@.................................x...<....@.......................P..T"......8...............................@............0..0............................text............................... ..`.rdata..`....0....... ..............@..@.data...............................@....gfids.......0......................@..@.rsrc........@......................@..@.reloc..T"...P...$..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\svgbeht

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	6.489617687005425
Encrypted:	false
SSDEEP:
MD5:	17CB739C8FD07235FD29FBAAB85E7777
SHA1:	BB8B921ACB8CCE657068485C5D55F411318B7955
SHA-256:	DD6F8DADDB7DA0E8B9BE526FC3AA9C5F0808FE6926CA7A9648464F9B4F8140E1
SHA-512:	BBBAE466825BC0B104E359CCEB8C199FCEE60CAB406AF6609FA76836DBD154840D84B0A1C3D725BA5378B1742E2C6B29AE38A1BF0F00488BB0845F96AB8CC312
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.................d.......u.......c.x...?"..........u.....j.......t.......q.....Rich............PE..L......c.................j...80...................@...........................1................................................P.....0.................................................................................\|............................text...Ri.......j.................. ..`.rdata..` ......."...n..............@..@.data...H...........................@....rsrc.........0.....................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\svgbeht:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.489617687005425
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe
File size:	176'128 bytes
MD5:	17cb739c8fd07235fd29fbaab85e7777
SHA1:	bb8b921acb8cce657068485c5d55f411318b7955
SHA256:	dd6f8daddb7da0e8b9be526fc3aa9c5f0808fe6926ca7a9648464f9b4f8140e1
SHA512:	bbbae466825bc0b104e359cceb8c199fcee60cab406af6609fa76836dbd154840d84b0a1c3d725ba5378b1742e2c6b29ae38a1bf0f00488bb0845f96ab8cc312
SSDEEP:	3072:MZ5xLNH3z7d9PdCXLDCcb4BFD1jXhPtP5auNDW1KuU3:i5xLNHcXPCcb6Tp7
TLSH:	1D04381075F69127FFF78B312A74A6901A3BBC636A70818E3650F24E1EB36D18DA1753
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.................d.......u.......c.x...?"..........u.....j.......t.......q.....Rich............PE..L......c.................j.

File Icon


Icon Hash:	cb97334d5155599a

Static PE Info

General

Entrypoint:	0x401908
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x63E3BE81 [Wed Feb 8 15:23:45 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	a2f98760372f92ec7255c044ca187eb8

Entrypoint Preview

Instruction
call 00007F1C30E9F075h
jmp 00007F1C30E9B33Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041C918h], eax
mov dword ptr [0041C914h], ecx
mov dword ptr [0041C910h], edx
mov dword ptr [0041C90Ch], ebx
mov dword ptr [0041C908h], esi
mov dword ptr [0041C904h], edi
mov word ptr [0041C930h], ss
mov word ptr [0041C924h], cs
mov word ptr [0041C900h], ds
mov word ptr [0041C8FCh], es
mov word ptr [0041C8F8h], fs
mov word ptr [0041C8F4h], gs
pushfd
pop dword ptr [0041C928h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041C91Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041C920h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041C92Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041C868h], 00010001h
mov eax, dword ptr [0041C920h]
mov dword ptr [0041C81Ch], eax
mov dword ptr [0041C810h], C0000409h
mov dword ptr [0041C814h], 00000001h
mov eax, dword ptr [0041B004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041B008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000A4h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x197ec	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2308000	0x101d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x18000	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16952	0x16a00	a137aa6dec0ff3bfdac4ecf0369f766e	False	0.8033710290055248	data	7.5001533145273696	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x18000	0x2060	0x2200	fe32a06b6049963eaaffd1c402b49757	False	0.3508731617647059	data	5.3886273312215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0x22ec548	0x1e00	381994e863c4c1b5db868c46593cca32	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2308000	0x101d8	0x10200	5aadaab100e8ddd94d42f3d200070c23	False	0.45884811046511625	data	4.996815537368121	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
NUSUTUMA	0x230ef08	0x3fa	ASCII text, with very long lines (1018), with no line terminators	Turkish	Turkey	0.6277013752455796
RT_CURSOR	0x230f308	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x230f438	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x23086d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.6095415778251599
RT_ICON	0x2309578	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.694043321299639
RT_ICON	0x2309e20	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.7523041474654378
RT_ICON	0x230a4e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7947976878612717
RT_ICON	0x230aa50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5955394190871369
RT_ICON	0x230cff8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.725609756097561
RT_ICON	0x230e0a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.7385245901639345
RT_ICON	0x230ea28	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.8865248226950354
RT_STRING	0x2311bb8	0xaa	data			0.611764705882353
RT_STRING	0x2311c68	0x6e	data			0.6
RT_STRING	0x2311cd8	0x6b2	data			0.4305717619603267
RT_STRING	0x2312390	0x688	data			0.4342105263157895
RT_STRING	0x2312a18	0x6a4	data			0.42764705882352944
RT_STRING	0x23130c0	0x202	data			0.5019455252918288
RT_STRING	0x23132c8	0x6a4	data			0.42705882352941177
RT_STRING	0x2313970	0x6d8	data			0.4297945205479452
RT_STRING	0x2314048	0x7e0	data			0.42162698412698413
RT_STRING	0x2314828	0x71a	data			0.42684268426842686
RT_STRING	0x2314f48	0x698	data			0.4277251184834123
RT_STRING	0x23155e0	0x798	data			0.4202674897119342
RT_STRING	0x2315d78	0x6dc	data			0.4299544419134396
RT_STRING	0x2316458	0x82c	data			0.41634799235181646
RT_STRING	0x2316c88	0x672	data			0.44
RT_STRING	0x2317300	0x752	data			0.4247598719316969
RT_STRING	0x2317a58	0x724	data			0.424507658643326
RT_STRING	0x2318180	0x52	data			0.6585365853658537
RT_GROUP_CURSOR	0x23119e0	0x22	data			1.088235294117647
RT_GROUP_ICON	0x230ee90	0x76	data	Turkish	Turkey	0.6610169491525424
RT_VERSION	0x2311a08	0x1b0	data			0.5972222222222222

Imports

DLL	Import
KERNEL32.dll	CreateJobObjectW, GetModuleHandleExW, SetVolumeMountPointW, GetComputerNameW, SleepEx, GetCommProperties, GetModuleHandleW, GetTickCount, ReadConsoleOutputA, GlobalAlloc, GetConsoleAliasExesLengthW, lstrcpynW, WriteConsoleW, GetModuleFileNameW, ZombifyActCtx, GetLastError, GetProcAddress, BuildCommDCBW, GetAtomNameA, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, SetFileApisToANSI, AddAtomA, FoldStringA, lstrcatW, EnumDateFormatsW, FindFirstVolumeA, GetConsoleAliasesW, OpenJobObjectA, CreateFileA, GetConsoleOutputCP, MultiByteToWideChar, HeapReAlloc, HeapAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, Sleep, HeapSize, ExitProcess, HeapCreate, VirtualFree, HeapFree, VirtualAlloc, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, WideCharToMultiByte, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, ReadFile, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA
GDI32.dll	GetBoundsRect
ole32.dll	CoTaskMemRealloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Target ID:	0
Start time:	19:38:50
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe"
Imagebase:	0x400000
File size:	176'128 bytes
MD5 hash:	17CB739C8FD07235FD29FBAAB85E7777
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2123557960.0000000004371000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2123557960.0000000004371000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2123328963.0000000002960000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2123406759.000000000298C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:39:03
Start date:	02/07/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	19:39:21
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\svgbeht
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\svgbeht
Imagebase:	0x400000
File size:	176'128 bytes
MD5 hash:	17CB739C8FD07235FD29FBAAB85E7777
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2417216706.000000000281B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2417107422.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2417127304.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2417127304.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2417303583.0000000004371000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2417303583.0000000004371000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:39:35
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Local\Temp\53FF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\53FF.exe
Imagebase:	0xcc0000
File size:	6'642'176 bytes
MD5 hash:	BD2EAC64CBDED877608468D86786594A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2516799082.000000000069C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2516945580.000000000069C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:39:44
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Local\Temp\7719.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\7719.exe
Imagebase:	0x400000
File size:	293'869 bytes
MD5 hash:	60172CA946DE57C3529E9F05CC502870
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 21%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:39:50
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Local\Temp\96C7.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\96C7.exe
Imagebase:	0xe40000
File size:	578'048 bytes
MD5 hash:	DA4B6F39FC024D2383D4BFE7F67F1EE1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 16%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:40:01
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\svgbeht
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\svgbeht
Imagebase:	0x400000
File size:	176'128 bytes
MD5 hash:	17CB739C8FD07235FD29FBAAB85E7777
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.2975757928.0000000004271000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000A.00000002.2975757928.0000000004271000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000A.00000002.2975329617.0000000002790000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.2975710135.0000000004250000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000A.00000002.2975710135.0000000004250000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.2975486855.00000000027AF000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:41:08
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Local\Temp\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\setup.exe"
Imagebase:	0x400000
File size:	107'232'830 bytes
MD5 hash:	FF2293FBFF53F4BD2BFF91780FABFD60
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:41:40
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Imagebase:	0x7d0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:41:47
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xa0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	19:41:47
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3924 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Imagebase:	0x240000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	19:41:47
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2972 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:	0x900000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	19:41:47
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:	0xcf0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	19:41:47
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521213265 --mojo-platform-channel-handle=4044 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0x350000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	19:41:48
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521380179 --mojo-platform-channel-handle=4056 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0xe60000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	19:41:48
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x5b0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	19:41:49
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x280000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	19:41:49
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x5b0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	19:41:51
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xb30000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	19:41:52
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xc60000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	19:41:52
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xc00000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	19:41:53
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xc0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	19:41:53
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x810000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	19:41:53
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x7f0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	19:41:54
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x7e0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	19:41:54
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xfe0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	19:41:55
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x4c0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	19:41:55
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xba0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	19:41:55
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x490000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	19:41:56
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x9e0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	19:41:56
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x6c0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	19:41:57
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xf30000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	19:41:58
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x1c0000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	19:41:58
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x90000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	19:41:58
Start date:	02/07/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x140000
File size:	296'448 bytes
MD5 hash:	7A3502C1119795D35569535DE243B6FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	20.6%
Signature Coverage:	45.4%
Total number of Nodes:	141
Total number of Limit Nodes:	5

Executed Functions

Function 00401496 Relevance: 10.7, APIs: 7, Instructions: 247
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.2122285089.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
Instruction ID: 8e4940cc2d5d294876689a6a874cb0cc3c399929e81e9dec1e5d288c8cd9e9dd
Opcode Fuzzy Hash: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
Instruction Fuzzy Hash: F481B375500244BBEB209F91CC44FAB7BB8FF85704F10412AF952BA2F1E7749901CB69

Function 00401538 Relevance: 10.7, APIs: 7, Instructions: 207
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.2122285089.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
Instruction ID: 71a4d0092025beca94809e07d65936591d52f1bb8effc294688e3fcd05e54c36
Opcode Fuzzy Hash: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
Instruction Fuzzy Hash: E0615171900204FBEB209F95CC89FAF7BB8FF85700F10412AF912BA2E5D6759905DB65

Function 004014DE Relevance: 10.7, APIs: 7, Instructions: 204
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.2122285089.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
Instruction ID: 6a824664258ffec6fdf95c516407446232c8a84219ad61b9fd4b8efeb52f3576
Opcode Fuzzy Hash: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
Instruction Fuzzy Hash: 9B615C75900245BFEB219F91CC88FEBBBB8FF85710F10016AF951BA2A5E7749901CB24

Function 00401543 Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.2122285089.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
Instruction ID: 1fc6fb52bb36dddf8f971a96ecfe927bdbae9887f6286775c14151e9c1d92244
Opcode Fuzzy Hash: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
Instruction Fuzzy Hash: 13512B71900245BBEB209F91CC88FAF7BB8EF85B00F14416AF912BA2E5D6749945CB64

Function 00401565 Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.2122285089.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
Instruction ID: d88667ffe02cbbb2798d41d5ad0cf6527765788d972b82ac88077c7d238bff09
Opcode Fuzzy Hash: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
Instruction Fuzzy Hash: 54511A71900205BFEF209F91CC89FAFBBB8FF85B10F104259F911AA2A5D7759941CB64

Function 00401579 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.2122285089.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
Instruction ID: 7169477154cf1621f4f222e223ad54e678f31395e99d0ffd613e12cb64d905d3
Opcode Fuzzy Hash: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
Instruction Fuzzy Hash: 2B511A75900245BBEF209F91CC88FEF7BB8FF85B10F104119F911BA2A5D6759941CB64

Function 0040157C Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.2122285089.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
Instruction ID: 14f4b29c405daff92d21e2b3eea283823ae405efc36948ac0d92101f557811aa
Opcode Fuzzy Hash: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
Instruction Fuzzy Hash: DE51F9B5900245BBEF209F91CC88FEFBBB8FF85B10F104259F911AA2A5D6709944CB64

Function 00402FE9 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040311D
NtTerminateProcess.NTDLL ref: 00403136

Memory Dump Source

Source File: 00000000.00000002.2122285089.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 3e1675bac70c022a4e457ffe6b5fa54937b73e0116388ba90aec32851b4d9964
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: A1412431228E088FD768EF5CA885762B7D5F798311F6643AAE809D7389EA34DC1183C5

Function 0298F452 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0298F47A
Module32First.KERNEL32(00000000,00000224), ref: 0298F49A

Memory Dump Source

Source File: 00000000.00000002.2123406759.000000000298C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0298C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_298c000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: f0cc74f414590891307db849a3d6c40b24ff9e39b5db8aa2a2ca6e5fb65f32d8
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: C1F0F6312007106FD7203BF5EC8CB6EB2ECFF48325F54512AE646928C0DB70E8454A60

Function 00417640 Relevance: 42.2, APIs: 21, Strings: 3, Instructions: 218
stringmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,00000000), ref: 004176D4
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004176E2
WriteConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 004176F9
lstrcpynW.KERNEL32(?,00000000,00000000), ref: 00417710
GetAtomNameA.KERNEL32(00000000,00000000,00000000), ref: 00417719
SetFileApisToANSI.KERNEL32 ref: 0041771F
ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00417760
SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 00417768
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00417777
EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 00417780
GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 00417792
GetModuleHandleExW.KERNEL32(00000000,0041931C,?), ref: 004177AE
GlobalAlloc.KERNEL32(00000000,00000000), ref: 004177D9
AddAtomA.KERNEL32(00000000), ref: 004177E0
GetCommProperties.KERNELBASE(00000000,?), ref: 004177EE
GetTickCount.KERNEL32 ref: 004177F4
GetLastError.KERNEL32 ref: 004177FA
ZombifyActCtx.KERNEL32(00000000), ref: 0041780D
GetConsoleAliasesW.KERNEL32(?,00000000,00000000), ref: 0041781C
FoldStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00417838
LoadLibraryA.KERNELBASE(004193A0), ref: 004178E1

Strings

k`, xrefs: 004178F6
tl_, xrefs: 004176B4
}$, xrefs: 00417903

Memory Dump Source

Source File: 00000000.00000002.2122301064.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_SecuriteInfo.jbxd

Similarity

API ID: Console$AtomFileModuleName$AliasesAllocApisBoundsCommCountDateEnumErrorExchangeFoldFormatsGlobalHandleInterlockedLastLibraryLoadMountOutputPointPropertiesReadRectStringTickVolumeWriteZombifylstrcatlstrcpyn
String ID: k`$tl_$}$
API String ID: 3342591227-211918992
Opcode ID: 0b436240d99ffb49eba0d716691840d996ebfc4b3f18bc31f3653c2c31673b30
Instruction ID: be13a3e2899ae1437650d09e993ac3f4cd5df6ea62933a217ab08d843738736c
Opcode Fuzzy Hash: 0b436240d99ffb49eba0d716691840d996ebfc4b3f18bc31f3653c2c31673b30
Instruction Fuzzy Hash: A171AB71845528AFD721AB65DC88CDF7B78FF09354B00846AF505E2160CF388A89CFAD

Function 0296003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0296024D

Strings

cess, xrefs: 0296018D
kernel32.dll, xrefs: 0296008F, 02960095

Memory Dump Source

Source File: 00000000.00000002.2123328963.0000000002960000.00000040.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2960000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 6e77b96c3b19d6afac54f34560a48f2c741349d8aec6d8f15dddb1e2824a2581
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: C5526874A01229DFDB64CF68C984BACBBB5BF09304F1480D9E94DAB351DB30AA95DF14

Function 02960E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02960223,?,?), ref: 02960E19
SetErrorMode.KERNELBASE(00000000,?,?,02960223,?,?), ref: 02960E1E

Memory Dump Source

Source File: 00000000.00000002.2123328963.0000000002960000.00000040.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2960000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 22603c25c05b888d43f7013e6a3eb623d00899a63bb9d0e3a9aa15ba1703fed2
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: A7D0123154512877D7012AD4DC0DBDD7B5CDF05B66F008011FB0DD9080C770954046E5

Function 004173C2 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00000040,?), ref: 004173D8

Memory Dump Source

Source File: 00000000.00000002.2122301064.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
Instruction ID: 4c62818881ac23e86d27b7ad5f6e3bb285c85b39ac0806b91a2128f0277fdf34
Opcode Fuzzy Hash: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
Instruction Fuzzy Hash: 8CC08CB194020DFFDB018B91FC41E8D7BACF300248F808020B716A1060CAB1AD289F68

Function 00401918 Relevance: 1.3, APIs: 1, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.2122285089.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F

Function 00401924 Relevance: 1.3, APIs: 1, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.2122285089.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F

Function 0298F111 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0298F162

Memory Dump Source

Source File: 00000000.00000002.2123406759.000000000298C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0298C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_298c000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 2afc5fc8ea27ff1f271ab40a2397fc04a2682b45fefe0cc2998e54068d086746
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 33113F79A00208EFDB01DF98C985E98BBF5EF08351F498094F9489B361D371EA50DF90

Function 00401941 Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.2122285089.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F

Function 00401954 Relevance: 1.3, APIs: 1, Instructions: 43sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.2122285089.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
Instruction ID: f7568a5a22988f4b084f7ac8228f9b89e575eda69d31bfffabc36cd9cbe45c64
Opcode Fuzzy Hash: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
Instruction Fuzzy Hash: BDF0C2B6208144F7DB019AA18DB1FBA36299B44314F300233BA17B90F5C67C8612E76F

Function 0040194C Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.2122285089.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
Instruction ID: 9d6088553fbd849a34ffa1589a5f9bffd683413c7e042594889390f4c4f3f426
Opcode Fuzzy Hash: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
Instruction Fuzzy Hash: 08F0C2B2208144F7DB019A958DA0FBA36299B44314F300633B617B91F5C57C8A02E72F

Function 004173A1 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,0041788F), ref: 004173AB

Memory Dump Source

Source File: 00000000.00000002.2122301064.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_SecuriteInfo.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: cb277be0a3992133d9d926f909f17ca531406a750540cb22e4a7424897a2784b
Instruction ID: 43d98c38037be9b0da97174d463232e07300d4bae8a73e002124a5be647132f1
Opcode Fuzzy Hash: cb277be0a3992133d9d926f909f17ca531406a750540cb22e4a7424897a2784b
Instruction Fuzzy Hash: 3CB09270845205CAE2005F70D84470EBFE1FB4C202F828829E40496284DAB114089E60

Function 004173A3 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,0041788F), ref: 004173AB

Memory Dump Source

Source File: 00000000.00000002.2122301064.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_SecuriteInfo.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6adb750e7ea17ba4dfc271b57f0e32d75a63e91da777faa17e994a4e47bbaa96
Instruction ID: d55db0c2126c828c826ef05274ed4aaa6eabc9571a3453db39e0ff1d3a989bdf
Opcode Fuzzy Hash: 6adb750e7ea17ba4dfc271b57f0e32d75a63e91da777faa17e994a4e47bbaa96
Instruction Fuzzy Hash: B6B01270C80204DFDB000FB0EC44B0C7FA1B30C302F40C415F50441158CFB004289F20

Non-executed Functions

Function 0296092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 029609DC, 029609DF, 029609E4
l, xrefs: 02960966
., xrefs: 0296095F

Memory Dump Source

Source File: 00000000.00000002.2123328963.0000000002960000.00000040.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2960000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 1231f6e8aa48de1049799fb74017cf9ccd4f89386f048eae9ae1703ef24d7c96
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 0B3138B6900609DFDB10CF99C884BAEBBFAFF48324F15454AD841A7350D771EA45CBA4

Function 0298ED2F Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123406759.000000000298C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0298C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_298c000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 037ae27ae85b366cb358d37d60d8b02c1735030f560b8c360f15ad65ac2d92c1
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 34118E72340100AFDB44EF55DC90EA673EAEF89320B1D8065ED08CB351F679E842CB60

Function 02960D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123328963.0000000002960000.00000040.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2960000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: d6dbec18302e7b488ac1aa88345d410c5350bde75b78d0254e7aa6f25f618f44
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 9801F272A106008FDF21CF60C898BBE33E9FF86206F0541A4D90B9B281E370A8418B80

Function 00417526 Relevance: 6.0, APIs: 4, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

CreateJobObjectW.KERNEL32(00000000,00000000), ref: 0041753D
OpenJobObjectA.KERNEL32(00000000,00000000,00000000), ref: 0041755A
BuildCommDCBW.KERNEL32(00000000,?), ref: 00417565
LoadLibraryA.KERNEL32(00000000), ref: 0041756C

Memory Dump Source

Source File: 00000000.00000002.2122301064.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_SecuriteInfo.jbxd

Similarity

API ID: Object$BuildCommCreateLibraryLoadOpen
String ID:
API String ID: 2043902199-0
Opcode ID: 9f3ed112706eb8286ade0b86c195286d9610ac0970c0ce61b43f95d78f98277c
Instruction ID: 90512e1d2625494c81f44d3c8dd56ea1961f3cc6f9370a523a930c536b4937fe
Opcode Fuzzy Hash: 9f3ed112706eb8286ade0b86c195286d9610ac0970c0ce61b43f95d78f98277c
Instruction Fuzzy Hash: DDE0C931842528EFC7116B65EC488DF7FADFF0A359B41C025F50591115DB784A49CFE9

Function 004173E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(02705280), ref: 004174AC
GetProcAddress.KERNEL32(00000000,0041D350), ref: 004174E9

Strings

, xrefs: 00417432

Memory Dump Source

Source File: 00000000.00000002.2122301064.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID:
API String ID: 1646373207-3916222277
Opcode ID: c054b58ef60272508c52d8ce0959ba2e779dab446c0d3af84fe4e19f33e188f5
Instruction ID: 45946ed8e24b5ff65f6d6728d957c430149eac3a472d67054be7f2f938815656
Opcode Fuzzy Hash: c054b58ef60272508c52d8ce0959ba2e779dab446c0d3af84fe4e19f33e188f5
Instruction Fuzzy Hash: 0A31A0B5D883C4DCF30187A4B8497B23B61AB15B04F48882AD954CB2A5D7FA1458C72F

Function 0041757D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 004175C5
SleepEx.KERNEL32(00000000,00000000), ref: 004175CF

Strings

-, xrefs: 004175DB

Memory Dump Source

Source File: 00000000.00000002.2122301064.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_SecuriteInfo.jbxd

Similarity

API ID: ComputerNameSleep
String ID: -
API String ID: 3354815184-2547889144
Opcode ID: c1331dce079a91ad5d80a21376cde5ad65eb13f020d06da4c1b01d90ac832ba8
Instruction ID: ebeafa1bb34f9a4184a15c16daf5d23565cbd7f10216a92778f2b2cd1c8db9a3
Opcode Fuzzy Hash: c1331dce079a91ad5d80a21376cde5ad65eb13f020d06da4c1b01d90ac832ba8
Instruction Fuzzy Hash: 7901D630804218E6C7609F64D881BDEBBF8FB08324F5181AAE58196085CF345ACC8FD9

Analysis Process: svgbehtPID: 5988, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	20.6%
Signature Coverage:	0%
Total number of Nodes:	141
Total number of Limit Nodes:	5

Executed Functions

Function 00401496 Relevance: 10.7, APIs: 7, Instructions: 247
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000004.00000002.2414955439.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_svgbeht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
Instruction ID: 8e4940cc2d5d294876689a6a874cb0cc3c399929e81e9dec1e5d288c8cd9e9dd
Opcode Fuzzy Hash: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
Instruction Fuzzy Hash: F481B375500244BBEB209F91CC44FAB7BB8FF85704F10412AF952BA2F1E7749901CB69

Function 00401538 Relevance: 10.7, APIs: 7, Instructions: 207
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000004.00000002.2414955439.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_svgbeht.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
Instruction ID: 71a4d0092025beca94809e07d65936591d52f1bb8effc294688e3fcd05e54c36
Opcode Fuzzy Hash: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
Instruction Fuzzy Hash: E0615171900204FBEB209F95CC89FAF7BB8FF85700F10412AF912BA2E5D6759905DB65

Function 004014DE Relevance: 10.7, APIs: 7, Instructions: 204
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000004.00000002.2414955439.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_svgbeht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
Instruction ID: 6a824664258ffec6fdf95c516407446232c8a84219ad61b9fd4b8efeb52f3576
Opcode Fuzzy Hash: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
Instruction Fuzzy Hash: 9B615C75900245BFEB219F91CC88FEBBBB8FF85710F10016AF951BA2A5E7749901CB24

Function 00401543 Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000004.00000002.2414955439.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_svgbeht.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
Instruction ID: 1fc6fb52bb36dddf8f971a96ecfe927bdbae9887f6286775c14151e9c1d92244
Opcode Fuzzy Hash: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
Instruction Fuzzy Hash: 13512B71900245BBEB209F91CC88FAF7BB8EF85B00F14416AF912BA2E5D6749945CB64

Function 00401565 Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000004.00000002.2414955439.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_svgbeht.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
Instruction ID: d88667ffe02cbbb2798d41d5ad0cf6527765788d972b82ac88077c7d238bff09
Opcode Fuzzy Hash: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
Instruction Fuzzy Hash: 54511A71900205BFEF209F91CC89FAFBBB8FF85B10F104259F911AA2A5D7759941CB64

Function 00401579 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000004.00000002.2414955439.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_svgbeht.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
Instruction ID: 7169477154cf1621f4f222e223ad54e678f31395e99d0ffd613e12cb64d905d3
Opcode Fuzzy Hash: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
Instruction Fuzzy Hash: 2B511A75900245BBEF209F91CC88FEF7BB8FF85B10F104119F911BA2A5D6759941CB64

Function 0040157C Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000004.00000002.2414955439.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_svgbeht.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
Instruction ID: 14f4b29c405daff92d21e2b3eea283823ae405efc36948ac0d92101f557811aa
Opcode Fuzzy Hash: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
Instruction Fuzzy Hash: DE51F9B5900245BBEF209F91CC88FEFBBB8FF85B10F104259F911AA2A5D6709944CB64

Function 00402FE9 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040311D
NtTerminateProcess.NTDLL ref: 00403136

Memory Dump Source

Source File: 00000004.00000002.2414955439.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_svgbeht.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 3e1675bac70c022a4e457ffe6b5fa54937b73e0116388ba90aec32851b4d9964
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: A1412431228E088FD768EF5CA885762B7D5F798311F6643AAE809D7389EA34DC1183C5

Function 00417640 Relevance: 42.2, APIs: 21, Strings: 3, Instructions: 218
stringmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,00000000), ref: 004176D4
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004176E2
WriteConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 004176F9
lstrcpynW.KERNEL32(?,00000000,00000000), ref: 00417710
GetAtomNameA.KERNEL32(00000000,00000000,00000000), ref: 00417719
SetFileApisToANSI.KERNEL32 ref: 0041771F
ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00417760
SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 00417768
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00417777
EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 00417780
GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 00417792
GetModuleHandleExW.KERNEL32(00000000,0041931C,?), ref: 004177AE
GlobalAlloc.KERNEL32(00000000,00000000), ref: 004177D9
AddAtomA.KERNEL32(00000000), ref: 004177E0
GetCommProperties.KERNELBASE(00000000,?), ref: 004177EE
GetTickCount.KERNEL32 ref: 004177F4
GetLastError.KERNEL32 ref: 004177FA
ZombifyActCtx.KERNEL32(00000000), ref: 0041780D
GetConsoleAliasesW.KERNEL32(?,00000000,00000000), ref: 0041781C
FoldStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00417838
LoadLibraryA.KERNELBASE(004193A0), ref: 004178E1

Strings

k`, xrefs: 004178F6
}$, xrefs: 00417903
tl_, xrefs: 004176B4

Memory Dump Source

Source File: 00000004.00000002.2415007861.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_svgbeht.jbxd

Similarity

API ID: Console$AtomFileModuleName$AliasesAllocApisBoundsCommCountDateEnumErrorExchangeFoldFormatsGlobalHandleInterlockedLastLibraryLoadMountOutputPointPropertiesReadRectStringTickVolumeWriteZombifylstrcatlstrcpyn
String ID: k`$tl_$}$
API String ID: 3342591227-211918992
Opcode ID: 0b436240d99ffb49eba0d716691840d996ebfc4b3f18bc31f3653c2c31673b30
Instruction ID: be13a3e2899ae1437650d09e993ac3f4cd5df6ea62933a217ab08d843738736c
Opcode Fuzzy Hash: 0b436240d99ffb49eba0d716691840d996ebfc4b3f18bc31f3653c2c31673b30
Instruction Fuzzy Hash: A171AB71845528AFD721AB65DC88CDF7B78FF09354B00846AF505E2160CF388A89CFAD

Function 027D003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 027D024D

Strings

cess, xrefs: 027D018D
kernel32.dll, xrefs: 027D008F, 027D0095

Memory Dump Source

Source File: 00000004.00000002.2417107422.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27d0000_svgbeht.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: c10c1d7b8c9f6142fd5232d8371c4fcc9ca25e7ce03bebfb497afce505a7fb83
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 0F526974A01229DFDB64CF68C985BACBBB1BF09314F1480D9E94DAB351DB30AA85CF14

Function 0281EA82 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0281EAAA
Module32First.KERNEL32(00000000,00000224), ref: 0281EACA

Memory Dump Source

Source File: 00000004.00000002.2417216706.000000000281B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0281B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_281b000_svgbeht.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 3dfb681054ccd819d1591cec6b5714e5c9ee52312f2feb088db93e9ff890295b
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 12F0963D6007116FE7303BF9A88CB6E76ECBF59665F140529EA4AD24C0DB70E8454A61

Function 027D0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,027D0223,?,?), ref: 027D0E19
SetErrorMode.KERNELBASE(00000000,?,?,027D0223,?,?), ref: 027D0E1E

Memory Dump Source

Source File: 00000004.00000002.2417107422.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27d0000_svgbeht.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: ea013b037d920d8621447af290953e2f7d6f93f52261fabf6efe13a740b8a391
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: D1D0123114512877D7003AA4DC09BCD7B1CDF05B66F008011FB0DD9080C770954046E5

Function 004173C2 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00000040,?), ref: 004173D8

Memory Dump Source

Source File: 00000004.00000002.2415007861.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_svgbeht.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
Instruction ID: 4c62818881ac23e86d27b7ad5f6e3bb285c85b39ac0806b91a2128f0277fdf34
Opcode Fuzzy Hash: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
Instruction Fuzzy Hash: 8CC08CB194020DFFDB018B91FC41E8D7BACF300248F808020B716A1060CAB1AD289F68

Function 00401918 Relevance: 1.3, APIs: 1, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000004.00000002.2414955439.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_svgbeht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F

Function 00401924 Relevance: 1.3, APIs: 1, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000004.00000002.2414955439.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_svgbeht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F

Function 0281E741 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0281E792

Memory Dump Source

Source File: 00000004.00000002.2417216706.000000000281B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0281B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_281b000_svgbeht.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 604f5ce080b346353084381c9365dca57cea954a9558329fd58aef98e10af702
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 03113C79A00208EFDB01DF98C985E98BBF5EF08750F058094FA489B3A1D371EA50DF81

Function 00401941 Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000004.00000002.2414955439.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_svgbeht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F

Function 00401954 Relevance: 1.3, APIs: 1, Instructions: 43sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000004.00000002.2414955439.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_svgbeht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
Instruction ID: f7568a5a22988f4b084f7ac8228f9b89e575eda69d31bfffabc36cd9cbe45c64
Opcode Fuzzy Hash: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
Instruction Fuzzy Hash: BDF0C2B6208144F7DB019AA18DB1FBA36299B44314F300233BA17B90F5C67C8612E76F

Function 0040194C Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000004.00000002.2414955439.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_svgbeht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
Instruction ID: 9d6088553fbd849a34ffa1589a5f9bffd683413c7e042594889390f4c4f3f426
Opcode Fuzzy Hash: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
Instruction Fuzzy Hash: 08F0C2B2208144F7DB019A958DA0FBA36299B44314F300633B617B91F5C57C8A02E72F

Function 004173A1 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,0041788F), ref: 004173AB

Memory Dump Source

Source File: 00000004.00000002.2415007861.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_svgbeht.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: cb277be0a3992133d9d926f909f17ca531406a750540cb22e4a7424897a2784b
Instruction ID: 43d98c38037be9b0da97174d463232e07300d4bae8a73e002124a5be647132f1
Opcode Fuzzy Hash: cb277be0a3992133d9d926f909f17ca531406a750540cb22e4a7424897a2784b
Instruction Fuzzy Hash: 3CB09270845205CAE2005F70D84470EBFE1FB4C202F828829E40496284DAB114089E60

Function 004173A3 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,0041788F), ref: 004173AB

Memory Dump Source

Source File: 00000004.00000002.2415007861.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_svgbeht.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6adb750e7ea17ba4dfc271b57f0e32d75a63e91da777faa17e994a4e47bbaa96
Instruction ID: d55db0c2126c828c826ef05274ed4aaa6eabc9571a3453db39e0ff1d3a989bdf
Opcode Fuzzy Hash: 6adb750e7ea17ba4dfc271b57f0e32d75a63e91da777faa17e994a4e47bbaa96
Instruction Fuzzy Hash: B6B01270C80204DFDB000FB0EC44B0C7FA1B30C302F40C415F50441158CFB004289F20

Non-executed Functions

Function 00417526 Relevance: 6.0, APIs: 4, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

CreateJobObjectW.KERNEL32(00000000,00000000), ref: 0041753D
OpenJobObjectA.KERNEL32(00000000,00000000,00000000), ref: 0041755A
BuildCommDCBW.KERNEL32(00000000,?), ref: 00417565
LoadLibraryA.KERNEL32(00000000), ref: 0041756C

Memory Dump Source

Source File: 00000004.00000002.2415007861.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_svgbeht.jbxd

Similarity

API ID: Object$BuildCommCreateLibraryLoadOpen
String ID:
API String ID: 2043902199-0
Opcode ID: 9f3ed112706eb8286ade0b86c195286d9610ac0970c0ce61b43f95d78f98277c
Instruction ID: 90512e1d2625494c81f44d3c8dd56ea1961f3cc6f9370a523a930c536b4937fe
Opcode Fuzzy Hash: 9f3ed112706eb8286ade0b86c195286d9610ac0970c0ce61b43f95d78f98277c
Instruction Fuzzy Hash: DDE0C931842528EFC7116B65EC488DF7FADFF0A359B41C025F50591115DB784A49CFE9

Function 004173E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(02705280), ref: 004174AC
GetProcAddress.KERNEL32(00000000,0041D350), ref: 004174E9

Strings

, xrefs: 00417432

Memory Dump Source

Source File: 00000004.00000002.2415007861.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_svgbeht.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID:
API String ID: 1646373207-3916222277
Opcode ID: c054b58ef60272508c52d8ce0959ba2e779dab446c0d3af84fe4e19f33e188f5
Instruction ID: 45946ed8e24b5ff65f6d6728d957c430149eac3a472d67054be7f2f938815656
Opcode Fuzzy Hash: c054b58ef60272508c52d8ce0959ba2e779dab446c0d3af84fe4e19f33e188f5
Instruction Fuzzy Hash: 0A31A0B5D883C4DCF30187A4B8497B23B61AB15B04F48882AD954CB2A5D7FA1458C72F

Function 0041757D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 004175C5
SleepEx.KERNEL32(00000000,00000000), ref: 004175CF

Strings

-, xrefs: 004175DB

Memory Dump Source

Source File: 00000004.00000002.2415007861.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_svgbeht.jbxd

Similarity

API ID: ComputerNameSleep
String ID: -
API String ID: 3354815184-2547889144
Opcode ID: c1331dce079a91ad5d80a21376cde5ad65eb13f020d06da4c1b01d90ac832ba8
Instruction ID: ebeafa1bb34f9a4184a15c16daf5d23565cbd7f10216a92778f2b2cd1c8db9a3
Opcode Fuzzy Hash: c1331dce079a91ad5d80a21376cde5ad65eb13f020d06da4c1b01d90ac832ba8
Instruction Fuzzy Hash: 7901D630804218E6C7609F64D881BDEBBF8FB08324F5181AAE58196085CF345ACC8FD9

Analysis Process: 7719.exePID: 2300, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	18.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.6%
Total number of Nodes:	1454
Total number of Limit Nodes:	33

Executed Functions

Function 004034CC Relevance: 94.9, APIs: 34, Strings: 20, Instructions: 417
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008001), ref: 004034EF
GetVersionExA.KERNEL32(?), ref: 00403518
GetVersionExA.KERNEL32(0000009C), ref: 0040352F
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
OleInitialize.OLE32(00000000), ref: 0040363C
SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
CharNextA.USER32(00000000,C:\Users\user\AppData\Local\Temp\7719.exe,00000020,C:\Users\user\AppData\Local\Temp\7719.exe,00000000,?,00000007,00000009,0000000B), ref: 004036A9
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
DeleteFileA.KERNEL32(1033,?,00000007,00000009,0000000B), ref: 00403808
ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
ExitProcess.KERNEL32 ref: 004038D4
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\7719.exe,00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\7719.exe,00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\7719.exe,00000000,?,?,00000007,00000009,0000000B), ref: 00403901
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp), ref: 0040390D
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\7719.exe,0041F910,00000001), ref: 0040399B
CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
ExitProcess.KERNEL32 ref: 00403A76

Strings

C:\Users\user\AppData\Roaming\GamePall, xrefs: 00403787, 00403886, 0040392F, 00403939
C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00403891
C:\Users\user\AppData\Local\Temp\7719.exe, xrefs: 00403675, 0040367B, 0040382A
\Temp, xrefs: 004037B9
UXTHEME, xrefs: 004035EC, 004035F1, 004035F7
C:\Users\user\AppData\Local\Temp\, xrefs: 00403797, 0040379C, 004037B2, 004037BE, 004037CD, 004037DA, 004037E6, 004037EE, 004038E4, 004038F5, 00403900, 0040390C, 00403919, 00403928, 004039DD
NSIS Error, xrefs: 00403660
.tmp, xrefs: 004038FB
TMP, xrefs: 004037EF
A, xrefs: 0040356A
Low, xrefs: 004037D5
SeShutdownPrivilege, xrefs: 00403A0B
1033, xrefs: 00403803
Error launching installer, xrefs: 0040386C
C:\Users\user\AppData\Local\Temp, xrefs: 00403906, 0040390B, 00403938
C:\Users\user\AppData\Local\Temp\7719.exe, xrefs: 00403996
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034E1
TEMP, xrefs: 004037E7
~nsu, xrefs: 004038DF
", xrefs: 004036CC

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "$.tmp$1033$A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\7719.exe$C:\Users\user\AppData\Local\Temp\7719.exe$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\update$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2882342585-1953766952
Opcode ID: d18186efe810cf451430c4e096b9aeccec46dfe8f60ebdd611bfa721823b35b5
Instruction ID: 1a4863036e4e50ed5e1acae1e6299f6db15da00d6e87979e5214c03ba8a99dba
Opcode Fuzzy Hash: d18186efe810cf451430c4e096b9aeccec46dfe8f60ebdd611bfa721823b35b5
Instruction Fuzzy Hash: 99E1D270A04354AADB21AF659D49B6F7EB89F86306F0540BFF441B61D2CB7C4A05CB2E

Function 100010D0 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(?), ref: 100010F2

Strings

CreateToolhelp32Snapshot, xrefs: 10001243
Process32Next, xrefs: 10001255
NtQuerySystemInformation, xrefs: 1000113B
NTDLL.DLL, xrefs: 10001127
Process32First, xrefs: 1000124B
KERNEL32.DLL, xrefs: 10001225

Memory Dump Source

Source File: 00000008.00000002.3877749639.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.3877679137.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3877782829.0000000010002000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3877915772.0000000010004000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_7719.jbxd

Similarity

API ID: Version
String ID: CreateToolhelp32Snapshot$KERNEL32.DLL$NTDLL.DLL$NtQuerySystemInformation$Process32First$Process32Next
API String ID: 1889659487-877962304
Opcode ID: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
Instruction ID: 3df706415bff85d1043f51983ae3f68c733976b3404a17f8fb4488dcc6387507
Opcode Fuzzy Hash: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
Instruction Fuzzy Hash: 19715871900659EFFB11DFA4CC88ADE3BEAEB483C4F250026FA19D2159E6358E49CB50

Function 00405B4A Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNEL32(?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\7719.exe), ref: 00405B73
lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\7719.exe), ref: 00405BBB
lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\7719.exe), ref: 00405BDC
lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\7719.exe), ref: 00405BE2
FindFirstFileA.KERNEL32(00421D58,?,?,?,0040A014,?,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\7719.exe), ref: 00405BF3
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
FindClose.KERNEL32(00000000), ref: 00405CB1

Strings

C:\Users\user\AppData\Local\Temp\7719.exe, xrefs: 00405B53
\*.*, xrefs: 00405BB5

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: C:\Users\user\AppData\Local\Temp\7719.exe$\*.*
API String ID: 2035342205-1058794287
Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69

Function 00406A88 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45

Function 004066FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(75923410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0), ref: 0040670A
FindClose.KERNEL32(00000000), ref: 00406716

Strings

C:\, xrefs: 004066FF

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC

Function 00403B6E Relevance: 49.2, APIs: 13, Strings: 15, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1

lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,?,C:\Users\user\AppData\Local\Temp\7719.exe,00000009,0000000B), ref: 00403BE9
lstrlenA.KERNEL32(C:\Windows\wininit.ini,?,?,?,C:\Windows\wininit.ini,00000000,C:\Users\user\AppData\Roaming\GamePall,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,75923410), ref: 00403C5E
lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
GetFileAttributesA.KERNEL32(C:\Windows\wininit.ini,?,C:\Users\user\AppData\Local\Temp\7719.exe,00000009,0000000B), ref: 00403C7C
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\GamePall), ref: 00403CC5

Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3

RegisterClassA.USER32(00423EE0), ref: 00403D02
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
ShowWindow.USER32(00000005,00000000,?,C:\Users\user\AppData\Local\Temp\7719.exe,00000009,0000000B), ref: 00403D85
GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
RegisterClassA.USER32(00423EE0), ref: 00403DC7
DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6

Strings

C:\Users\user\AppData\Roaming\GamePall, xrefs: 00403BF8, 00403C00, 00403C98, 00403C9E, 00403CAE
C:\Users\user\AppData\Local\Temp\7719.exe, xrefs: 00403B71
RichEdit, xrefs: 00403DB8
RichEd32, xrefs: 00403D99
RichEd20, xrefs: 00403D8B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403B73
.exe, xrefs: 00403C6B
PB, xrefs: 00403B9A
_Nb, xrefs: 00403CE1, 00403D49
1033, xrefs: 00403B8E, 00403BE4
.DEFAULT\Control Panel\International, xrefs: 00403BD4
Control Panel\Desktop\ResourceLocale, xrefs: 00403BA2
RichEdit20A, xrefs: 00403DA9, 00403DAF
C:\Windows\wininit.ini, xrefs: 00403C2C, 00403C34, 00403C41, 00403C8B, 00403C91
>B, xrefs: 00403CD4

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\7719.exe$C:\Users\user\AppData\Roaming\GamePall$C:\Windows\wininit.ini$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
API String ID: 1975747703-593637053
Opcode ID: dbde64bc3a376ab52a9cb3762a64ce6a0c2f330f4a95e62c6433b020d27b21d7
Instruction ID: 5836c5bb6a6ef8c4ff0aed12ec42ff3eebf2d58129c507535c8ab2622d1094a3
Opcode Fuzzy Hash: dbde64bc3a376ab52a9cb3762a64ce6a0c2f330f4a95e62c6433b020d27b21d7
Instruction Fuzzy Hash: 4F61D670204200AED620AF65AD45F3B3A7CEB8574AF41453FF951B62E2CB7D9D028B6D

Function 00402F5C Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F70
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\7719.exe,00000400), ref: 00402F8C

Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\7719.exe,80000000,00000003), ref: 00405F1F
Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\7719.exe,C:\Users\user\AppData\Local\Temp\7719.exe,80000000,00000003), ref: 00402FD5
GlobalAlloc.KERNEL32(00000040,00000009), ref: 00403117

Strings

C:\Users\user\AppData\Local\Temp\7719.exe, xrefs: 00402F65
Error launching installer, xrefs: 00402FAC
C:\Users\user\AppData\Local\Temp, xrefs: 00402FB7, 00402FBC, 00402FC2
Inst, xrefs: 00403041
C:\Users\user\AppData\Local\Temp\7719.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
Null, xrefs: 00403053
soft, xrefs: 0040304A
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004031AE

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\7719.exe$C:\Users\user\AppData\Local\Temp\7719.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-2896602306
Opcode ID: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
Instruction ID: 8a05da1d373fd2b3e089436e62a275652004ed3b6aa6cfe031be989f12afac8e
Opcode Fuzzy Hash: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
Instruction Fuzzy Hash: 0771E231A01218ABDB20EF65DD85B9E7BACEB44356F10813BF910BA2C1D77C9E458B5C

Function 00405FF1 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 129
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
GetShortPathNameA.KERNEL32(?,NUL,00000400), ref: 0040602B

Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2

GetShortPathNameA.KERNEL32(?,C:\Windows\wininit.ini,00000400), ref: 00406048
wsprintfA.USER32 ref: 00406066
GetFileSize.KERNEL32(00000000,00000000,C:\Windows\wininit.ini,C0000000,00000004,C:\Windows\wininit.ini,?,?,?,?,?), ref: 004060A1
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,NUL=C:\Users\user\AppData\Local\Temp\nsz7739.tmp\,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
GlobalFree.KERNEL32(00000000), ref: 0040614F
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156

Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\7719.exe,80000000,00000003), ref: 00405F1F
Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

Strings

%s=%s, xrefs: 0040605C
[Rename], xrefs: 004060D0, 004060E2
NUL=C:\Users\user\AppData\Local\Temp\nsz7739.tmp\, xrefs: 00406061, 0040612D
NUL, xrefs: 00406010, 00406029, 0040605B
C:\Windows\wininit.ini, xrefs: 0040603D, 00406043, 0040605A, 0040607C, 00406089

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$C:\Windows\wininit.ini$NUL$NUL=C:\Users\user\AppData\Local\Temp\nsz7739.tmp\$[Rename]
API String ID: 2171350718-2538911122
Opcode ID: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
Instruction ID: 7566a5a9e9d08134d14435fb5d3e1561ad96112206bac95af022f508aac3f812
Opcode Fuzzy Hash: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
Instruction Fuzzy Hash: 68310531200715BBC2207B659D49F6B3A5DDF85754F15003EFE42BA2C3EA7CD8228AAD

Function 0040641B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(C:\Windows\wininit.ini,00000400), ref: 00406549
GetWindowsDirectoryA.KERNEL32(C:\Windows\wininit.ini,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
SHGetPathFromIDListA.SHELL32(00000000,C:\Windows\wininit.ini), ref: 004065A6
CoTaskMemFree.OLE32(00000000), ref: 004065B2
lstrcatA.KERNEL32(C:\Windows\wininit.ini,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
lstrlenA.KERNEL32(C:\Windows\wininit.ini,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D0
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406518
C:\Windows\wininit.ini, xrefs: 00406445, 00406515, 00406516, 00406517, 00406533, 00406548, 0040655B, 00406577, 004065A2, 004065D5, 004065DB, 004065F3, 00406606, 00406621, 00406627, 0040662F, 00406659

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: C:\Windows\wininit.ini$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1428620962
Opcode ID: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
Instruction ID: f38e20b3a3e0c1a2470d5ac0c6d90f06be75126661b475aa23e0086d5b044b98
Opcode Fuzzy Hash: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
Instruction Fuzzy Hash: 9F612370900114AEDF205F24EC90BBA3BA4EB52314F52403FE913B62D1D37D8A62DB4E

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Strings

C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\nsz7739.tmp\INetC.dll, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsz7739.tmp\INetC.dll$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\GamePall\update
API String ID: 1941528284-695118877
Opcode ID: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
Instruction ID: 0d76be79c55a0237b493b10f9ec5be6125ba7ce9be49b25e4c886387d44134cc
Opcode Fuzzy Hash: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
Instruction Fuzzy Hash: E141B731900615BBCB107BB5CC45DAF3668EF45329B61833BF422F10E1D67C8A529AAE

Function 00406726 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
wsprintfA.USER32 ref: 00406776
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A

Strings

%s%s.dll, xrefs: 00406770
UXTHEME, xrefs: 0040672F
\, xrefs: 0040674E

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction ID: 0c3db372634d2cfba6f48721b0c795b31ebca02323a8b7d7371d162bf0ec7b9a
Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction Fuzzy Hash: FBF0FC7050021966DB15A764DD0DFEA365CAB08309F1404BEA586E20C1D6B8D5258B69

Function 004068D9 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 004068E3

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID:
String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
API String ID: 0-292220189
Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
Opcode Fuzzy Hash: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45

Function 00403305 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403319

Part of subcall function 00403484: SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
SetFilePointer.KERNEL32(?,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447

Strings

o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00403379, 0040337F

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
API String ID: 1092082344-292220189
Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
Opcode Fuzzy Hash: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD

Function 00405F4A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F5E
GetTempFileNameA.KERNEL32(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78

Strings

nsa, xrefs: 00405F55
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F4D

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798

Function 004020A5 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020D0

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020E0
GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E

Function 00403A7C Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81
C:\Users\user\AppData\Local\Temp\nsz7739.tmp\, xrefs: 00403AB2

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsz7739.tmp\
API String ID: 2962429428-2293531913
Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
Opcode Fuzzy Hash: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9

Function 004031FD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222

Strings

o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00403277, 0040328E, 004032A4

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: FilePointer
String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
API String ID: 973152223-292220189
Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\7719.exe), ref: 00405DC1
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA

GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040596F: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2

SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00401631

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\GamePall\update
API String ID: 1892508949-2725132131
Opcode ID: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
Opcode Fuzzy Hash: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E

Function 00405E08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395

Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\7719.exe), ref: 00405DC1
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\7719.exe), ref: 00405E5B
GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0), ref: 00405E6B

Strings

C:\, xrefs: 00405E0E, 00405E13, 00405E19, 00405E54, 00405E5A, 00405E62, 00405E6A

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
Instruction ID: eca821d8ca18e415d707ee210574ba5bb9731226a542ad11e9256983d04766a4
Opcode Fuzzy Hash: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
Instruction Fuzzy Hash: F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE

Function 00406EBD Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
Instruction ID: 14484b0326c8a5630d33184448731c7578348ec986130544f859662fecd3ad08
Opcode Fuzzy Hash: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
Instruction Fuzzy Hash: 04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45

Function 004070BE Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
Instruction ID: 16a3963220edad981734dfbd86db7ae4535d0e52bcc7a87e0ef86c627c8cfaa4
Opcode Fuzzy Hash: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
Instruction Fuzzy Hash: 2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45

Function 00406DD4 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
Instruction ID: e981be8a744509f315cfd76b32476d9c10b76e0a4aa84739a8d113cb33934a41
Opcode Fuzzy Hash: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
Instruction Fuzzy Hash: 37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45

Function 00406D27 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
Instruction ID: 516ab04208dd2bc2fd7cdea6c41d3130492ff38fa800e35acf718bd73fbf6333
Opcode Fuzzy Hash: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
Instruction Fuzzy Hash: A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45

Function 00406E45 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
Instruction ID: 835baf8de871759411e2c74e4a47f0112f02d54065241c3c7dcda5dc236b3f46
Opcode Fuzzy Hash: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
Instruction Fuzzy Hash: 92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
Instruction ID: ccec74d0ee3a806077926e8984c2e201e8b1f3d886c73ab216be699138b2bca7
Opcode Fuzzy Hash: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
Instruction Fuzzy Hash: 39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45

Function 00401B87 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BF6
GlobalAlloc.KERNEL32(00000040,00000404), ref: 00401C08

Strings

C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00401BAE, 00401BB4, 00401BCE

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Global$AllocFree
String ID: C:\Users\user\AppData\Local\Temp\setup.exe
API String ID: 3394109436-4037476823
Opcode ID: 1742c790c76e1204b36b83cb8595e4f796a64baec2cc559805630d203923ff3a
Instruction ID: d16732292a7d53aa36264d1983316191a85a40c43d81ca2894a5c6bdb3dae948
Opcode Fuzzy Hash: 1742c790c76e1204b36b83cb8595e4f796a64baec2cc559805630d203923ff3a
Instruction Fuzzy Hash: 6921A872600208ABC720EB65CEC495E73E8EB89314765493BF502F72E1DB7CA8518B9D

Function 0040247E Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
RegSetValueExA.KERNEL32(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
Instruction ID: e1e6ae2a7b536448810537a1ffa9a52b32d6c636ce9630cd27147c6707bb0a71
Opcode Fuzzy Hash: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
Instruction Fuzzy Hash: 04116371E04208AFEB10AFA5DE49AAEBA74EB84714F21443BF504F71C1DAB94D409B68

Function 00402590 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 705f8b49631554dcec7b4eb98624595070a3904998d9344154508b49de78e75c
Instruction ID: 33ff3e85e785963e302667c06a3cb1355a7acd8bf142a31c2560ef5bcfc7d759
Opcode Fuzzy Hash: 705f8b49631554dcec7b4eb98624595070a3904998d9344154508b49de78e75c
Instruction Fuzzy Hash: 2C017571904104FFE7158F54DE88ABF7BACEF81358F20443EF101A61C0DAB44E449679

Function 00405B02 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EF6: GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
Part of subcall function 00405EF6: SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F

RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B1D
DeleteFileA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B25
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction ID: eeb49a2f717892c2e0964ab94aaac89db2a73fdd151ed94c70539e0cf44bba43
Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction Fuzzy Hash: 6CE0E531109A9097C62067349908A5B7AF8EF86314F094D3AF9A1F20D0DB38B9468EBD

Function 00406809 Relevance: 4.5, APIs: 3, Instructions: 27synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 0040682F
GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: d1ff3f73a38d8d565191ded27fad29c52e1940f561348969c9200a5cb4687b78
Instruction ID: abee92fc01d0549169be82d64ea8a54f8020188e09ec540bf7ef67874f21f581
Opcode Fuzzy Hash: d1ff3f73a38d8d565191ded27fad29c52e1940f561348969c9200a5cb4687b78
Instruction Fuzzy Hash: 9DE0D832600118FBDB00AB54DD05E9E7F6EEB44704F114033F601B6190C7B59E21DB98

Function 00405F93 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,0040B8F8,00403481,00000009,00000009,00403385,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F), ref: 00405FA7

Strings

o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00405F96

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: FileRead
String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
API String ID: 2738559852-292220189
Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8

Function 0040251E Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,00000000,?,?,?,?), ref: 0040254E
RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: acecc3e732b5dbd74a9740bd21ea2b495ff764a52a6e8e2361329d984987feff
Instruction ID: 7c766f3f1fb2abd04e903467a79d83897fdaad9d0bba0580308fe752c8381985
Opcode Fuzzy Hash: acecc3e732b5dbd74a9740bd21ea2b495ff764a52a6e8e2361329d984987feff
Instruction Fuzzy Hash: 1B11BF71905205EFDB25CF64DA985AE7BB4AF11355F20483FE042B72C0D6B88A85DA1D

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D

Function 00405A21 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
CloseHandle.KERNEL32(?), ref: 00405A57

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78

Function 00406794 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
GetProcAddress.KERNEL32(00000000,?), ref: 004067C1

Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
Part of subcall function 00406726: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
Opcode Fuzzy Hash: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D

Function 00405F1B Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\7719.exe,80000000,00000003), ref: 00405F1F
CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19

Function 00405EF6 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 2a9487917742c73a52daa6fa2dda6e447083e2efb983b62a69771bacbdb33add
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: E3D0C972504422ABD2102728AE0889BBB55DB94271702CA35FDA5A26F1DB304C569A9C

Function 004059EC Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction ID: 42ce2bd36b25b14d2ed8d631edf33fc643f4c4eb5ed9af5e51ab4a49ffb09bba
Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction Fuzzy Hash: 9BC04C303145419AD6505B309F4DB177A54AB50741F51553A638AE01A0DA348465DD2D

Function 10001426 Relevance: 2.5, APIs: 2, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,10003024,?,10003020,1000138F,10003020,00000400), ref: 10001454
GlobalFree.KERNELBASE(10003020), ref: 10001464

Memory Dump Source

Source File: 00000008.00000002.3877749639.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.3877679137.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3877782829.0000000010002000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3877915772.0000000010004000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_7719.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID:
API String ID: 1459762280-0
Opcode ID: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
Instruction ID: 61cff6a9ed434c6726c3e265b98623322506fe6e864b2b4fb358a1092e6d6a6c
Opcode Fuzzy Hash: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
Instruction Fuzzy Hash: 8DF0F8312152209FE315DF24CC94B9777E9FB0A385F018429E691C7278D770E804CB22

Function 0040623C Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: 57b18be241489d6c3509c0f1b2cb500900bdd64e2c84313365475615acd8ae2e
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: 16E0E672010109BEDF196F50DD0AD7B371DEB04341F01492EF916D4091E6B5A9309734

Function 00405FC2 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,004114F7,0040B8F8,00403405,0040B8F8,004114F7,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F,00000004), ref: 00405FD6

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d5187e51ab0d96a1766449b5dbb93cac2cdd9e80b7d20ab2fc0b5d8c8d5322e8
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 4AE0EC3221065BABDF109E659C04EEB7B6CEB05360F004437FA55E3150D675E8219BA4

Function 0040620E Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(00000000,?,00000000,?,?,00420530,?,?,0040629C,00420530,?,?,?,00000002,C:\Windows\wininit.ini), ref: 00406232

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: e678259d492eddc69303d735af6c58fa5eb03465f078c5ba6a1a088e01eebb4c
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 64D0123244020DBBDF116F90ED01FAB3B1DEB18350F014826FE06A80A1D775D530A725

Function 00406161 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040616B

Part of subcall function 00405FF1: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
Part of subcall function 00405FF1: GetShortPathNameA.KERNEL32(?,NUL,00000400), ref: 0040602B
Part of subcall function 00405FF1: GetShortPathNameA.KERNEL32(?,C:\Windows\wininit.ini,00000400), ref: 00406048
Part of subcall function 00405FF1: wsprintfA.USER32 ref: 00406066
Part of subcall function 00405FF1: GetFileSize.KERNEL32(00000000,00000000,C:\Windows\wininit.ini,C0000000,00000004,C:\Windows\wininit.ini,?,?,?,?,?), ref: 004060A1
Part of subcall function 00405FF1: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
Part of subcall function 00405FF1: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
Part of subcall function 00405FF1: SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,NUL=C:\Users\user\AppData\Local\Temp\nsz7739.tmp\,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
Part of subcall function 00405FF1: GlobalFree.KERNEL32(00000000), ref: 0040614F

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: File$GlobalNamePathShort$AllocCloseFreeHandleMovePointerSizelstrcpywsprintf
String ID:
API String ID: 299535525-0
Opcode ID: e5ed7b2843c229ea28ef8c1ce415cb2f1f2a9dfc0e88d0e1822b60b3228602b1
Instruction ID: 0556bd0dd0e376f9d1944fcc72f0db357db156cd0d89a75f2f72d3c973fa690a
Opcode Fuzzy Hash: e5ed7b2843c229ea28ef8c1ce415cb2f1f2a9dfc0e88d0e1822b60b3228602b1
Instruction Fuzzy Hash: F0D0C731108602FFDB111B10ED0591B7BA5FF90355F11943EF599940B1DB368461DF09

Function 00403484 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Function 00401F7B Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Part of subcall function 00405A21: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C

Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 5a6c6c0fb7ef29f4985f4766a88127bea2ca1a19b834f4a1a12170b8a3b172af
Instruction ID: dce1314ccbc215d7d9c334b017be086f7c4cc40ba0f87dfe0d8145fd67a5eb82
Opcode Fuzzy Hash: 5a6c6c0fb7ef29f4985f4766a88127bea2ca1a19b834f4a1a12170b8a3b172af
Instruction Fuzzy Hash: 2DF0B432A05121DBDB20BFA59EC49EEB2A4DF41318B25463FF502B21D1CB7C4D418A6E

Non-executed Functions

Function 004055E7 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405646
GetDlgItem.USER32(?,000003EE), ref: 00405655
GetClientRect.USER32(?,?), ref: 00405692
GetSystemMetrics.USER32(00000002), ref: 00405699
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056BA
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056CB
SendMessageA.USER32(?,00001001,00000000,?), ref: 004056DE
SendMessageA.USER32(?,00001026,00000000,?), ref: 004056EC
SendMessageA.USER32(?,00001024,00000000,?), ref: 004056FF
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405721
ShowWindow.USER32(?,00000008), ref: 00405735
GetDlgItem.USER32(?,000003EC), ref: 00405756
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405766
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040577F
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040578B
GetDlgItem.USER32(?,000003F8), ref: 00405664

Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448

GetDlgItem.USER32(?,000003EC), ref: 004057A7
CreateThread.KERNEL32(00000000,00000000,Function_0000557B,00000000), ref: 004057B5
CloseHandle.KERNEL32(00000000), ref: 004057BC
ShowWindow.USER32(00000000), ref: 004057DF
ShowWindow.USER32(?,00000008), ref: 004057E6
ShowWindow.USER32(00000008), ref: 0040582C
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
CreatePopupMenu.USER32 ref: 00405871
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
GetWindowRect.USER32(?,000000FF), ref: 004058A6
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
OpenClipboard.USER32(00000000), ref: 0040590B
EmptyClipboard.USER32 ref: 00405911
GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
GlobalLock.KERNEL32(00000000), ref: 00405924
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
GlobalUnlock.KERNEL32(00000000), ref: 00405951
SetClipboardData.USER32(00000001,00000000), ref: 0040595C
CloseClipboard.USER32 ref: 00405962

Strings

PB, xrefs: 004058D7

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: PB
API String ID: 590372296-3196168531
Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58

Function 00404897 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004048E6
SetWindowTextA.USER32(00000000,?), ref: 00404910
SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
CoTaskMemFree.OLE32(00000000), ref: 004049CC
lstrcmpiA.KERNEL32(C:\Windows\wininit.ini,00420D50), ref: 004049FE
lstrcatA.KERNEL32(?,C:\Windows\wininit.ini), ref: 00404A0A
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C

Part of subcall function 00405A82: GetDlgItemTextA.USER32(?,?,00000400,00404A53), ref: 00405A95

Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\7719.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\7719.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
Part of subcall function 00406666: CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\7719.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\7719.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0

GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5

Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07

Strings

C:\Users\user\AppData\Roaming\GamePall, xrefs: 004049E7
PB, xrefs: 00404994
C:\Windows\wininit.ini, xrefs: 004049F8, 004049FD, 00404A08
A, xrefs: 004049BA

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\GamePall$C:\Windows\wininit.ini$PB
API String ID: 2624150263-292181263
Opcode ID: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
Instruction ID: 03633cdec68ae3b48ba4c7d33c4768738bfb21d85bfcf2e4b9185cba9ee35c0f
Opcode Fuzzy Hash: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
Instruction Fuzzy Hash: 7DA150B1A00208AADB11EFA5DD45BAFB6B8EF84315F10803BF601B62D1D77C99418F6D

Function 00402173 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA

Strings

C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00402238

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\GamePall\update
API String ID: 123533781-2725132131
Opcode ID: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
Instruction ID: 4a55140eb955682c0845ac661669d1effe53c60cfc8a987c49de3bb9103baba8
Opcode Fuzzy Hash: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
Instruction Fuzzy Hash: B2513575A00208AFDF10DFE4CA88A9D7BB5EF48314F2045BAF505EB2D1DA799981CB54

Function 004027AA Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B9

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3697544f2be0618a58616ff40495ed399055e36512a5e022deae8fba2564a7e1
Instruction ID: 9767438fe71d1176ff9aac627a01f72906af616df08219c0cc944b63bddc0547
Opcode Fuzzy Hash: 3697544f2be0618a58616ff40495ed399055e36512a5e022deae8fba2564a7e1
Instruction Fuzzy Hash: CCF0A0726082049AD710EBA49A49AEEB7689F51324F60057BF142F20C1D6B889459B2A

Function 00404E0A Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404E21
GetDlgItem.USER32(?,00000408), ref: 00404E2E
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E7D
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E94
SetWindowLongA.USER32(?,000000FC,0040541D), ref: 00404EAE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EC0
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404ED4
SendMessageA.USER32(?,00001109,00000002), ref: 00404EEA
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404EF6
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F06
DeleteObject.GDI32(00000110), ref: 00404F0B
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F36
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F42
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404FDC
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 0040500C

Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448

SendMessageA.USER32(?,00001100,00000000,?), ref: 00405020
GetWindowLongA.USER32(?,000000F0), ref: 0040504E
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040505C
ShowWindow.USER32(?,00000005), ref: 0040506C
SendMessageA.USER32(?,00000419,00000000,?), ref: 00405167
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051CC
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004051E1
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405205
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405225
ImageList_Destroy.COMCTL32(?), ref: 0040523A
GlobalFree.KERNEL32(?), ref: 0040524A
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052C3
SendMessageA.USER32(?,00001102,?,?), ref: 0040536C
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040537B
InvalidateRect.USER32(?,00000000,00000001), ref: 004053A6
ShowWindow.USER32(?,00000000), ref: 004053F4
GetDlgItem.USER32(?,000003FE), ref: 004053FF
ShowWindow.USER32(00000000), ref: 00405406

Strings

M, xrefs: 00404FC4
, xrefs: 004053DE
N, xrefs: 004050A5

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
Instruction ID: c306c4130ea67d8582adb4b0d0e706bf782d7aff15223233fd0d43401108afdf
Opcode Fuzzy Hash: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
Instruction Fuzzy Hash: 6C025CB0A00609AFDB209F94DD45AAE7BB5FB84354F10817AF610BA2E1D7789D42CF58

Function 00403F0B Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
ShowWindow.USER32(?), ref: 00403F67
GetWindowLongA.USER32(?,000000F0), ref: 00403F79
ShowWindow.USER32(?,00000004), ref: 00403F92
DestroyWindow.USER32 ref: 00403FA6
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FBF
GetDlgItem.USER32(?,?), ref: 00403FDE
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403FF2
IsWindowEnabled.USER32(00000000), ref: 00403FF9
GetDlgItem.USER32(?,00000001), ref: 004040A4
GetDlgItem.USER32(?,00000002), ref: 004040AE
SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404119
GetDlgItem.USER32(?,00000003), ref: 004041BF
ShowWindow.USER32(00000000,?), ref: 004041E0
EnableWindow.USER32(?,?), ref: 004041F2
EnableWindow.USER32(?,?), ref: 0040420D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
EnableMenuItem.USER32(00000000), ref: 0040422A
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404242
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404255
lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
SetWindowTextA.USER32(?,00420D50), ref: 0040428E
ShowWindow.USER32(?,0000000A), ref: 004043C2

Strings

PB, xrefs: 0040426F

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID: PB
API String ID: 1860320154-3196168531
Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D

Function 00404570 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004045FB
GetDlgItem.USER32(00000000,000003E8), ref: 0040460F
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040462D
GetSysColor.USER32(?), ref: 0040463E
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040464D
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040465C
lstrlenA.KERNEL32(?), ref: 0040465F
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040466E
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404683
GetDlgItem.USER32(?,0000040A), ref: 004046E5
SendMessageA.USER32(00000000), ref: 004046E8
GetDlgItem.USER32(?,000003E8), ref: 00404713
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404753
LoadCursorA.USER32(00000000,00007F02), ref: 00404762
SetCursor.USER32(00000000), ref: 0040476B
LoadCursorA.USER32(00000000,00007F00), ref: 00404781
SetCursor.USER32(00000000), ref: 00404784
SendMessageA.USER32(00000111,00000001,00000000), ref: 004047B0
SendMessageA.USER32(00000010,00000000,00000000), ref: 004047C4

Strings

6B, xrefs: 0040476F
N, xrefs: 00404701

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$6B
API String ID: 3103080414-649610290
Opcode ID: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
Instruction ID: 424ea1d81b5f8fd67bb79b8421ee67f108f717641e3cc5fc4ea293435da972af
Opcode Fuzzy Hash: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
Instruction Fuzzy Hash: CE6190B1A40208BFDB109F61DD45B6A7B69FB84715F10843AFB01BB2D1C7B8A951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
Instruction ID: bc851ab26da2bb863bf3a2ee07eb2f950de800ada4cbee7b2d64f78586a04119
Opcode Fuzzy Hash: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
Instruction Fuzzy Hash: 2C419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C734DA55DFA4

Function 004054A9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
SetWindowTextA.USER32(00420530,00420530), ref: 00405517
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Strings

4/@, xrefs: 004054EF, 00405501

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: 4/@
API String ID: 2531174081-3101945251
Opcode ID: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
Instruction ID: 7ab3267fb946cf8e7efc5916356ec1270af3577e2396c2c3629ce5ef3fcb69de
Opcode Fuzzy Hash: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
Instruction Fuzzy Hash: 0F217A71E00118BBCF119FA5DD8099EBFB9EF09354F04807AF944A6291C7788A90CFA8

Function 00406666 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\7719.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\7719.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\7719.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\7719.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0

Strings

C:\Users\user\AppData\Local\Temp\7719.exe, xrefs: 00406666
C:\Users\user\AppData\Local\Temp\, xrefs: 00406667
*?|<>/":, xrefs: 004066AE

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\7719.exe
API String ID: 589700163-664637016
Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction ID: 80d428334b402c3338f843ea799862c1973996ffb1638880579f4ae0c72fc655
Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction Fuzzy Hash: 7E1108518047902DEB3206340C04B7B7F894F977A0F2A087FD8C6722C2D67E5C62967D

Function 00402EBD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402ED5
GetTickCount.KERNEL32 ref: 00402EF3
wsprintfA.USER32 ref: 00402F21

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
ShowWindow.USER32(00000000,00000005), ref: 00402F53

Part of subcall function 00402EA1: MulDiv.KERNEL32(?,00000064,?), ref: 00402EB6

Strings

#Vh%.@, xrefs: 00402F34
... %d%%, xrefs: 00402F1B

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%$#Vh%.@
API String ID: 722711167-1706192003
Opcode ID: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
Instruction ID: ac0ca11ee9366edb0cc6a28cc5aeb329eacd7d00ab00b3c3670f6d564c8935e4
Opcode Fuzzy Hash: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
Instruction Fuzzy Hash: 3F01A170542225EBCB21BB50EF0CBAB3778EB40744B04443BF505B21D0C7F894469AEE

Function 0040446C Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404489
GetSysColor.USER32(00000000), ref: 004044C7
SetTextColor.GDI32(?,00000000), ref: 004044D3
SetBkMode.GDI32(?,?), ref: 004044DF
GetSysColor.USER32(?), ref: 004044F2
SetBkColor.GDI32(?,?), ref: 00404502
DeleteObject.GDI32(?), ref: 0040451C
CreateBrushIndirect.GDI32(?), ref: 00404526

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction ID: 76b6fc4927f6120469f5ffa52701fcd3ddd76896e52d32ad6f55637f73cee333
Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction Fuzzy Hash: 9E2147B1501704AFCB31DF68ED08B5BBBF8AF41715B04892EEA96A26E0D734E904CB54

Function 00404D58 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D73
GetMessagePos.USER32 ref: 00404D7B
ScreenToClient.USER32(?,?), ref: 00404D95
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DA7
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DCD

Strings

f, xrefs: 00404DA9

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: de178be9688f757f82ef56a4cbeb6693d0582b60b2ea90e1a00f6814b48fd044
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: BB014871900219BADB01DBA4DD85BFEBBF8AF95B11F10016ABA40B61C0C6B499058BA4

Function 0040596F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
GetLastError.KERNEL32 ref: 004059C6
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
GetLastError.KERNEL32 ref: 004059E5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405995
!9@, xrefs: 00405984

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: !9@$C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3700438604
Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction ID: 4cd508ff09270142ca7a6984d66ae253fefa4e1f6983b248f3af4f59f5a14231
Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction Fuzzy Hash: 610108B1D00259DAEF109BA0CA45BEFBBB8EB04354F00403AD645B6290D7789648CF99

Function 00402E25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
wsprintfA.USER32 ref: 00402E74
SetWindowTextA.USER32(?,?), ref: 00402E84
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96

Strings

verifying installer: %d%%, xrefs: 00402E69, 00402E72
unpacking data: %d%%, xrefs: 00402E62

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
Instruction ID: 7ad4584a5e884be7344c254f70e0401137e7e46ce86c3cf658bb2ab9d23be74a
Opcode Fuzzy Hash: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
Instruction Fuzzy Hash: 1DF01D7054020DBAEF219F60DE0ABAE3769EB44344F00803AFA16B91D0DBB899558F99

Function 004027E8 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
GlobalFree.KERNEL32(?), ref: 004028A4
GlobalFree.KERNEL32(00000000), ref: 004028B7
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
Instruction ID: cd924008ac91bdcd896aacfcc8aadc4f9c7de1b4393fc14a433ce499bdbf1d56
Opcode Fuzzy Hash: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
Instruction Fuzzy Hash: D931AC32800128ABDF216FA5DE49D9E7A75FF08364F24423AF450B62D0CB7949419F68

Function 1000103F Relevance: 9.1, APIs: 6, Instructions: 55synchronizationCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00100401,00000000,?,0000025E,?,00000000,?), ref: 10001054
EnumWindows.USER32(10001007,?), ref: 10001074
GetExitCodeProcess.KERNEL32(00000000,?), ref: 10001084
WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 1000109D
TerminateProcess.KERNEL32(00000000,00000000), ref: 100010AE
CloseHandle.KERNEL32(00000000), ref: 100010C5

Memory Dump Source

Source File: 00000008.00000002.3877749639.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.3877679137.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3877782829.0000000010002000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3877915772.0000000010004000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_7719.jbxd

Similarity

API ID: Process$CloseCodeEnumExitHandleObjectOpenSingleTerminateWaitWindows
String ID:
API String ID: 3465249596-0
Opcode ID: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
Instruction ID: 6b4dcd5717a232181223c093e4f4244ae1ce1555a3c8e15b92772d9ea2fb9ae7
Opcode Fuzzy Hash: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
Instruction Fuzzy Hash: 5211E235A00299EFFB00DFA5CCC8AEE77BCEB456C5F014069FA4192149D7B49981CB62

Function 00404C4E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
wsprintfA.USER32 ref: 00404CF4
SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07

Strings

PB, xrefs: 00404CDE
%u.%u%s%s, xrefs: 00404CD6

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$PB
API String ID: 3540041739-838025833
Opcode ID: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
Instruction ID: 635705270cf82d3fa6c033b13715314544988666452c3f341a93ad76d23c3d90
Opcode Fuzzy Hash: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
Instruction Fuzzy Hash: 5F11E77360512837EB00656D9D45EAE3298DB85374F26423BFE26F71D1E978CC1286E8

Function 00402D3B Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 6a17d2dfc8014f9998472e4bb2df9c50261cd009cc462a72ab7525fe56808e65
Instruction ID: 1f7d8097ab2fb743d310579a2b4365e3e31c1a4ec17ce584dda370d325fd3950
Opcode Fuzzy Hash: 6a17d2dfc8014f9998472e4bb2df9c50261cd009cc462a72ab7525fe56808e65
Instruction Fuzzy Hash: 1D214B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AF955B11A0D7B49EA49AA8

Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D7E
GetClientRect.USER32(?,?), ref: 00401DCC
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
Instruction ID: cb7cd4706ec086029cb46641885d9617bace417a5341e65c45b3777010ef1041
Opcode Fuzzy Hash: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
Instruction Fuzzy Hash: 35212A72E00109AFDF15DFA4DD85AAEBBB5EB88300F24417EF911F62A0DB389941DB14

Function 00401E35 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32(?,00000000), ref: 00401E6B
CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
Instruction ID: bfe7ce59390996d5b2ac71ca67757b7c78ff13e1b53bdd881068f9c0e557254e
Opcode Fuzzy Hash: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
Instruction Fuzzy Hash: 66018072504340AEE7007BB0AF8AA9A7FE8E755701F109439F241B61E2CB790449CB6C

Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
Instruction ID: a12cfbdd51ff26f17676da16b1bc06906883597644a76ef85f46b7bf1251d8d3
Opcode Fuzzy Hash: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
Instruction Fuzzy Hash: 2A218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18

Function 00405D1A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction ID: 6a6775ee8fa4d5d8d60a890cb1840bbff54d6a4bc9e312217f61a2b57c53a4e0
Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction Fuzzy Hash: 82D0A7625015307AD20167154C09DDF29488F523017094027F501B7191C67C5C1187FD

Function 00405DB3 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\7719.exe), ref: 00405DC1
CharNextA.USER32(00000000), ref: 00405DC6
CharNextA.USER32(00000000), ref: 00405DDA

Strings

C:\, xrefs: 00405DB4

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction ID: a81d310af092f64b8c374c4571b8fed5a60269d48026fa3bbeeaae68e06855d2
Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction Fuzzy Hash: 71F09661904F542BFB3293648C4CB776B8DCF55351F28947BE6807A6C1C27C59808FEA

Function 0040541D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040544C
CallWindowProcA.USER32(?,?,?,?), ref: 0040549D

Part of subcall function 00404451: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404463

Strings

, xrefs: 0040542D

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
Instruction ID: ce4d6245f7a5538c18ae28323cba1b5bdda0ccdff68052f186ad3da5f1ae13b7
Opcode Fuzzy Hash: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
Instruction Fuzzy Hash: 2A015E31200608AFDF216F51DD80BAF3A66EB84716F104537FA05761D2C7799CD29F6A

Function 0040626F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Windows\wininit.ini,00420530,?,?,?,00000002,C:\Windows\wininit.ini,?,00406527,80000002), ref: 004062B5
RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Windows\wininit.ini,C:\Windows\wininit.ini,C:\Windows\wininit.ini,?,00420530), ref: 004062C0

Strings

C:\Windows\wininit.ini, xrefs: 00406272, 004062A6

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CloseQueryValue
String ID: C:\Windows\wininit.ini
API String ID: 3356406503-2725141966
Opcode ID: b5b3bad3c76d40b2ede80ce474e794f1db4bf40d8bfbb80b5b2804fbfeedd4a0
Instruction ID: 5c8aa4f59809ec7c4ed175be077f356401e74c3ba082423fbe1b6bbc42bea5f4
Opcode Fuzzy Hash: b5b3bad3c76d40b2ede80ce474e794f1db4bf40d8bfbb80b5b2804fbfeedd4a0
Instruction Fuzzy Hash: 8101BC72100209ABDF229F60CC09FDB3FA8EF45364F01407AFD56A6190D638C974CBA8

Function 00405D61 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\7719.exe,C:\Users\user\AppData\Local\Temp\7719.exe,80000000,00000003), ref: 00405D67
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\7719.exe,C:\Users\user\AppData\Local\Temp\7719.exe,80000000,00000003), ref: 00405D75

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00405D61

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 2709904686-1943935188
Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction ID: 27c40c0738421aba4af956c8f0f705930dfe744a77a65273bf6dbb66402e0641
Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction Fuzzy Hash: CBD0A772409D706EE31353208C04B8F6A48CF13300F0D4063E481A6190C2785C424BFD

Function 00405E80 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2

Memory Dump Source

Source File: 00000008.00000002.3873719572.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3873687727.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3873965077.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.3874291497.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_7719.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction ID: 98ea32bb50e75ca8be10b873c57fc005eda9f523d07111d413316ed06cfa332a
Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction Fuzzy Hash: 5FF06235104918AFCB129BA5DD4099EBFA8EF55350B2540B9E880F7211D674DF019BA9

Analysis Process: 96C7.exePID: 5952, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	22.1%
Signature Coverage:	3.3%
Total number of Nodes:	1528
Total number of Limit Nodes:	91

Executed Functions

Function 00E45B80 Relevance: 36.0, APIs: 15, Strings: 1, Instructions: 7953COMMON

Download Yara Rule

Strings

d, xrefs: 00E45BA9

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 33e7af985cc09b953c110c12896718ea96277316e7f1e9ac1f22ee857cffc1a7
Instruction ID: d8122aa7792693f19afd4e0cc5fdb6301b6686c5ab4062eee76239f10c10dbc4
Opcode Fuzzy Hash: 33e7af985cc09b953c110c12896718ea96277316e7f1e9ac1f22ee857cffc1a7
Instruction Fuzzy Hash: 9C143371C04A2C8ACB66DF24EC916EEB775FF46345F1092C9E50A7A241EB319AD1CF81

Function 036E4BA2 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 208
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 036E46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,036E4812), ref: 036E46E6
Part of subcall function 036E46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,036E4812), ref: 036E46F3

KiUserCallbackDispatcher.NTDLL(0000004C), ref: 036E4C13
GetSystemMetrics.USER32(0000004D), ref: 036E4C1A
GetDC.USER32(00000000), ref: 036E4C55
GetCurrentObject.GDI32(00000000,00000007), ref: 036E4C68
GetObjectW.GDI32(00000000,00000018,?), ref: 036E4C81
DeleteObject.GDI32(00000000), ref: 036E4CB3
CreateCompatibleDC.GDI32(00000000), ref: 036E4D14
CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 036E4D35
SelectObject.GDI32(00000000,00000000), ref: 036E4D47
BitBlt.GDI32(00000000,00000000,00000000,?,036E2468,00000000,?,?,00CC0020), ref: 036E4D6C

Part of subcall function 036E3508: EnterCriticalSection.KERNEL32(036E84D4,?,?,036E3BE5,?,036E2251), ref: 036E3512
Part of subcall function 036E3508: GetProcessHeap.KERNEL32(00000008,?,?,?,036E3BE5,?,036E2251), ref: 036E351B
Part of subcall function 036E3508: RtlAllocateHeap.NTDLL(00000000,?,?,?,036E3BE5,?,036E2251), ref: 036E3522
Part of subcall function 036E3508: LeaveCriticalSection.KERNEL32(036E84D4,?,?,?,036E3BE5,?,036E2251), ref: 036E352B

Part of subcall function 036E3D76: EnterCriticalSection.KERNEL32(036E84D4,?,0000011C), ref: 036E3D88

Part of subcall function 036E3536: GetProcessHeap.KERNEL32(00000000,00000000,036E264F), ref: 036E353D
Part of subcall function 036E3536: RtlFreeHeap.NTDLL(00000000), ref: 036E3544

DeleteObject.GDI32(00000000), ref: 036E4E0A
DeleteDC.GDI32(00000000), ref: 036E4E11
ReleaseDC.USER32(00000000,00000000), ref: 036E4E1A

Strings

2, xrefs: 036E4BCA
- ScreenSize: {lWidth=%d, lHeight=%d}, xrefs: 036E4C9D
gdi3, xrefs: 036E4BBE
6, xrefs: 036E4CF9
(, xrefs: 036E4CED
U, xrefs: 036E4BD3
er32, xrefs: 036E4BDA

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: Object$HeapSection$CriticalDelete$CreateEnterProcess$AllocateCallbackCompatibleCurrentDispatcherFreeHandleLeaveLibraryLoadMetricsModuleReleaseSelectSystemUser
String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$U$er32$gdi3
API String ID: 1387450592-1028866296
Opcode ID: d029a3f918f7b9847df6ee272ef481ac9320b8e84d28a9fa129b09a00cec53ad
Instruction ID: 3c6ce609b85ea208406b67436283927cdddefe0f69beb7eef06b937c44192923
Opcode Fuzzy Hash: d029a3f918f7b9847df6ee272ef481ac9320b8e84d28a9fa129b09a00cec53ad
Instruction Fuzzy Hash: FD719E75D01308ABDB21DFA5DC45BAEBB79EF44700F14805AE505EB394EB709A08CB55

Function 036E1000 Relevance: 18.2, APIs: 4, Strings: 6, Instructions: 667
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,?), ref: 036E13C7

Part of subcall function 036E407D: GetFileAttributesW.KERNELBASE(00DA0420,036E1035,00DA0420,?), ref: 036E407E

Part of subcall function 036E3508: EnterCriticalSection.KERNEL32(036E84D4,?,?,036E3BE5,?,036E2251), ref: 036E3512
Part of subcall function 036E3508: GetProcessHeap.KERNEL32(00000008,?,?,?,036E3BE5,?,036E2251), ref: 036E351B
Part of subcall function 036E3508: RtlAllocateHeap.NTDLL(00000000,?,?,?,036E3BE5,?,036E2251), ref: 036E3522
Part of subcall function 036E3508: LeaveCriticalSection.KERNEL32(036E84D4,?,?,?,036E3BE5,?,036E2251), ref: 036E352B

FindFirstFileW.KERNELBASE(00000000,?,00DA0420,?), ref: 036E1161

Part of subcall function 036E3EFC: FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 036E3F5D
Part of subcall function 036E3EFC: FindNextFileW.KERNEL32(036E1710,?), ref: 036E3FFE

EnterCriticalSection.KERNEL32(036E84D4), ref: 036E1668
LeaveCriticalSection.KERNEL32(036E84D4), ref: 036E1681

Strings

7a?=, xrefs: 036E16A3
Telegram, xrefs: 036E166E
%s%s, xrefs: 036E1487, 036E17C7, 036E195D, 036E19C2
%s\%s, xrefs: 036E11A2
%s\*, xrefs: 036E112A
$Lr, xrefs: 036E1281

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: File$CriticalFindSection$EnterFirstHeapLeaveNext$AllocateAttributesProcess
String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$Telegram
API String ID: 1893179121-1537637304
Opcode ID: ddc051f7c0e44b0e8c2a185ba014457a1aedc9d7d3c124b011da5a78b717ab16
Instruction ID: 0d7612be4e904e22905f32d1ae30f09b2390694070b8881b4692370e4a7755be
Opcode Fuzzy Hash: ddc051f7c0e44b0e8c2a185ba014457a1aedc9d7d3c124b011da5a78b717ab16
Instruction Fuzzy Hash: CF324576E023149BDF25EBA4C954BBDB3B4AF41700F28405ED415AB394EB308E8DDBA5

Function 036E2054 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 036E3508: EnterCriticalSection.KERNEL32(036E84D4,?,?,036E3BE5,?,036E2251), ref: 036E3512
Part of subcall function 036E3508: GetProcessHeap.KERNEL32(00000008,?,?,?,036E3BE5,?,036E2251), ref: 036E351B
Part of subcall function 036E3508: RtlAllocateHeap.NTDLL(00000000,?,?,?,036E3BE5,?,036E2251), ref: 036E3522
Part of subcall function 036E3508: LeaveCriticalSection.KERNEL32(036E84D4,?,?,?,036E3BE5,?,036E2251), ref: 036E352B

GetCurrentHwProfileA.ADVAPI32(?), ref: 036E210B
GetSystemInfo.KERNELBASE(?,?,0000011C), ref: 036E2132
GlobalMemoryStatusEx.KERNELBASE(?), ref: 036E2166
EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 036E21E8

Strings

@, xrefs: 036E215D
- CPU: %s (%d cores), xrefs: 036E2144
- HWID: %s, xrefs: 036E211F
- RAM: %d GB, xrefs: 036E217D
- VideoAdapter #%d: %s, xrefs: 036E21B4

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateCurrentDevicesDisplayEnterEnumGlobalInfoLeaveMemoryProcessProfileStatusSystem
String ID: - CPU: %s (%d cores)$- HWID: %s$- RAM: %d GB$- VideoAdapter #%d: %s$@
API String ID: 330852582-565344305
Opcode ID: fdc2495060bf1a8333ca682565dd5850606ce5b337e7b3f6d4f1b35d2473b688
Instruction ID: 4a15802ee9b31e2a4ec2e6e5fe2c22638b20486ea88b6c59f4d143fbf80b27fc
Opcode Fuzzy Hash: fdc2495060bf1a8333ca682565dd5850606ce5b337e7b3f6d4f1b35d2473b688
Instruction Fuzzy Hash: C241F0B56053059BD721EF14C881BABBBEDEB88310F14492DF9898B341E770D949CBA2

Function 036E4E27 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 286
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,036E84D4,?), ref: 036E4ECD
EnterCriticalSection.KERNEL32(036E84D4), ref: 036E4F89

Part of subcall function 036E4E27: LeaveCriticalSection.KERNEL32(036E84D4), ref: 036E4FA6

FindNextFileW.KERNELBASE(?,?), ref: 036E5175

Part of subcall function 036E407D: GetFileAttributesW.KERNELBASE(00DA0420,036E1035,00DA0420,?), ref: 036E407E

Strings

Telegram, xrefs: 036E4F8F
%s\%s, xrefs: 036E4EE7
%s\*, xrefs: 036E4EB7

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: File$CriticalFindSection$AttributesEnterFirstLeaveNext
String ID: %s\%s$%s\*$Telegram
API String ID: 648860119-4994844
Opcode ID: dd465a011379b4d69cbeb58ee94ec61e7d05d808789f0da7b7e9130e8cca8148
Instruction ID: 8bbef9e50ce0e4a1cb883b3d6744c496151034090959e94707850919619dc484
Opcode Fuzzy Hash: dd465a011379b4d69cbeb58ee94ec61e7d05d808789f0da7b7e9130e8cca8148
Instruction Fuzzy Hash: 88A19139A15308A9EF10EBA0ED05AFEB775EF44710F20505EE504EF3A0EBB14A49875E

Function 036E1D3C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 139
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?), ref: 036E1D83

Part of subcall function 036E3508: EnterCriticalSection.KERNEL32(036E84D4,?,?,036E3BE5,?,036E2251), ref: 036E3512
Part of subcall function 036E3508: GetProcessHeap.KERNEL32(00000008,?,?,?,036E3BE5,?,036E2251), ref: 036E351B
Part of subcall function 036E3508: RtlAllocateHeap.NTDLL(00000000,?,?,?,036E3BE5,?,036E2251), ref: 036E3522
Part of subcall function 036E3508: LeaveCriticalSection.KERNEL32(036E84D4,?,?,?,036E3BE5,?,036E2251), ref: 036E352B

FindNextFileW.KERNELBASE(00000000,?), ref: 036E1F07

Strings

%s%s, xrefs: 036E1EC1
%s\%s, xrefs: 036E1E0E
%s\*, xrefs: 036E1D6A

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: CriticalFileFindHeapSection$AllocateEnterFirstLeaveNextProcess
String ID: %s%s$%s\%s$%s\*
API String ID: 3555643018-2064654797
Opcode ID: a57dd9bdd6dd7683dc1fa8503f3fc7183d81f8e6542920e8b9b2069893a1af17
Instruction ID: 7f6cac2689e6955669f43de85c46238fcbb3450aa985f12aec7efc23c2146af6
Opcode Fuzzy Hash: a57dd9bdd6dd7683dc1fa8503f3fc7183d81f8e6542920e8b9b2069893a1af17
Instruction Fuzzy Hash: 1541267920A3458BC724EF24DA44A2EB7E8EF95700F24091EF855CB395EB30C90DC79A

Function 036E1C94 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 036E46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,036E4812), ref: 036E46E6
Part of subcall function 036E46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,036E4812), ref: 036E46F3

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 036E1CF3
CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 036E1D29

Strings

CRYPT32.dll, xrefs: 036E1CC2
Poverty is the parent of crime., xrefs: 036E1D12

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: CryptData$HandleLibraryLoadModuleProtectUnprotect
String ID: CRYPT32.dll$Poverty is the parent of crime.
API String ID: 3642467563-1885057629
Opcode ID: 73874e8788b189ec22525921f0135d220f2312d037f10dc73148266b28048911
Instruction ID: ac5e31e3e2b5bac4a4e406737b8f6cc2453d07841e2c85087f1a4b1d2d2ecbb6
Opcode Fuzzy Hash: 73874e8788b189ec22525921f0135d220f2312d037f10dc73148266b28048911
Instruction Fuzzy Hash: FB115CB6D0120CABCF10DFD5C880CEEBBBDEB49210F14456AE905B3244E770AE09CBA0

Function 036E21F5 Relevance: 38.8, APIs: 13, Strings: 9, Instructions: 304
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(036E84D4,00000DA3), ref: 036E220A
CreateMutexA.KERNELBASE(00000000,00000000,1e7f31ac-1494-47cc-9633-054c20e7432e), ref: 036E2222
GetLastError.KERNEL32 ref: 036E2235

Strings

1e7f31ac-1494-47cc-9633-054c20e7432e, xrefs: 036E2219, 036E2585
- UserAgent: %s, xrefs: 036E2526
shell32, xrefs: 036E2358
$, xrefs: 036E2570
$d.log, xrefs: 036E25EB
kernel32, xrefs: 036E23AC
@, xrefs: 036E2551
systemd, xrefs: 036E2566
- OperationSystem: %d:%d:%d, xrefs: 036E229D

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$1e7f31ac-1494-47cc-9633-054c20e7432e$@$kernel32$shell32$systemd
API String ID: 2005177960-3436640841
Opcode ID: 6cc8e539c742d49f887924822eb2f047b3f461d2602372c7ec968ce167f8aeab
Instruction ID: b8b8fc96bba3084ae3539e4b5f76213514eddc31bdf22024d22bc3006ce8f378
Opcode Fuzzy Hash: 6cc8e539c742d49f887924822eb2f047b3f461d2602372c7ec968ce167f8aeab
Instruction Fuzzy Hash: A4C10235A05348EFEB11FFA0D919BEC7B76AB01705F140059E211AF2C9DB714A4DCB29

Function 036E446C Relevance: 16.7, APIs: 8, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 036E407D: GetFileAttributesW.KERNELBASE(00DA0420,036E1035,00DA0420,?), ref: 036E407E

Part of subcall function 036E3508: EnterCriticalSection.KERNEL32(036E84D4,?,?,036E3BE5,?,036E2251), ref: 036E3512
Part of subcall function 036E3508: GetProcessHeap.KERNEL32(00000008,?,?,?,036E3BE5,?,036E2251), ref: 036E351B
Part of subcall function 036E3508: RtlAllocateHeap.NTDLL(00000000,?,?,?,036E3BE5,?,036E2251), ref: 036E3522
Part of subcall function 036E3508: LeaveCriticalSection.KERNEL32(036E84D4,?,?,?,036E3BE5,?,036E2251), ref: 036E352B

EnterCriticalSection.KERNEL32(036E84D4), ref: 036E44F5
LeaveCriticalSection.KERNEL32(036E84D4), ref: 036E4541
EnterCriticalSection.KERNEL32(036E84D4), ref: 036E45C4
LeaveCriticalSection.KERNEL32(036E84D4), ref: 036E45FD
EnterCriticalSection.KERNEL32(036E84D4), ref: 036E463A
LeaveCriticalSection.KERNEL32(036E84D4), ref: 036E467D
EnterCriticalSection.KERNEL32(036E84D4), ref: 036E4696
LeaveCriticalSection.KERNEL32(036E84D4), ref: 036E46BF

Part of subcall function 036E42EC: GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,036E4574), ref: 036E4305
Part of subcall function 036E42EC: GetProcAddress.KERNEL32(00000000), ref: 036E430E
Part of subcall function 036E42EC: GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,036E4574), ref: 036E431F
Part of subcall function 036E42EC: GetProcAddress.KERNEL32(00000000), ref: 036E4322
Part of subcall function 036E42EC: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,036E4574), ref: 036E43A4
Part of subcall function 036E42EC: GetCurrentProcess.KERNEL32(036E4574,00000000,00000000,00000002,?,?,?,?,036E4574), ref: 036E43C0
Part of subcall function 036E42EC: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,036E4574), ref: 036E43CF
Part of subcall function 036E42EC: CloseHandle.KERNEL32(036E4574,?,?,?,?,036E4574), ref: 036E43FF

Part of subcall function 036E3536: GetProcessHeap.KERNEL32(00000000,00000000,036E264F), ref: 036E353D
Part of subcall function 036E3536: RtlFreeHeap.NTDLL(00000000), ref: 036E3544

Strings

@, xrefs: 036E44DB
\??\%s, xrefs: 036E44A4
\Network\Cookies, xrefs: 036E4561

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$HandleHeapProcess$AddressModuleProc$AllocateAttributesCloseCurrentDuplicateFileFreeOpen
String ID: @$\??\%s$\Network\Cookies
API String ID: 330363434-2791195959
Opcode ID: 09cc40ea1cc9a416edd7fda7fba31a21ed1f967df8e67064aadc769430d6733f
Instruction ID: f73857fe04d09cbc4ffe3a4d8e3fc7625b677a8cb0ecaf18715d7190c213616e
Opcode Fuzzy Hash: 09cc40ea1cc9a416edd7fda7fba31a21ed1f967df8e67064aadc769430d6733f
Instruction Fuzzy Hash: F3719D75A01208EFEB05EFA0D949BEDBBB5FB04705F208019F611AF2D5DBB19A49CB11

Function 036E536D Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 138
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 036E46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,036E4812), ref: 036E46E6
Part of subcall function 036E46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,036E4812), ref: 036E46F3

socket.WS2_32(?,00000001,00000000), ref: 036E5480
connect.WS2_32(000000FF,?,00000010), ref: 036E54BF
send.WS2_32(000000FF,00000000,00000000), ref: 036E54E1
send.WS2_32(000000FF,000000FF,00000037,00000000), ref: 036E54FD

Strings

ws2_32.dll, xrefs: 036E53E8
146.70.169.164, xrefs: 036E5494

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: send$HandleLibraryLoadModuleconnectsocket
String ID: 146.70.169.164$ws2_32.dll
API String ID: 2781119014-4085977579
Opcode ID: 840a24a8ab19d6489c2f60ff4f561b093efae33268b8f1b0de84bb819e51aa48
Instruction ID: c57144d92fe55b21cabcf22e49203d0e25593318ab60436f4d3c2846afed844c
Opcode Fuzzy Hash: 840a24a8ab19d6489c2f60ff4f561b093efae33268b8f1b0de84bb819e51aa48
Instruction Fuzzy Hash: 7651C630C04289EEEB12CBE8D8097EDBFB89F16318F144089D661AE2C1D7B5474ACB65

Function 00E4F990 Relevance: 11.6, APIs: 4, Strings: 1, Instructions: 2890COMMON

Download Yara Rule

Strings

d, xrefs: 00E4F999

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 20603b0301f4f694833e1a371a0bae301f90babdf992bee040671060fc62b928
Instruction ID: e80845f53303f5699677eadf46101aafd430b5fd85e192d437c0022bdc25e2a9
Opcode Fuzzy Hash: 20603b0301f4f694833e1a371a0bae301f90babdf992bee040671060fc62b928
Instruction Fuzzy Hash: 28633570C04A18CACB26DF64D8916EEF7B5FF56345F1096C9E80A3A241EB31AAD5DF40

Function 00E53FE0 Relevance: 11.2, APIs: 5, Strings: 1, Instructions: 705
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00E53FE9

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: b482d6121fcbd486fa262208cc681902c68ae469dc25bb59264401eb40afeccb
Instruction ID: dcb14804334cd9c9f08df295e3d4308452f3b356313a9a3c926cdb82dee09262
Opcode Fuzzy Hash: b482d6121fcbd486fa262208cc681902c68ae469dc25bb59264401eb40afeccb
Instruction Fuzzy Hash: 8E724BB1C04A1CCACB15DFA4D8816EEF7B5FF55349F109689E80A3A281EB319AD5DB40

Function 00E559F0 Relevance: 10.0, APIs: 2, Strings: 1, Instructions: 5515COMMON

Download Yara Rule

Strings

d, xrefs: 00E559F9

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: e5d0df16b04304798511b083bba1a7c2616f42ed134cdf4f9b44562f1e84a9ef
Instruction ID: a417c7e54cf8fd62613af9ad54c7d704928057cb8fd0e9cc886a674120ee683d
Opcode Fuzzy Hash: e5d0df16b04304798511b083bba1a7c2616f42ed134cdf4f9b44562f1e84a9ef
Instruction Fuzzy Hash: 9ED33671C04A18CACB26DF24D9916EEF7B5FF46345F1096CAD80A3A241EB31AAD5CF41

Function 036E484B Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 231
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,0000011C,?,?,?,?,?,036E22C4), ref: 036E486C

Part of subcall function 036E46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,036E4812), ref: 036E46E6
Part of subcall function 036E46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,036E4812), ref: 036E46F3

GetCurrentProcess.KERNEL32(036E22C4), ref: 036E48E0
IsWow64Process.KERNEL32(00000000), ref: 036E48E7

Strings

ntdl, xrefs: 036E4889
l, xrefs: 036E488C

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
String ID: l$ntdl
API String ID: 1207166019-924918826
Opcode ID: f3f548b5f929307eb6fb1ef30bce8cf7d9eb6d4a199a82b8770a2704596f5aa5
Instruction ID: 539a9fe5139df6f94f36ac1a9eb30589b8cb0e30d4c29b012b7e5fc1161dce4b
Opcode Fuzzy Hash: f3f548b5f929307eb6fb1ef30bce8cf7d9eb6d4a199a82b8770a2704596f5aa5
Instruction Fuzzy Hash: 3A81913260A304DAFB26EE25EA5577933BCFB40B10F14155AE2099F3C9DFB4858D871A

Function 00E9FCA5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___scrt_release_startup_lock.LIBCMT ref: 00E9FCF5
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00E9FD09
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00E9FD2F
___scrt_uninitialize_crt.LIBCMT ref: 00E9FD72

Strings

VPWh, xrefs: 00E9FD4E

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
String ID: VPWh
API String ID: 3089971210-353207083
Opcode ID: 25fe390340fac59e0673b046d073e991e97b07d869585d3e77bb89e831b942fd
Instruction ID: a14cdb11f2839afa70e1d353bac2a0c917cc5ad1c597a5d7c4e494e4fc52d9b9
Opcode Fuzzy Hash: 25fe390340fac59e0673b046d073e991e97b07d869585d3e77bb89e831b942fd
Instruction Fuzzy Hash: 942126326083115ACF307B686C07B9E63E4AF47724F203579F990BF2C2DF226C029694

Function 00E53052 Relevance: 6.0, APIs: 4, Instructions: 32
librarysynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 00E5307F
CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 00E530A2
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E530B7
FreeLibrary.KERNEL32(?), ref: 00E530C4

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: Library$CreateFreeLoadObjectSingleThreadWait
String ID:
API String ID: 2432312608-0
Opcode ID: 4981b0d6e811a2fbcfe534e40f1741050a9d82f4e1b30a61abbe052df3f8fda3
Instruction ID: bc35357bf28ccd7a35982b8988810f87277adbd6f89e1b0fcd59bea77d383da0
Opcode Fuzzy Hash: 4981b0d6e811a2fbcfe534e40f1741050a9d82f4e1b30a61abbe052df3f8fda3
Instruction Fuzzy Hash: FB011970A8031C9FDB249F65DC8DBAA7734FB14315F1006D8FA296B2A1CAB16E84CF50

Function 036E3508 Relevance: 6.0, APIs: 4, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(036E84D4,?,?,036E3BE5,?,036E2251), ref: 036E3512
GetProcessHeap.KERNEL32(00000008,?,?,?,036E3BE5,?,036E2251), ref: 036E351B
RtlAllocateHeap.NTDLL(00000000,?,?,?,036E3BE5,?,036E2251), ref: 036E3522
LeaveCriticalSection.KERNEL32(036E84D4,?,?,?,036E3BE5,?,036E2251), ref: 036E352B

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID:
API String ID: 1367039788-0
Opcode ID: 807be03accd627e37016c31473e9e4fa853d1dc3263c5468dd5c8dd4ec8681a5
Instruction ID: f3a10b597585b51a2522f34666c645ec53170cae779f30a1be94159a8c880cb7
Opcode Fuzzy Hash: 807be03accd627e37016c31473e9e4fa853d1dc3263c5468dd5c8dd4ec8681a5
Instruction Fuzzy Hash: 20D09E73601120A7DB6076E9B80C99BAA6CEF95963705105AF205CB15CCAA4880987A1

Function 036E46D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,036E4812), ref: 036E46E6
LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,036E4812), ref: 036E46F3

Strings

ntdl, xrefs: 036E46E1, 036E46F2

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: ntdl
API String ID: 4133054770-3973061744
Opcode ID: c5cac9fd66fd61225fe060c6c6a6ecc73775fc77235002a5558a8fd4aaf79d0d
Instruction ID: 30b10cea9102aea5bbb010da33a53be073d09b2fff6f9c9c5516e28a41df1bb1
Opcode Fuzzy Hash: c5cac9fd66fd61225fe060c6c6a6ecc73775fc77235002a5558a8fd4aaf79d0d
Instruction Fuzzy Hash: 6231CE39E012159BCF25CFA9C494ABEF7B5FF4A314F080299C41197341CB34A959CBE0

Function 00EAEDE2 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 00EAEF97

Part of subcall function 00EAAC15: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,00E9FB1F,00000000,?,00E5322C,00000000,?,00E413A5,00000000), ref: 00EAAC47

__freea.LIBCMT ref: 00EAEFAA
__freea.LIBCMT ref: 00EAEFB7

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: 6dc19a6b91d38198432509139c6d8b393509103b5d74c065d1a2002e8a549791
Instruction ID: 7fc78aa148efea2b43018b10753ec65d1ee1abec6f02d35157e619a12a2b8a81
Opcode Fuzzy Hash: 6dc19a6b91d38198432509139c6d8b393509103b5d74c065d1a2002e8a549791
Instruction Fuzzy Hash: AC518176700206AFEB219F649C85EAB76A9EF5A754F191029FD04FF340E770EC50C661

Function 00EB2F61 Relevance: 3.2, APIs: 2, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 00EB2A95: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00EB2AC0

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00EB2DA5,?,00000000,?,00000000,?), ref: 00EB2FC2
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EB2DA5,?,00000000,?,00000000,?), ref: 00EB2FFE

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: c3058188daa7293716ec9e91fb7cedb0918ab2b25e2b0d9087e8ef31d75a744b
Instruction ID: 349d4d72ba44ba401150730a9d42a0e97c40ff5f2feb6649b48323017433590a
Opcode Fuzzy Hash: c3058188daa7293716ec9e91fb7cedb0918ab2b25e2b0d9087e8ef31d75a744b
Instruction Fuzzy Hash: C1515730A003458EDB21DF79C882AEBFBF5EF41308F18656ED186AB251E6759A06CB50

Function 00EAE1D3 Relevance: 3.0, APIs: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringEx.KERNELBASE(?,00EAEED2,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 00EAE207
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,00EAEED2,?,?,-00000008,?,00000000), ref: 00EAE225

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: fa0f3a6f8559aa78098c4665803baaef3ca54e8bb4969eecd954308055f6e31c
Instruction ID: 36f89704d0f86f328fa834d4f3a23f323614fa2e97af29a5c2abe1e5ea25ed8a
Opcode Fuzzy Hash: fa0f3a6f8559aa78098c4665803baaef3ca54e8bb4969eecd954308055f6e31c
Instruction Fuzzy Hash: A1F0683200011ABBCF126F91DC05EDE3E6AFB4D760F058510FA186A131C732E831ABA0

Function 036E3536 Relevance: 3.0, APIs: 2, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,036E264F), ref: 036E353D
RtlFreeHeap.NTDLL(00000000), ref: 036E3544

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 27a2639fc69d4aa9ec1fd8e44c3ed6efa52a5095c0bbf6077133bb761cece956
Instruction ID: 64d62c3061d34a25d9b718301776fee3316e977ca40df2bfdf66a58bca190f93
Opcode Fuzzy Hash: 27a2639fc69d4aa9ec1fd8e44c3ed6efa52a5095c0bbf6077133bb761cece956
Instruction Fuzzy Hash: 31B012F45021006BEF5C77E0BE0DB3A3718BB10703F142088F203DA24CD668C50E8620

Function 00EB2B69 Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(FFFFF9B2,?,00000005,00EB2DA5,?), ref: 00EB2B9B

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 523d5daa8d568f4b7e389a8f8d172b3ed5311ea62efcd946b23fb32cb095e39d
Instruction ID: 53c83739d6ac7abd8178c5ff6b5ec307656d45ac1f5c35b9e3b7fde00e2d6ac2
Opcode Fuzzy Hash: 523d5daa8d568f4b7e389a8f8d172b3ed5311ea62efcd946b23fb32cb095e39d
Instruction Fuzzy Hash: 5C5127B1504158AEDB118E28CDC4BEABFACFF15304F1411EDE699A7182D335AD89DF60

Function 00E9FB05 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00EA037B

Part of subcall function 00EA106C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00EA038E,?,?,?,?,00EA038E,?,00EC8484), ref: 00EA10CC

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ExceptionRaisestdext::threads::lock_error::lock_error
String ID:
API String ID: 3447279179-0
Opcode ID: f7b11e9b91bdaeefedc78d06f302b44b94dcdce62e2191c8bb6ae4b1f6fa5e6c
Instruction ID: 79ba96613e7b14e731467f399819f9bd487071b3cf8bca8e5b6f2c95c92785ef
Opcode Fuzzy Hash: f7b11e9b91bdaeefedc78d06f302b44b94dcdce62e2191c8bb6ae4b1f6fa5e6c
Instruction Fuzzy Hash: E3F0B43480030DB6CF04BAB4ED5AE9D37AC9A09354F606170F974BA0D2FF70FA498195

Function 00E41460 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMTD ref: 00E41477

Part of subcall function 00E53D80: stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00E53D89

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstdext::threads::lock_error::lock_error
String ID:
API String ID: 2103942186-0
Opcode ID: 7e938961fb2e67025cdff9c0a0f1d748bbed45857ce640becdc6d9bdc5e37106
Instruction ID: e48b56c0a1800da802a6b7c1d46fb9f4c1a36632fd3344a114f8dc2c00a24a62
Opcode Fuzzy Hash: 7e938961fb2e67025cdff9c0a0f1d748bbed45857ce640becdc6d9bdc5e37106
Instruction Fuzzy Hash: 9AF04474D01108ABCF14EFB8E5816ADF7B1EF44344F1091E9E815A7355D630AF90DB85

Function 00EAAC15 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?,?,00E9FB1F,00000000,?,00E5322C,00000000,?,00E413A5,00000000), ref: 00EAAC47

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6a06f9fc3d81e2151b6960e3238bcf13fc978967bd65ae38ac7044a4deae5cb0
Instruction ID: 66fcf560718daafeb34b89e7b12dfe80ea2347ce874d3ae2ef5d8602170684dd
Opcode Fuzzy Hash: 6a06f9fc3d81e2151b6960e3238bcf13fc978967bd65ae38ac7044a4deae5cb0
Instruction Fuzzy Hash: F6E0E521244B156BF73136259C01B9BFA889F8B3B4F1C2170BD44BE2D0CB60FC00C2A2

Function 00E77B09 Relevance: 1.5, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,00000007,?,?), ref: 00E54B9E

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cf7bc3aa903ab3109f03d42f29084ea334242b244b99f36d316b0f70bcf7bf67
Instruction ID: 7099e6e4cac6d98c269ad06fff322772e2558e5480be79a2a233c443b8bee1e6
Opcode Fuzzy Hash: cf7bc3aa903ab3109f03d42f29084ea334242b244b99f36d316b0f70bcf7bf67
Instruction Fuzzy Hash: F8D012B6A10118CBCB209B69AC0B7A2777CF744317F14269DED5867102DB33491A8F40

Function 00E413B0 Relevance: 1.5, APIs: 1, Instructions: 9COMMONLIBRARYCODE

Download Yara Rule

APIs

allocator.LIBCONCRTD ref: 00E413BC

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: 571f10d42482652b194d7ecda06d937b3b08c569b6719ab49de57ad63638ba45
Instruction ID: 234c89acd38384d50c21150d981d600837423b995e2a6603dbe62b287347fb8f
Opcode Fuzzy Hash: 571f10d42482652b194d7ecda06d937b3b08c569b6719ab49de57ad63638ba45
Instruction Fuzzy Hash: A5C09B7011410C5B8744DF88E491D5573DD9B887147004155BD0D4B351CA30FD40C954

Function 036E407D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00DA0420,036E1035,00DA0420,?), ref: 036E407E

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 986eba1e915399e3cbe4098669295e9f96777bbdde92a66605db4874661fd44a
Instruction ID: 40f2141d4253a44d3c4ea947ad791d844ad6d1a1c3dc022851af19cb40f7b420
Opcode Fuzzy Hash: 986eba1e915399e3cbe4098669295e9f96777bbdde92a66605db4874661fd44a
Instruction Fuzzy Hash: 0EA022B80302008BCB2C23300B2A00E30000E0A2F23220B8CB033CC0C8EA28C3C20000

Function 00E67EEA Relevance: 1.3, APIs: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 00E58B81

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b8716e49dc4b9451f16d23452c0f99de79676403a92a046abad83714ab0d661c
Instruction ID: 16512609dba9521b97d957bd5c7b0d3661ae1e04685d27ea233ade2ce7dea054
Opcode Fuzzy Hash: b8716e49dc4b9451f16d23452c0f99de79676403a92a046abad83714ab0d661c
Instruction Fuzzy Hash: E721E5B5C059288ADB62CF24CE867EDB7B9AF52341F10A6C6D80D76202DB305AC99F10

Non-executed Functions

Function 00EB5458 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,jW,00000002,00000000,?,?,?,00EB576A,?,00000000), ref: 00EB54F1
GetLocaleInfoW.KERNEL32(?,20001004,jW,00000002,00000000,?,?,?,00EB576A,?,00000000), ref: 00EB551A
GetACP.KERNEL32(?,?,00EB576A,?,00000000), ref: 00EB552F

Strings

jW, xrefs: 00EB550B, 00EB5528, 00EB54E2, 00EB54FB, 00EB54E5, 00EB550E
ACP, xrefs: 00EB5476
OCP, xrefs: 00EB54AC

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP$jW
API String ID: 2299586839-4263510081
Opcode ID: 0abc3bda50b65bc49adc5672a8612798c4603a5c9c7017f0f7b1af5f85c0e5fb
Instruction ID: 1108d15b1bc7d5cb6f85abbf247f2a8d2f47b8acd5f299433638b8289ec930f8
Opcode Fuzzy Hash: 0abc3bda50b65bc49adc5672a8612798c4603a5c9c7017f0f7b1af5f85c0e5fb
Instruction Fuzzy Hash: E621D333601901AADB308F55D905BD773A7EF50B6AB66A424E91BFB100F732DE80C750

Function 036E3EFC Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

Part of subcall function 036E407D: GetFileAttributesW.KERNELBASE(00DA0420,036E1035,00DA0420,?), ref: 036E407E

Part of subcall function 036E3508: EnterCriticalSection.KERNEL32(036E84D4,?,?,036E3BE5,?,036E2251), ref: 036E3512
Part of subcall function 036E3508: GetProcessHeap.KERNEL32(00000008,?,?,?,036E3BE5,?,036E2251), ref: 036E351B
Part of subcall function 036E3508: RtlAllocateHeap.NTDLL(00000000,?,?,?,036E3BE5,?,036E2251), ref: 036E3522
Part of subcall function 036E3508: LeaveCriticalSection.KERNEL32(036E84D4,?,?,?,036E3BE5,?,036E2251), ref: 036E352B

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 036E3F5D
FindNextFileW.KERNEL32(036E1710,?), ref: 036E3FFE

Strings

%s%s, xrefs: 036E4047
%s\%s, xrefs: 036E3F97
%s\*, xrefs: 036E3F47

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: File$CriticalFindHeapSection$AllocateAttributesEnterFirstLeaveNextProcess
String ID: %s%s$%s\%s$%s\*
API String ID: 674214967-2064654797
Opcode ID: 129e0c23c382a969c63863fb3b6225bb9373956ba6c09d55bda5e467ceda55da
Instruction ID: 4736b8380032208110a5ccff4e8df921fd604e43e7dc9f960e570ad30cf5509b
Opcode Fuzzy Hash: 129e0c23c382a969c63863fb3b6225bb9373956ba6c09d55bda5e467ceda55da
Instruction Fuzzy Hash: BC311A79A0231857CF22FB20CD48ABDB7759F40211F1801A8EC149B390EF319E4ECB54

Function 00EB5634 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EAA8F0: GetLastError.KERNEL32(?,?,00EA71B7,?,?,?,?,00000003,00EA4382,?,00EA42F1,?,00000000,00EA4500), ref: 00EAA8F4
Part of subcall function 00EAA8F0: SetLastError.KERNEL32(00000000,00000000,00EA4500,?,?,?,?,?,00000000,?,?,00EA459E,00000000,00000000,00000000,00000000), ref: 00EAA996

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00EB573C
IsValidCodePage.KERNEL32(00000000), ref: 00EB577A
IsValidLocale.KERNEL32(?,00000001), ref: 00EB578D
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00EB57D5
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00EB57F0

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 150a5fdfeda373644a8e1f3a25c293886a9a683e1ad0f1fa9cb3adb3537e63f0
Instruction ID: 665635824818c0318670984abd0859211c114bfc3dfcb5b2e281cd0240eb5179
Opcode Fuzzy Hash: 150a5fdfeda373644a8e1f3a25c293886a9a683e1ad0f1fa9cb3adb3537e63f0
Instruction Fuzzy Hash: 4D516C72A00A19AFEB20EBA5CC45BFF77F8AF09704F145479A910FB191EB7099448B61

Function 00EB4CBF Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EAA8F0: GetLastError.KERNEL32(?,?,00EA71B7,?,?,?,?,00000003,00EA4382,?,00EA42F1,?,00000000,00EA4500), ref: 00EAA8F4
Part of subcall function 00EAA8F0: SetLastError.KERNEL32(00000000,00000000,00EA4500,?,?,?,?,?,00000000,?,?,00EA459E,00000000,00000000,00000000,00000000), ref: 00EAA996

GetACP.KERNEL32(?,?,?,?,?,?,00EA89B1,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00EB4D7E
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00EA89B1,?,?,?,00000055,?,-00000050,?,?), ref: 00EB4DB5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00EB4F18

Strings

utf8, xrefs: 00EB4E87

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 8575de547b46d2ce32c17f3eb0f5b1ea973f743a73c8d5dccf43701a3a1d0ea9
Instruction ID: 27a334ecd3b5c81622f3aa25eebe6d6c000cbeb4bd5a56205638c45ae9fab8d5
Opcode Fuzzy Hash: 8575de547b46d2ce32c17f3eb0f5b1ea973f743a73c8d5dccf43701a3a1d0ea9
Instruction Fuzzy Hash: 5871F8B1A00206AADB25AB74DC86BFB73E8EF45704F15242AF615FB1C2EB74E9408651

Function 036E40BA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 036E410D
FindNextFileW.KERNEL32(000000FF,?), ref: 036E4159

Part of subcall function 036E3536: GetProcessHeap.KERNEL32(00000000,00000000,036E264F), ref: 036E353D
Part of subcall function 036E3536: RtlFreeHeap.NTDLL(00000000), ref: 036E3544

Strings

%s\%s, xrefs: 036E416D
%s\*, xrefs: 036E40F7

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: FileFindHeap$FirstFreeNextProcess
String ID: %s\%s$%s\*
API String ID: 1689202581-2848263008
Opcode ID: 0b8d0dce976bcbfaf83c0c9aa6025fd4b8a19acb9d1b6d887e73764613cfb2fe
Instruction ID: dee75e3e876ee7374370faa862c56efd86ec2f2b4d2b120d08ea2b599c192bf1
Opcode Fuzzy Hash: 0b8d0dce976bcbfaf83c0c9aa6025fd4b8a19acb9d1b6d887e73764613cfb2fe
Instruction Fuzzy Hash: 0631C67CB023149BCF21EF76CD846BEBBA9AF54240F240079D805CB345EF309A598B94

Function 00EA0495 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00EA04A1
IsDebuggerPresent.KERNEL32 ref: 00EA056D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EA0586
UnhandledExceptionFilter.KERNEL32(?), ref: 00EA0590

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: f2045b5b6f846fb70094c29c7d9d41370d0508ae9f6d53d183565b096a625e4a
Instruction ID: d05b56008f72f9707c69da54dd106e1dd269734586f1fc8abaa3a0f60b9e8674
Opcode Fuzzy Hash: f2045b5b6f846fb70094c29c7d9d41370d0508ae9f6d53d183565b096a625e4a
Instruction Fuzzy Hash: 6031F7B5D05218DBDF21EFA5D9897CDBBF8AF08304F1041AAE50DAB250EB749A84CF45

Function 00EB50DC Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00EAA8F0: GetLastError.KERNEL32(?,?,00EA71B7,?,?,?,?,00000003,00EA4382,?,00EA42F1,?,00000000,00EA4500), ref: 00EAA8F4
Part of subcall function 00EAA8F0: SetLastError.KERNEL32(00000000,00000000,00EA4500,?,?,?,?,?,00000000,?,?,00EA459E,00000000,00000000,00000000,00000000), ref: 00EAA996

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EB5130
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EB517A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EB5240

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: c1bbddbd7cad5bac8ed8ff7011b79a93ed50db6c966985dadc4ab41840cf0ed3
Instruction ID: 9e1ff80e3a2616eaa2ef47fb9e8ec48f9a93ab54792681b6cf39c5a08f654220
Opcode Fuzzy Hash: c1bbddbd7cad5bac8ed8ff7011b79a93ed50db6c966985dadc4ab41840cf0ed3
Instruction Fuzzy Hash: BF619C72911A079FEB289F28CC82BEB77F8EF04344F1450BAE905E6295E774D981CB50

Function 00EA4383 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00EA447B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00EA4485
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00EA4492

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b53ae59636f8c7c4f76df80a8814a7d3561960b028279199364e27de228b99bf
Instruction ID: 0eabcd50c78415b1856d30d976ff3101d276525faa906aaf00d671f1a1303267
Opcode Fuzzy Hash: b53ae59636f8c7c4f76df80a8814a7d3561960b028279199364e27de228b99bf
Instruction Fuzzy Hash: 8631E5749012289BCB21DF64D88978DBBF8BF4D310F5052EAE51CAB291E774AF858F44

Function 00EA013C Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00EA0152

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: bde6ae921eb2309e78c6d5f510ef251715d934caa16f2b67b61da9f8a6a8e8c1
Instruction ID: 390990d91e411b7e06b221364c3532f98b651e9a24123447f245ad302a389b41
Opcode Fuzzy Hash: bde6ae921eb2309e78c6d5f510ef251715d934caa16f2b67b61da9f8a6a8e8c1
Instruction Fuzzy Hash: 5F51AFB19056098FDB29CF65D886BAAB7F0FB48308F24903AC416FB251E376AD05CB50

Function 00EB532F Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00EAA8F0: GetLastError.KERNEL32(?,?,00EA71B7,?,?,?,?,00000003,00EA4382,?,00EA42F1,?,00000000,00EA4500), ref: 00EAA8F4
Part of subcall function 00EAA8F0: SetLastError.KERNEL32(00000000,00000000,00EA4500,?,?,?,?,?,00000000,?,?,00EA459E,00000000,00000000,00000000,00000000), ref: 00EAA996

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00EB5383

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: b6dba54a768ffdf4e9987dcc4ec01996c317a9313909f071d12ab89b054cebed
Instruction ID: cf72fdb37d702fb472389dc4521ecb52e3b467a0eff46f995d708c4481a8e3e2
Opcode Fuzzy Hash: b6dba54a768ffdf4e9987dcc4ec01996c317a9313909f071d12ab89b054cebed
Instruction Fuzzy Hash: 8C21D333610606ABDB28AB15DC82BFB33E8EF55354B14207AFD01E6241EB74EC41CB50

Function 00EB4FB6 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EAA8F0: GetLastError.KERNEL32(?,?,00EA71B7,?,?,?,?,00000003,00EA4382,?,00EA42F1,?,00000000,00EA4500), ref: 00EAA8F4
Part of subcall function 00EAA8F0: SetLastError.KERNEL32(00000000,00000000,00EA4500,?,?,?,?,?,00000000,?,?,00EA459E,00000000,00000000,00000000,00000000), ref: 00EAA996

EnumSystemLocalesW.KERNEL32(00EB50DC,00000001,00000000,?,-00000050,?,00EB5710,00000000,?,?,?,00000055,?), ref: 00EB5028

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 9faeb1643ad59516b92f9ab94a559bb94cea4d570930d97f074e1a385627a957
Instruction ID: bf4d76ca1c97cc7ae2e1d3a2da46336e7a8f147f04f5ca893912d77963c90b99
Opcode Fuzzy Hash: 9faeb1643ad59516b92f9ab94a559bb94cea4d570930d97f074e1a385627a957
Instruction Fuzzy Hash: EE1129372007059FDB18AF39C8916BBB791FF84358B14442CEA4667741D3717842C740

Function 00EB555E Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00EAA8F0: GetLastError.KERNEL32(?,?,00EA71B7,?,?,?,?,00000003,00EA4382,?,00EA42F1,?,00000000,00EA4500), ref: 00EAA8F4
Part of subcall function 00EAA8F0: SetLastError.KERNEL32(00000000,00000000,00EA4500,?,?,?,?,?,00000000,?,?,00EA459E,00000000,00000000,00000000,00000000), ref: 00EAA996

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00EB52F8,00000000,00000000,?), ref: 00EB558A

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: ee72e31102faad8502d669bbd4cdd10c84d34a1a743686fba20400163400d8f1
Instruction ID: 3d3c6c78df10c2c66e71176a1131306b7c15bb15f43563e1b35d2eb3a69d8cb3
Opcode Fuzzy Hash: ee72e31102faad8502d669bbd4cdd10c84d34a1a743686fba20400163400d8f1
Instruction Fuzzy Hash: 5101A233601612ABDB28AA248C45BFB37A5EB40759F154428ED06B31C0EA24FE41CA90

Function 00EB5051 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EAA8F0: GetLastError.KERNEL32(?,?,00EA71B7,?,?,?,?,00000003,00EA4382,?,00EA42F1,?,00000000,00EA4500), ref: 00EAA8F4
Part of subcall function 00EAA8F0: SetLastError.KERNEL32(00000000,00000000,00EA4500,?,?,?,?,?,00000000,?,?,00EA459E,00000000,00000000,00000000,00000000), ref: 00EAA996

EnumSystemLocalesW.KERNEL32(00EB532F,00000001,00000000,?,-00000050,?,00EB56D8,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00EB509B

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c0f4aba3a83ea31af7b2d5b77e3c49fe08d04417236881d4f2b20c7d24a94e43
Instruction ID: 5cb7c0e7ac673d77a2a532f54dbaaeecee8d9ad11f76e0237f9f2d7fb9397a80
Opcode Fuzzy Hash: c0f4aba3a83ea31af7b2d5b77e3c49fe08d04417236881d4f2b20c7d24a94e43
Instruction Fuzzy Hash: EAF0C837300B045FDB246F7998917AB7BD1EF84358B05442DFA455B680D6719C42C690

Function 00EADBC7 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EA49CA: EnterCriticalSection.KERNEL32(-00ECB8A8,?,00EA76D7,00000000,00EC8C40,0000000C,00EA769F,?,?,00EADB90,?,?,00EAAA8E,00000001,00000364,00000000), ref: 00EA49D9

EnumSystemLocalesW.KERNEL32(00EADBBA,00000001,00EC8E30,0000000C,00EADF92,00000000), ref: 00EADBFF

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 97d5572b870fec6bcd9934b03bbd262cdd6c96036250ba67baa6074892dd9491
Instruction ID: 9b4b69ee33ee7b1d9a1bcc8f4e36e5c40e481e55da7ff6ea2cae9075fb5b6f48
Opcode Fuzzy Hash: 97d5572b870fec6bcd9934b03bbd262cdd6c96036250ba67baa6074892dd9491
Instruction Fuzzy Hash: 33F03C72A04318DFDB00DF59D902B9D77F0EB49720F00412AE501BB2A1CBB56905CB50

Function 00EB4F6B Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EAA8F0: GetLastError.KERNEL32(?,?,00EA71B7,?,?,?,?,00000003,00EA4382,?,00EA42F1,?,00000000,00EA4500), ref: 00EAA8F4
Part of subcall function 00EAA8F0: SetLastError.KERNEL32(00000000,00000000,00EA4500,?,?,?,?,?,00000000,?,?,00EA459E,00000000,00000000,00000000,00000000), ref: 00EAA996

EnumSystemLocalesW.KERNEL32(00EB4EC4,00000001,00000000,?,?,00EB5732,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00EB4FA2

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 12eaff9db4bccc70ef54efcbb9109b075189f6ee4b3246067e99ef40a4ce5635
Instruction ID: ca2db0783d8ff210a323a05b60db10953370a1fe680b20a694c87b2b89f02353
Opcode Fuzzy Hash: 12eaff9db4bccc70ef54efcbb9109b075189f6ee4b3246067e99ef40a4ce5635
Instruction Fuzzy Hash: 31F0EC357003455BCF049F35D8456BBBF94EFC1714B064059EE059F692C6759C43C790

Function 00EAE096 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00EA9527,?,20001004,00000000,00000002,?,?,00EA8B19), ref: 00EAE0CA

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 87ca3cb18c9c8ad1b8ec846b8859415c9e59aed869e6fbd18e4cebec5f7ccbab
Instruction ID: f79595811c383de21b25df7724aafa6f4be671aa020d951bcf86946f2f50d10f
Opcode Fuzzy Hash: 87ca3cb18c9c8ad1b8ec846b8859415c9e59aed869e6fbd18e4cebec5f7ccbab
Instruction Fuzzy Hash: 84E04F3150012CBBCF122F61DC04F9E7E6AFF4A760F044410FD057A261CB71A920EAE5

Function 00EA0622 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0006062E,00E9FC56), ref: 00EA0627

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 56a5c7fad11f9917222b58273ec7429a93b74fd2ebc48449ff23e50be67e4e96
Instruction ID: 0600d7f30cbadd3bfa97b8f48d034d3d223557ac7fa8a28aa8accbf390225676
Opcode Fuzzy Hash: 56a5c7fad11f9917222b58273ec7429a93b74fd2ebc48449ff23e50be67e4e96
Instruction Fuzzy Hash:

Function 00EB5891 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00EB5891

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: cdc42fba187889a4d329d8dafeae8352779e5fd94243007e15494caa6e32ab20
Instruction ID: 38433f8e98e42fc5672b7a690c0090ec3e4cb4072d95ef733f2ed512cdee07a8
Opcode Fuzzy Hash: cdc42fba187889a4d329d8dafeae8352779e5fd94243007e15494caa6e32ab20
Instruction Fuzzy Hash: 66A01230202101CF43004F365F0920936E86705580F0141685000E2120D72040049A00

Function 036E42EC Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,036E4574), ref: 036E4305
GetProcAddress.KERNEL32(00000000), ref: 036E430E
GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,036E4574), ref: 036E431F
GetProcAddress.KERNEL32(00000000), ref: 036E4322

Part of subcall function 036E3508: EnterCriticalSection.KERNEL32(036E84D4,?,?,036E3BE5,?,036E2251), ref: 036E3512
Part of subcall function 036E3508: GetProcessHeap.KERNEL32(00000008,?,?,?,036E3BE5,?,036E2251), ref: 036E351B
Part of subcall function 036E3508: RtlAllocateHeap.NTDLL(00000000,?,?,?,036E3BE5,?,036E2251), ref: 036E3522
Part of subcall function 036E3508: LeaveCriticalSection.KERNEL32(036E84D4,?,?,?,036E3BE5,?,036E2251), ref: 036E352B

OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,036E4574), ref: 036E43A4
GetCurrentProcess.KERNEL32(036E4574,00000000,00000000,00000002,?,?,?,?,036E4574), ref: 036E43C0
DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,036E4574), ref: 036E43CF
CloseHandle.KERNEL32(036E4574,?,?,?,?,036E4574), ref: 036E43FF
GetCurrentProcess.KERNEL32(036E4574,00000000,00000000,00000001,?,?,?,?,036E4574), ref: 036E440D
DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,036E4574), ref: 036E441C
CloseHandle.KERNEL32(?,?,?,?,?,036E4574), ref: 036E442F
CloseHandle.KERNEL32(000000FF), ref: 036E4452
CloseHandle.KERNEL32(?), ref: 036E445A

Strings

NtQueryObject, xrefs: 036E4310
NtQuerySystemInformation, xrefs: 036E42FB
ntdll, xrefs: 036E4300, 036E4317

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: Handle$CloseProcess$AddressCriticalCurrentDuplicateHeapModuleProcSection$AllocateEnterLeaveOpen
String ID: NtQueryObject$NtQuerySystemInformation$ntdll
API String ID: 3110323036-2044536123
Opcode ID: bdaea7162858002f6e87bc5e242c844ffd22600d3521b6717700055a815d3dd7
Instruction ID: 1e812f2c6305adcfbfec2987a7c8e1a55ad9bd27a6e58322a0541dcbe855a6fd
Opcode Fuzzy Hash: bdaea7162858002f6e87bc5e242c844ffd22600d3521b6717700055a815d3dd7
Instruction Fuzzy Hash: 3B419472A01219EBDB11EBF69D48AAEBBB9EF44611F144065F510E7294DF70CA48CBA0

Function 00E43930 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00E43959
_Yarn.LIBCPMTD ref: 00E4396B
_Yarn.LIBCPMTD ref: 00E4397A
_Yarn.LIBCPMTD ref: 00E43989
_Yarn.LIBCPMTD ref: 00E43998
_Yarn.LIBCPMTD ref: 00E439A7
_Yarn.LIBCPMTD ref: 00E439B6
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E439CD

Part of subcall function 00E9CF3B: _Yarn.LIBCPMT ref: 00E9CF5A
Part of subcall function 00E9CF3B: _Yarn.LIBCPMT ref: 00E9CF7E

Strings

bad locale name, xrefs: 00E439D7

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: Yarn$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3904239083-1405518554
Opcode ID: 5de8c84b7b89095da6ae2e9998d4b8e62d2d4b293fda4b68871a3c82b7fa88e2
Instruction ID: 14b8f233f64d09b18e582be912cc41a40d37603516a57cef9ca8200044c8ec82
Opcode Fuzzy Hash: 5de8c84b7b89095da6ae2e9998d4b8e62d2d4b293fda4b68871a3c82b7fa88e2
Instruction Fuzzy Hash: C5214DB0A04249DBCF05EBA8D952BAEBBB1BF44308F54555CF6123B7C2CB755A04CB61

Function 036E2991 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 245COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 036E2A7C

Strings

0123456789abcdef, xrefs: 036E29F1
(null), xrefs: 036E2B0D
(null), xrefs: 036E2B87
0123456789ABCDEF, xrefs: 036E29F8

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef
API String ID: 1302938615-1267642376
Opcode ID: 47dcdbd9d372de249319c15d8574a0ee9729233e485061228b4b09691bd2ab8b
Instruction ID: e1e80ba9731c5b8e5172fb43f3b59bb6e7727654873c6f71d55c359692dda8fe
Opcode Fuzzy Hash: 47dcdbd9d372de249319c15d8574a0ee9729233e485061228b4b09691bd2ab8b
Instruction Fuzzy Hash: B19190716063068FD725DF28C4A062AF7EAFF85308F184D6EE49A87751E770E889CB51

Function 00EA32E1 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00EA3400
___TypeMatch.LIBVCRUNTIME ref: 00EA350E
_UnwindNestedFrames.LIBCMT ref: 00EA3660
CallUnexpected.LIBVCRUNTIME ref: 00EA367B

Strings

csm, xrefs: 00EA3437
csm, xrefs: 00EA331E
csm, xrefs: 00EA338B

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 44bb38ff6fa1707ad6dbe160218c083f230c24d248369fc7296294c1751a7bac
Instruction ID: c2a7db6956acd127c488ee0dba48ce70da9dba4113dab100fa0ea9c7cbd50a3a
Opcode Fuzzy Hash: 44bb38ff6fa1707ad6dbe160218c083f230c24d248369fc7296294c1751a7bac
Instruction Fuzzy Hash: FFB15671D00209EFCF25DFA8C8819AEBBB5AF4E314B14659AF8117F212D731EA51CB91

Function 00EB1338 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 00EB15B2, 00EB15B7

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 235b90b1007fe38bf03e158ff99621c4ce076606e6c8b20a1cfc7c79f27cc0f8
Instruction ID: fe47ae215605dfb41ecf63b04a3ee313bf1cd3bc8d5ff355286e61ecbdd957b6
Opcode Fuzzy Hash: 235b90b1007fe38bf03e158ff99621c4ce076606e6c8b20a1cfc7c79f27cc0f8
Instruction Fuzzy Hash: 46B14671E042089FDB11DF99C8A1BEF7BB1BF89324F585198E501BB295C770AD46CB60

Function 036E1F2D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 84COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32 ref: 036E1F90
GetKeyboardLayoutList.USER32(00000032,?), ref: 036E1FF2

Strings

- SystemLayout %d, xrefs: 036E1FCC
{%d} , xrefs: 036E2025
), xrefs: 036E2042
- KeyboardLayouts: ( , xrefs: 036E1FDB

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: DefaultKeyboardLanguageLayoutListUser
String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
API String ID: 167087913-619012376
Opcode ID: e4966a44b603121509eee4b86fe174e0dd8a29f978a2be298bd33b91c4e15fe8
Instruction ID: 13d0b51cd2ecab13ad35c7653c99233c1c87ec3ba975ed60f77ccf3d6fa961f0
Opcode Fuzzy Hash: e4966a44b603121509eee4b86fe174e0dd8a29f978a2be298bd33b91c4e15fe8
Instruction Fuzzy Hash: F531EF64E08288AADB019FE4D4017FDBB70AF14302F40509AF558EB282E7794B4EC76A

Function 00EADD94 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,05713596,?,00EADEA3,00000000,00E413A5,00000000,00000000), ref: 00EADE55

Strings

api-ms-, xrefs: 00EADDEB
ext-ms-, xrefs: 00EADDFF

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: f30814c624112aaf4c30bbdbdd5d658c2f32c77429570b7cfc6a2e241449d24d
Instruction ID: dedccf62a7c78d21b891142d3204af1f843b80f839391d985b9a96a7d9d8c10f
Opcode Fuzzy Hash: f30814c624112aaf4c30bbdbdd5d658c2f32c77429570b7cfc6a2e241449d24d
Instruction Fuzzy Hash: E821D871E04310ABCB219B61DC45AAB3758EB9B7A4F246220E917BF6D1D731FD05C6E0

Function 00E9E516 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E9E51D
std::_Lockit::_Lockit.LIBCPMT ref: 00E9E527
int.LIBCPMTD ref: 00E9E53E

Part of subcall function 00E446D0: std::_Lockit::_Lockit.LIBCPMT ref: 00E446E6
Part of subcall function 00E446D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00E44710

codecvt.LIBCPMT ref: 00E9E561
std::_Facet_Register.LIBCPMT ref: 00E9E578
std::_Lockit::~_Lockit.LIBCPMT ref: 00E9E598
Concurrency::cancel_current_task.LIBCPMTD ref: 00E9E5A5

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 6244f3538aa039aaf0e6f78e2da0aac528647b2d56b104c316b9d4f6bd64a596
Instruction ID: 1f0ee6d7f887fd42b71bd1bf5b9008fc1a0735cf0050a635768cc78c48422081
Opcode Fuzzy Hash: 6244f3538aa039aaf0e6f78e2da0aac528647b2d56b104c316b9d4f6bd64a596
Instruction Fuzzy Hash: 2211A2B19002149FCB10EB68D8467AE77F5BF84324F152519F505BB391EFB4AE058B90

Function 00E9D7A8 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E9D7AF
std::_Lockit::_Lockit.LIBCPMT ref: 00E9D7B9
int.LIBCPMTD ref: 00E9D7D0

Part of subcall function 00E446D0: std::_Lockit::_Lockit.LIBCPMT ref: 00E446E6
Part of subcall function 00E446D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00E44710

codecvt.LIBCPMT ref: 00E9D7F3
std::_Facet_Register.LIBCPMT ref: 00E9D80A
std::_Lockit::~_Lockit.LIBCPMT ref: 00E9D82A
Concurrency::cancel_current_task.LIBCPMTD ref: 00E9D837

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 26dbce59834093d103e08ee7eed6c24d0d1bbbc8f31e83c120497ea8d579ea62
Instruction ID: 45d39a0c0ebe471e06b2770a359dd87532fa02142f2c5c2ccfe505b76f82bb93
Opcode Fuzzy Hash: 26dbce59834093d103e08ee7eed6c24d0d1bbbc8f31e83c120497ea8d579ea62
Instruction Fuzzy Hash: 6C01C4799041259BCF14FB649D42AAEB7B5AF84310F241419E8117B291DF749E09CB80

Function 00E9F8DE Relevance: 9.2, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00E9F927
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00E9F992
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E9F9AF
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00E9F9EE
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E9FA4D
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00E9FA70

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 742fa872d93133b603d89656d98f918d800489fdbad21568c82198ed7100393c
Instruction ID: 07752e85761aa4106d5cb8840c022d2085015efa977b58fd2d68917311a5a96f
Opcode Fuzzy Hash: 742fa872d93133b603d89656d98f918d800489fdbad21568c82198ed7100393c
Instruction Fuzzy Hash: 05518D72A0020ABFDF209FA4CC85FAB7BA9EB48754F145539F919FA190DBB49D10CB50

Function 036E3084 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

x, xrefs: 036E33C4

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: 4a384aa784d5807e24ed6c12c139a101d6002b81d55e534da8d4c3de14b80173
Instruction ID: 156ea2b754f84a20eebf8334a419149121e2a987e16841ed7553491b907f1f1d
Opcode Fuzzy Hash: 4a384aa784d5807e24ed6c12c139a101d6002b81d55e534da8d4c3de14b80173
Instruction Fuzzy Hash: 0F029F79E01249EFCB45CF98C984AADB7F4FB09304F14845AE866EB350D730AA16CF65

Function 00EA2FAA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EA2FA1,00EA16DC,00EA0672), ref: 00EA2FB8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EA2FC6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EA2FDF
SetLastError.KERNEL32(00000000,00EA2FA1,00EA16DC,00EA0672), ref: 00EA3031

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3d07b57d15c50983c75a8c1c2b62e41f0309b6fa44b0a354ffbbf89e9d3125a8
Instruction ID: 25b43b17917be3f36652dfcbd75e6982c52e96f2aac2cd8d7b64383173cd4f77
Opcode Fuzzy Hash: 3d07b57d15c50983c75a8c1c2b62e41f0309b6fa44b0a354ffbbf89e9d3125a8
Instruction Fuzzy Hash: 5B0128322093215DD6252AB57CC6F1B6694EBAB7B87202339F2107D0E1EF926C055245

Function 00EA80CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,05713596,?,?,00000000,00EB8AEC,000000FF,?,00EA80A8,?,?,00EA807C,00000000), ref: 00EA8101
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EA8113
FreeLibrary.KERNEL32(00000000,?,00000000,00EB8AEC,000000FF,?,00EA80A8,?,?,00EA807C,00000000), ref: 00EA8135

Strings

CorExitProcess, xrefs: 00EA810B
mscoree.dll, xrefs: 00EA80FA

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 03280340c6b2a53fe19abeed7a52072a8a97cf6d6b1a23e9f0d7819dfb6544be
Instruction ID: 90afdc5b0d1d61e3d49a1203449f74bf6a0e92a9225249c7832a112f13795754
Opcode Fuzzy Hash: 03280340c6b2a53fe19abeed7a52072a8a97cf6d6b1a23e9f0d7819dfb6544be
Instruction Fuzzy Hash: 2601DB31500629EFCB119F55CD05FAFBBB8FB09714F000639F911B2290DF749805CA50

Function 00E41E20 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00E41E40
int.LIBCPMTD ref: 00E41E59

Part of subcall function 00E446D0: std::_Lockit::_Lockit.LIBCPMT ref: 00E446E6
Part of subcall function 00E446D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00E44710

Concurrency::cancel_current_task.LIBCPMTD ref: 00E41E99
std::_Lockit::~_Lockit.LIBCPMT ref: 00E41F01

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID:
API String ID: 3053331623-0
Opcode ID: 50aba9e26eb2c5545d59b9e670f208ebb3eb4ec2759ef3590c33ccd1445df178
Instruction ID: 9a53ce57f6e309e2b35b3b20f3d99f775317695b08596da0e8c255f7e40ec9e3
Opcode Fuzzy Hash: 50aba9e26eb2c5545d59b9e670f208ebb3eb4ec2759ef3590c33ccd1445df178
Instruction Fuzzy Hash: E83138B4D00249DFCF04EFA4D992BEEBBB0BB48310F205659E81577391DB306A44CBA1

Function 00E41F20 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00E41F40
int.LIBCPMTD ref: 00E41F59

Part of subcall function 00E446D0: std::_Lockit::_Lockit.LIBCPMT ref: 00E446E6
Part of subcall function 00E446D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00E44710

Concurrency::cancel_current_task.LIBCPMTD ref: 00E41F99
std::_Lockit::~_Lockit.LIBCPMT ref: 00E42001

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID:
API String ID: 3053331623-0
Opcode ID: 1c88b58becde6fdb5e158f3585be92b031840e77d33138dc1f9130850244da70
Instruction ID: 4cf7260ae4fb84fd4416cfbfe23cf6204c5e45e68292d8eec2ae4c58bf24cfa0
Opcode Fuzzy Hash: 1c88b58becde6fdb5e158f3585be92b031840e77d33138dc1f9130850244da70
Instruction Fuzzy Hash: 6B3107B1E00249DBCF04EFA4D992AEEBBB0BF58310F205659E41177391DB745A49CBA1

Function 00E9CE3D Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E9CE44
std::_Lockit::_Lockit.LIBCPMT ref: 00E9CE4F
std::_Lockit::~_Lockit.LIBCPMT ref: 00E9CEBD

Part of subcall function 00E9CFA0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00E9CFB8

std::locale::_Setgloballocale.LIBCPMT ref: 00E9CE6A
_Yarn.LIBCPMT ref: 00E9CE80

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 06a13b1c04a77220a25673f09fea4dee311a074c213eb1e9ed975591cac9da3c
Instruction ID: 899a8291de575ff7efb17958fd1f5c9bc13dec254e715d6ee51eff86a29c87f4
Opcode Fuzzy Hash: 06a13b1c04a77220a25673f09fea4dee311a074c213eb1e9ed975591cac9da3c
Instruction Fuzzy Hash: C201D4756011109FCB05FB21D89697E77A6BF89300F282019E90277381DF746E0ACBC1

Function 00EA4072 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00EA4023,00000000,?,00ECB824,?,?,?,00EA41C6,00000004,InitializeCriticalSectionEx,00EBB270,InitializeCriticalSectionEx), ref: 00EA407F
GetLastError.KERNEL32(?,00EA4023,00000000,?,00ECB824,?,?,?,00EA41C6,00000004,InitializeCriticalSectionEx,00EBB270,InitializeCriticalSectionEx,00000000,?,00EA3F7D), ref: 00EA4089
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00EA40B1

Strings

api-ms-, xrefs: 00EA4096

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 0930113698e05da4c4454120b717f178654d31d2b91e854ed8a3c7c5fc10d93a
Instruction ID: 29bfa91651971069dd60dbe0e13b6c7346a0543a444725c278bdff71f08cb0c7
Opcode Fuzzy Hash: 0930113698e05da4c4454120b717f178654d31d2b91e854ed8a3c7c5fc10d93a
Instruction Fuzzy Hash: 95E01270684204BBDF202B61DC46B5A3A949B45B55F145020FF0CFC0E1D7A2A85599DA

Function 00EAF497 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(05713596,00000000,00000000,00000000), ref: 00EAF4FA

Part of subcall function 00EB1EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00EAEF8D,?,00000000,-00000008), ref: 00EB1F1E

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00EAF74C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00EAF792
GetLastError.KERNEL32 ref: 00EAF835

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: e59dbacf2a5320ac27abd03bd573175ab318419ecd68553e322bbbb9d6eee589
Instruction ID: 24d78caabd72d8adc8d02055e7ca52fa57014daade6c19b1e96603e1765fedec
Opcode Fuzzy Hash: e59dbacf2a5320ac27abd03bd573175ab318419ecd68553e322bbbb9d6eee589
Instruction Fuzzy Hash: B7D168B5D002489FCB15CFE8D8809EDBBB5EF4A314F28452AE826FB255D730A946CB50

Function 00EA308A Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00EA3151
___AdjustPointer.LIBCMT ref: 00EA3174
___AdjustPointer.LIBCMT ref: 00EA3210

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: daaddffa36879d74fe30d8391d20ec56a329053805dabd05bf7e2e3eab96b029
Instruction ID: d44891b2aa9488f7442fed807e589671ec70de04422bc681acf3d1f03e8aca26
Opcode Fuzzy Hash: daaddffa36879d74fe30d8391d20ec56a329053805dabd05bf7e2e3eab96b029
Instruction Fuzzy Hash: D051E1716062069FDB288F20D841BAAB7A5EF5A314F14552EF806AF291D731FE41C790

Function 00EB227A Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00EB1EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00EAEF8D,?,00000000,-00000008), ref: 00EB1F1E

GetLastError.KERNEL32 ref: 00EB22DE
__dosmaperr.LIBCMT ref: 00EB22E5
GetLastError.KERNEL32(?,?,?,?), ref: 00EB231F
__dosmaperr.LIBCMT ref: 00EB2326

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: f6c4e67f484a8e093115a87b19dd309ca4b19386284b94014273b951b7c49d0d
Instruction ID: 746f135b3332158fb7d5ab6382f3a0921bc014c2b8b87a05cd7e109b36fcc7da
Opcode Fuzzy Hash: f6c4e67f484a8e093115a87b19dd309ca4b19386284b94014273b951b7c49d0d
Instruction Fuzzy Hash: 0721D732600606AFDF20AF618C818EBB7E9FF49368710991CFA19FB151D774ED0097A0

Function 00EA7478 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3999218b61056281945e6addef303438f86c0a302b1f072004b194941b13e7c
Instruction ID: c354ecc44cbec6f65ea890fa6ff8d92fcf9d1a1d8863d9d6fa700a30a96b4686
Opcode Fuzzy Hash: a3999218b61056281945e6addef303438f86c0a302b1f072004b194941b13e7c
Instruction Fuzzy Hash: 0C218072A08605AFDB20EF759C9096B7BA9AF8E3687105924F994FF151E770FD0087A0

Function 00EB321E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00EB3226

Part of subcall function 00EB1EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00EAEF8D,?,00000000,-00000008), ref: 00EB1F1E

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EB325E
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EB327E

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 1006d3791d4892661f2704829efa7ea8667d11637d2aa74420a0b6f6e4ea2060
Instruction ID: 907f1cdbd210daf74780d1ad820e9686652a4c279c856afa893395e15724fbeb
Opcode Fuzzy Hash: 1006d3791d4892661f2704829efa7ea8667d11637d2aa74420a0b6f6e4ea2060
Instruction Fuzzy Hash: 391100B1502216BFA71127BA9CCFCEF39ECDE893A8B102564F902F1111FB20DE0091B1

Function 00EB7C3B Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00EB6B6B,00000000,00000001,0000000C,00000000,?,00EAF889,00000000,00000000,00000000), ref: 00EB7C52
GetLastError.KERNEL32(?,00EB6B6B,00000000,00000001,0000000C,00000000,?,00EAF889,00000000,00000000,00000000,00000000,00000000,?,00EAFE2C,?), ref: 00EB7C5E

Part of subcall function 00EB7C24: CloseHandle.KERNEL32(FFFFFFFE,00EB7C6E,?,00EB6B6B,00000000,00000001,0000000C,00000000,?,00EAF889,00000000,00000000,00000000,00000000,00000000), ref: 00EB7C34

___initconout.LIBCMT ref: 00EB7C6E

Part of subcall function 00EB7BE6: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EB7C15,00EB6B58,00000000,?,00EAF889,00000000,00000000,00000000,00000000), ref: 00EB7BF9

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00EB6B6B,00000000,00000001,0000000C,00000000,?,00EAF889,00000000,00000000,00000000,00000000), ref: 00EB7C83

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 5a0eb078ac42b69cacd9e9936d5ab48b841eb517eee0dba000d639df2f9c95f1
Instruction ID: 7b6da519fe8eba470eeeb7c3e22986b4f7c2e76f9a2290086d4fbceea8a4c267
Opcode Fuzzy Hash: 5a0eb078ac42b69cacd9e9936d5ab48b841eb517eee0dba000d639df2f9c95f1
Instruction Fuzzy Hash: A8F01C36505119BFCF222FD6DC08DDB7F76EB883A4F064164FA09A5521C6328820EF91

Function 036E2C08 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 389COMMON

Download Yara Rule

APIs

Part of subcall function 036E3508: EnterCriticalSection.KERNEL32(036E84D4,?,?,036E3BE5,?,036E2251), ref: 036E3512
Part of subcall function 036E3508: GetProcessHeap.KERNEL32(00000008,?,?,?,036E3BE5,?,036E2251), ref: 036E351B
Part of subcall function 036E3508: RtlAllocateHeap.NTDLL(00000000,?,?,?,036E3BE5,?,036E2251), ref: 036E3522
Part of subcall function 036E3508: LeaveCriticalSection.KERNEL32(036E84D4,?,?,?,036E3BE5,?,036E2251), ref: 036E352B

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 036E2E3D

Strings

x, xrefs: 036E2F32

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateByteCharEnterLeaveMultiProcessWide
String ID: x
API String ID: 1990697408-2363233923
Opcode ID: 512a792b631d9958bec44dc926d6281ccefd10bb151ad7ac0344c4abc2738cce
Instruction ID: fad7fd6ec0d62907ad8240dbe279cc3464e79aedee5bc3c3d1eae4e1f26095f3
Opcode Fuzzy Hash: 512a792b631d9958bec44dc926d6281ccefd10bb151ad7ac0344c4abc2738cce
Instruction Fuzzy Hash: C102CE74905249EFCF05DF98C994AAEBBF5BF09300F148899E865EB350D730AA89CF51

Function 00EABBFD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00EABC8D

Strings

pow, xrefs: 00EABC65, 00EABC82

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: e495a8c1894a475dd45a7f84539a52781b168272665390443078dbddf7c761cb
Instruction ID: 709fa104847e6865c73e10f3ae52fd0930a7782b96e5426ef039f11587a47569
Opcode Fuzzy Hash: e495a8c1894a475dd45a7f84539a52781b168272665390443078dbddf7c761cb
Instruction Fuzzy Hash: 5251BD7190820186CB117714CD417BBBBD0DB4AB24F307D69F096BE2AAEF35ACC5DA45

Function 00EA2DB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00EA2DEF
__IsNonwritableInCurrentImage.LIBCMT ref: 00EA2EA3

Strings

csm, xrefs: 00EA2E8D

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 9557839acfcedf74f6f7f72d674ddf85d394acd0dda86c8e7f95c058d8239037
Instruction ID: 869dae4561ad46880d480a0b37d75e7798f343f8c126f60cf8913b7d6116d61a
Opcode Fuzzy Hash: 9557839acfcedf74f6f7f72d674ddf85d394acd0dda86c8e7f95c058d8239037
Instruction Fuzzy Hash: 1A41B134A002099BCF01DF6CC844A9EBBF5AF0A318F14D159E9147F392D731AE55CB91

Function 00EA3686 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00EA36AB

Strings

MOC, xrefs: 00EA36BD
RCC, xrefs: 00EA36C5

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 47286309a8dd1f5ceec9bcb9c7e644367b4f4a2fc57770ad5064200ec9cf26d2
Instruction ID: 02a2b9abc19b5fedf2d890a6914e76d22743c9ef3e93cc454ebe0ceb41b80a21
Opcode Fuzzy Hash: 47286309a8dd1f5ceec9bcb9c7e644367b4f4a2fc57770ad5064200ec9cf26d2
Instruction Fuzzy Hash: 2B4148B1900209AFCF15DFA8CD81AEEBBB5FF49304F145199FA057B221D335AA50DB50

Function 00E9C900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 00E9C9E8
task.LIBCPMTD ref: 00E9C9F6

Strings

}{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+, xrefs: 00E9C92A

Memory Dump Source

Source File: 00000009.00000002.3438795068.0000000000E41000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000009.00000002.3438528568.0000000000E40000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3439739609.0000000000ECA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440110573.0000000000ECB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.3440312350.0000000000ECC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e40000_96C7.jbxd

Similarity

API ID: Concurrency::task_continuation_context::task_continuation_contexttask
String ID: }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+
API String ID: 605201214-2946796713
Opcode ID: 0165bde3a832898896a67496aa4bde3fbeec55609f783c0a49842ea2a82988b9
Instruction ID: a892769dee64a81b1629025fcb73b31e839fb1c1331c8fab413f6bc024ab548f
Opcode Fuzzy Hash: 0165bde3a832898896a67496aa4bde3fbeec55609f783c0a49842ea2a82988b9
Instruction Fuzzy Hash: AA31E271D042199BCF04EF98C992BEEBBB1FB49304F20911AE415B7291DB746A00CBA0

Function 036E3D1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,00000000,00000000,00000000,?,?,?,036E3DC1,00000000,?,0000011C), ref: 036E3D34

Part of subcall function 036E3508: EnterCriticalSection.KERNEL32(036E84D4,?,?,036E3BE5,?,036E2251), ref: 036E3512
Part of subcall function 036E3508: GetProcessHeap.KERNEL32(00000008,?,?,?,036E3BE5,?,036E2251), ref: 036E351B
Part of subcall function 036E3508: RtlAllocateHeap.NTDLL(00000000,?,?,?,036E3BE5,?,036E2251), ref: 036E3522
Part of subcall function 036E3508: LeaveCriticalSection.KERNEL32(036E84D4,?,?,?,036E3BE5,?,036E2251), ref: 036E352B

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,?,00000000,00000000,?,036E3DC1,00000000,?,0000011C), ref: 036E3D6A

Strings

$d.log, xrefs: 036E3D2B, 036E3D63

Memory Dump Source

Source File: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_36e0000_96C7.jbxd

Yara matches

Similarity

API ID: ByteCharCriticalHeapMultiSectionWide$AllocateEnterLeaveProcess
String ID: $d.log
API String ID: 635875880-1910398676
Opcode ID: a932eee0cf596c7d884a95a5444964a88429925423424d171b0547d53a7dc699
Instruction ID: 7c7a8cd39aa75e54713cc1b0c302f25306d3c897040273f9367a96613e77d7a5
Opcode Fuzzy Hash: a932eee0cf596c7d884a95a5444964a88429925423424d171b0547d53a7dc699
Instruction Fuzzy Hash: 2DF0E2B52011207F6324AAAAEC08C777EACDBC2B71314422DFC18CF3C4D9209C0482B0

Analysis Process: svgbehtPID: 6788, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	20.6%
Signature Coverage:	0%
Total number of Nodes:	141
Total number of Limit Nodes:	5

Executed Functions

Function 00401496 Relevance: 10.7, APIs: 7, Instructions: 247
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 0000000A.00000002.2967308020.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_svgbeht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
Instruction ID: 8e4940cc2d5d294876689a6a874cb0cc3c399929e81e9dec1e5d288c8cd9e9dd
Opcode Fuzzy Hash: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
Instruction Fuzzy Hash: F481B375500244BBEB209F91CC44FAB7BB8FF85704F10412AF952BA2F1E7749901CB69

Function 00401538 Relevance: 10.7, APIs: 7, Instructions: 207
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 0000000A.00000002.2967308020.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_svgbeht.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
Instruction ID: 71a4d0092025beca94809e07d65936591d52f1bb8effc294688e3fcd05e54c36
Opcode Fuzzy Hash: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
Instruction Fuzzy Hash: E0615171900204FBEB209F95CC89FAF7BB8FF85700F10412AF912BA2E5D6759905DB65

Function 004014DE Relevance: 10.7, APIs: 7, Instructions: 204
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 0000000A.00000002.2967308020.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_svgbeht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
Instruction ID: 6a824664258ffec6fdf95c516407446232c8a84219ad61b9fd4b8efeb52f3576
Opcode Fuzzy Hash: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
Instruction Fuzzy Hash: 9B615C75900245BFEB219F91CC88FEBBBB8FF85710F10016AF951BA2A5E7749901CB24

Function 00401543 Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 0000000A.00000002.2967308020.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_svgbeht.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
Instruction ID: 1fc6fb52bb36dddf8f971a96ecfe927bdbae9887f6286775c14151e9c1d92244
Opcode Fuzzy Hash: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
Instruction Fuzzy Hash: 13512B71900245BBEB209F91CC88FAF7BB8EF85B00F14416AF912BA2E5D6749945CB64

Function 00401565 Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 0000000A.00000002.2967308020.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_svgbeht.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
Instruction ID: d88667ffe02cbbb2798d41d5ad0cf6527765788d972b82ac88077c7d238bff09
Opcode Fuzzy Hash: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
Instruction Fuzzy Hash: 54511A71900205BFEF209F91CC89FAFBBB8FF85B10F104259F911AA2A5D7759941CB64

Function 00401579 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 0000000A.00000002.2967308020.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_svgbeht.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
Instruction ID: 7169477154cf1621f4f222e223ad54e678f31395e99d0ffd613e12cb64d905d3
Opcode Fuzzy Hash: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
Instruction Fuzzy Hash: 2B511A75900245BBEF209F91CC88FEF7BB8FF85B10F104119F911BA2A5D6759941CB64

Function 0040157C Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 0000000A.00000002.2967308020.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_svgbeht.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
Instruction ID: 14f4b29c405daff92d21e2b3eea283823ae405efc36948ac0d92101f557811aa
Opcode Fuzzy Hash: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
Instruction Fuzzy Hash: DE51F9B5900245BBEF209F91CC88FEFBBB8FF85B10F104259F911AA2A5D6709944CB64

Function 00402FE9 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040311D
NtTerminateProcess.NTDLL ref: 00403136

Memory Dump Source

Source File: 0000000A.00000002.2967308020.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_svgbeht.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 3e1675bac70c022a4e457ffe6b5fa54937b73e0116388ba90aec32851b4d9964
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: A1412431228E088FD768EF5CA885762B7D5F798311F6643AAE809D7389EA34DC1183C5

Function 00417640 Relevance: 42.2, APIs: 21, Strings: 3, Instructions: 218
stringmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,00000000), ref: 004176D4
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004176E2
WriteConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 004176F9
lstrcpynW.KERNEL32(?,00000000,00000000), ref: 00417710
GetAtomNameA.KERNEL32(00000000,00000000,00000000), ref: 00417719
SetFileApisToANSI.KERNEL32 ref: 0041771F
ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00417760
SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 00417768
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00417777
EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 00417780
GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 00417792
GetModuleHandleExW.KERNEL32(00000000,0041931C,?), ref: 004177AE
GlobalAlloc.KERNEL32(00000000,00000000), ref: 004177D9
AddAtomA.KERNEL32(00000000), ref: 004177E0
GetCommProperties.KERNELBASE(00000000,?), ref: 004177EE
GetTickCount.KERNEL32 ref: 004177F4
GetLastError.KERNEL32 ref: 004177FA
ZombifyActCtx.KERNEL32(00000000), ref: 0041780D
GetConsoleAliasesW.KERNEL32(?,00000000,00000000), ref: 0041781C
FoldStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00417838
LoadLibraryA.KERNELBASE(004193A0), ref: 004178E1

Strings

}$, xrefs: 00417903
tl_, xrefs: 004176B4
k`, xrefs: 004178F6

Memory Dump Source

Source File: 0000000A.00000002.2967432866.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_40b000_svgbeht.jbxd

Similarity

API ID: Console$AtomFileModuleName$AliasesAllocApisBoundsCommCountDateEnumErrorExchangeFoldFormatsGlobalHandleInterlockedLastLibraryLoadMountOutputPointPropertiesReadRectStringTickVolumeWriteZombifylstrcatlstrcpyn
String ID: k`$tl_$}$
API String ID: 3342591227-211918992
Opcode ID: 0b436240d99ffb49eba0d716691840d996ebfc4b3f18bc31f3653c2c31673b30
Instruction ID: be13a3e2899ae1437650d09e993ac3f4cd5df6ea62933a217ab08d843738736c
Opcode Fuzzy Hash: 0b436240d99ffb49eba0d716691840d996ebfc4b3f18bc31f3653c2c31673b30
Instruction Fuzzy Hash: A171AB71845528AFD721AB65DC88CDF7B78FF09354B00846AF505E2160CF388A89CFAD

Function 0279003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0279024D

Strings

cess, xrefs: 0279018D
kernel32.dll, xrefs: 0279008F, 02790095

Memory Dump Source

Source File: 0000000A.00000002.2975329617.0000000002790000.00000040.00001000.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2790000_svgbeht.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 0b062163da4da8698c08d9d65777322b606f2f8f89e90ca5f5619ab13f77384b
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 4F527874A11229DFDB64CF68D984BACBBB1BF09314F1480D9E94DAB351DB30AA85CF14

Function 027B1F2A Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 027B1F52
Module32First.KERNEL32(00000000,00000224), ref: 027B1F72

Memory Dump Source

Source File: 0000000A.00000002.2975486855.00000000027AF000.00000040.00000020.00020000.00000000.sdmp, Offset: 027AF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_27af000_svgbeht.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 5dcf52cac46809a8172e39a8db412d2a708f77e47d56b38e0322008f65d19f3e
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: C7F0F6322013156FD7213BF8AC9CFAEB6EDAF4A624F500568E64AD10C0DB70E805CA60

Function 02790E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02790223,?,?), ref: 02790E19
SetErrorMode.KERNELBASE(00000000,?,?,02790223,?,?), ref: 02790E1E

Memory Dump Source

Source File: 0000000A.00000002.2975329617.0000000002790000.00000040.00001000.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2790000_svgbeht.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: e75083ef5cf135af8fd535d034f2640e4408e5747bab793bf37e20e10de5eb7d
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 3ED0123515522877DB003A94DC09BCD7B1CDF05B66F008011FB0DD9080C770954046E5

Function 004173C2 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00000040,?), ref: 004173D8

Memory Dump Source

Source File: 0000000A.00000002.2967432866.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_40b000_svgbeht.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
Instruction ID: 4c62818881ac23e86d27b7ad5f6e3bb285c85b39ac0806b91a2128f0277fdf34
Opcode Fuzzy Hash: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
Instruction Fuzzy Hash: 8CC08CB194020DFFDB018B91FC41E8D7BACF300248F808020B716A1060CAB1AD289F68

Function 00401918 Relevance: 1.3, APIs: 1, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 0000000A.00000002.2967308020.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_svgbeht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F

Function 00401924 Relevance: 1.3, APIs: 1, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 0000000A.00000002.2967308020.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_svgbeht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F

Function 027B1BE9 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 027B1C3A

Memory Dump Source

Source File: 0000000A.00000002.2975486855.00000000027AF000.00000040.00000020.00020000.00000000.sdmp, Offset: 027AF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_27af000_svgbeht.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: bb8b79dd7303e807e5b684c1b61eac10beb1364011d6f02dfbe3f11e236bf918
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 11113C79A00208EFDB01DF98C999E98BBF5AF08351F558094F9489B361D371EA50EF80

Function 00401941 Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 0000000A.00000002.2967308020.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_svgbeht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F

Function 00401954 Relevance: 1.3, APIs: 1, Instructions: 43sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 0000000A.00000002.2967308020.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_svgbeht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
Instruction ID: f7568a5a22988f4b084f7ac8228f9b89e575eda69d31bfffabc36cd9cbe45c64
Opcode Fuzzy Hash: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
Instruction Fuzzy Hash: BDF0C2B6208144F7DB019AA18DB1FBA36299B44314F300233BA17B90F5C67C8612E76F

Function 0040194C Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 0000000A.00000002.2967308020.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_svgbeht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
Instruction ID: 9d6088553fbd849a34ffa1589a5f9bffd683413c7e042594889390f4c4f3f426
Opcode Fuzzy Hash: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
Instruction Fuzzy Hash: 08F0C2B2208144F7DB019A958DA0FBA36299B44314F300633B617B91F5C57C8A02E72F

Function 004173A1 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,0041788F), ref: 004173AB

Memory Dump Source

Source File: 0000000A.00000002.2967432866.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_40b000_svgbeht.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: cb277be0a3992133d9d926f909f17ca531406a750540cb22e4a7424897a2784b
Instruction ID: 43d98c38037be9b0da97174d463232e07300d4bae8a73e002124a5be647132f1
Opcode Fuzzy Hash: cb277be0a3992133d9d926f909f17ca531406a750540cb22e4a7424897a2784b
Instruction Fuzzy Hash: 3CB09270845205CAE2005F70D84470EBFE1FB4C202F828829E40496284DAB114089E60

Function 004173A3 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,0041788F), ref: 004173AB

Memory Dump Source

Source File: 0000000A.00000002.2967432866.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_40b000_svgbeht.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6adb750e7ea17ba4dfc271b57f0e32d75a63e91da777faa17e994a4e47bbaa96
Instruction ID: d55db0c2126c828c826ef05274ed4aaa6eabc9571a3453db39e0ff1d3a989bdf
Opcode Fuzzy Hash: 6adb750e7ea17ba4dfc271b57f0e32d75a63e91da777faa17e994a4e47bbaa96
Instruction Fuzzy Hash: B6B01270C80204DFDB000FB0EC44B0C7FA1B30C302F40C415F50441158CFB004289F20

Non-executed Functions

Function 00417526 Relevance: 6.0, APIs: 4, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

CreateJobObjectW.KERNEL32(00000000,00000000), ref: 0041753D
OpenJobObjectA.KERNEL32(00000000,00000000,00000000), ref: 0041755A
BuildCommDCBW.KERNEL32(00000000,?), ref: 00417565
LoadLibraryA.KERNEL32(00000000), ref: 0041756C

Memory Dump Source

Source File: 0000000A.00000002.2967432866.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_40b000_svgbeht.jbxd

Similarity

API ID: Object$BuildCommCreateLibraryLoadOpen
String ID:
API String ID: 2043902199-0
Opcode ID: 9f3ed112706eb8286ade0b86c195286d9610ac0970c0ce61b43f95d78f98277c
Instruction ID: 90512e1d2625494c81f44d3c8dd56ea1961f3cc6f9370a523a930c536b4937fe
Opcode Fuzzy Hash: 9f3ed112706eb8286ade0b86c195286d9610ac0970c0ce61b43f95d78f98277c
Instruction Fuzzy Hash: DDE0C931842528EFC7116B65EC488DF7FADFF0A359B41C025F50591115DB784A49CFE9

Function 004173E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(02705280), ref: 004174AC
GetProcAddress.KERNEL32(00000000,0041D350), ref: 004174E9

Strings

, xrefs: 00417432

Memory Dump Source

Source File: 0000000A.00000002.2967432866.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_40b000_svgbeht.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID:
API String ID: 1646373207-3916222277
Opcode ID: c054b58ef60272508c52d8ce0959ba2e779dab446c0d3af84fe4e19f33e188f5
Instruction ID: 45946ed8e24b5ff65f6d6728d957c430149eac3a472d67054be7f2f938815656
Opcode Fuzzy Hash: c054b58ef60272508c52d8ce0959ba2e779dab446c0d3af84fe4e19f33e188f5
Instruction Fuzzy Hash: 0A31A0B5D883C4DCF30187A4B8497B23B61AB15B04F48882AD954CB2A5D7FA1458C72F

Function 0041757D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 004175C5
SleepEx.KERNEL32(00000000,00000000), ref: 004175CF

Strings

-, xrefs: 004175DB

Memory Dump Source

Source File: 0000000A.00000002.2967432866.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_40b000_svgbeht.jbxd

Similarity

API ID: ComputerNameSleep
String ID: -
API String ID: 3354815184-2547889144
Opcode ID: c1331dce079a91ad5d80a21376cde5ad65eb13f020d06da4c1b01d90ac832ba8
Instruction ID: ebeafa1bb34f9a4184a15c16daf5d23565cbd7f10216a92778f2b2cd1c8db9a3
Opcode Fuzzy Hash: c1331dce079a91ad5d80a21376cde5ad65eb13f020d06da4c1b01d90ac832ba8
Instruction Fuzzy Hash: 7901D630804218E6C7609F64D881BDEBBF8FB08324F5181AAE58196085CF345ACC8FD9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: SmokeLoader

Threatname: Poverty Stealer

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat

C:\Users\user\AppData\Local\Temp\53FF.exe

C:\Users\user\AppData\Local\Temp\7719.exe

C:\Users\user\AppData\Local\Temp\96C7.exe

C:\Users\user\AppData\Local\Temp\nsaC2D3.tmp

C:\Users\user\AppData\Local\Temp\nsn3C59.tmp\liteFirewall.dll

C:\Users\user\AppData\Local\Temp\nsu7719.tmp

Windows Analysis Report
SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre